In recent updates to some of its android devices, HTC enabled some pretty exhaustive data-logging. The purpose was likely to collect information for statistics or helping users troubleshoot. Now, if you’re going to collect this sort of data, you’re going to want to keep it locked up considering that users generally don’t respond well to their data being leaked. Unfortunately, that’s not the case with these new updates. In fact, the data — all of it — is pretty trivial for any app to collect.
Trevor Eckhart was the first to find the warning signs, after which he teamed up with Justin Case and Artem Russakovskii of Android Police to try and get to the bottom of the situation. It seems that the situation can be adequately summed up this way: Any app can get information like encoded texts, limited location history, and phone numbers from the call log if it is just given permission to access the Internet.
Right after the discoveries were made, Eckhart alerted HTC, but recieved no response in the following five days. He then released the information publicly in hopes of spurring HTC into action. Unfortunately, that also means that the information is all out there now.
Android Police puts the blame squarely on HTC’s shoulders, saying that the vulnerability is entirely due to sloppiness on their part. A fix for the vulnerability would apparently require a firmware update, although users can take action to protect their data by rooting their phones and removing the loggers.
List of affected phones via Android Police:
List of the vulnerable data (found so far):
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
- active notifications in the notification bar, including notification text
- build number, bootloader version, radio version, kernel version
- network info, including IP addresses
- full memory info
- CPU info
- file system info and free space on each partition
- running processes
- current snapshot/stacktrace of not only every running process but every running thread
- list of installed apps, including permissions used, user ids, versions, and more
- system properties/variables
- currently active broadcast listeners and history of past broadcasts received
- currently active content providers
- battery info and status, including charging/wake lock history
- and more
Hopefully a fix for the vulnerability can be pushed soon enough, before more user data is pushed out.
(via Android Police)