If you’ve got one of HTC’s popular Android phones, such as the Evo 4G, Evo 3D or Thunderbolt, your phone may be giving apps you’ve installed a huge amount of personal data — information that you didn’t authorize those apps to have access to.
The reported vulnerability, according to Artem Russakovskii of AndroidPolice.com, comes about due to a flawed logging application contained within the most recent version of the HTC Sense user interface, a custom skin that HTC includes with its Android phones.
When you grant apps access to the phone’s internet capabilities (permission that would ordinarily only allow the app to access the web for uploading and downloading data), HTC’s logging application also grants access to a whole host of other data. That data, Russakovskii says, includes:
- active notifications in the notification bar
- build number, bootloader version, radio version, kernel version
- network info, including IP addresses
- full memory info
- CPU info
- file system info and free space on each partition
- running processes
- current snapshot/stacktrace of every running process and thread
- list of installed apps, including permissions used, user ids, versions, and more
- system properties/variables
- currently active broadcast listeners and history of past broadcasts received
- currently active content providers
- battery info and status
“Theoretically, it may be possible to clone a device using only a small subset of the information leaked here,” Russakovskii adds.
Apparently, HTC installed a suite of logging tools — for a purpose that’s still unclear — but neglected to secure the data that was being logged. The discovery was made by Trevor Eckhart, a security researcher.
“It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door,” Russakovskii writes.
We contacted a HTC spokesperson today, who provided this response: “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”
Removing the vulnerability is not possible without rooting the device, removing the HTC Sense software, or waiting for an update from HTC, Russakovskii says. He has also provided a proof of concept app that you can install to determine if your phone is susceptible.
For more details, see the Android Police blog post.