HTC Android handsets spew private data to ANY app

A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information. The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave …

COMMENTS

This topic is closed for new posts.


Missing word in the headline?

Surely the story should start with the word "Some"? I have a HTC Desire and this service isn't installed on it. Also, those who have rooted and installed a custom ROM will most likely not have it either.

6
6

Neither does the headline say the word 'all' :P

10
6

"Several models are said to be affected, including EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range."

from: http://www.bbc.co.uk/news/technology-15149588

No mention of the Desire, so hopefully it's safe.

0
0
Anonymous Coward

HTC Mozart?

Oh is the HTC Mozart affected? Nah it's a Windows phone so unaffected!!

0
2

Londoners killed in freak bus accident

Presumably you reckon that's about 7 million dead?

2
0

Sense 3

I believe this came packaged with Sense 3 ROMs.

Of course, if you're sensible, you're running a custom ROM, and if your particular custom ROM still includes it, who cares? Just go right into Titanium Backup and uninstall the bastard!

Job done.

2
0

Except that this is a phone and a huge percentage of users wouldn't even know what a ROM was if you explained it to them.

The fact that there's so many clueless end users who are now vulnerable just shows how Android phones are still largely suited to the IT savvy (aka geeks).

4
2

Android

Except that this isn't an Android bug but a flaw in HTC Sense

1
1

'Except that this isn't an Android bug but a flaw in HTC Sense'

That's true, but it's hard for the average consumer to see the difference. To them, it's no different to buying a Windows PC, they assume any bugs are from MS.

1
0

Except the primary reason many people buy HTC is because of HTC Sense, not in spite of it. I too have gone down the custom route in the past but truth be told, I like the extra HTC toys.

My old Hero is running CM7 but I wouldn't put it on my Sensation.

Let me know when there's a custom ROM that includes Sense 3.0 for the Sensation then I may change my mind. Until then, I'll stick with a rooted standard Sense 3.0.

No, I'm not particularly worried about the latest news. Yes, it's a serious booboo by HTC and I'll have to wait for them to fix things before I download any more apps but as I've got everything I need right now, that's not a big problem.

1
0

Huh?

I am using a custom ROM with Sense 3 on my Desire HD, let alone the Sensation.

I use Android Revolution HD for my Desire HD, and here's the same thing for the Sensation:

http://forum.xda-developers.com/showthread.php?t=1098849

0
0

That's enough for me...

Cyanogen here I come!

4
3

Ah, the random down vote... Are you an HTC employee, the author of an alternative firmware or someone that doesn't think a service pushed out in manufacturer's firmware which allows all your contacts to be grabbed is an issue?

Or just a twat?

4
1

perhaps because you should have said "Right, that's it. I'm going to buy an iPhone, they would never snoop on me..."

1
0

Ah yes, of course... Silly me ;-)

0
0

He asks mischievously

I wonder if this would have been as easy to spot on any other phone OS?

7
5

RE: He asks mischievously

Er, yes. This is a closed-source HTC service. It was almost certainly discovered through running netstat on a rooted device and looking for open server ports. In no way would it be any harder to find on any other Android OEM's devices or on iOS. It _might_ be harder on Blackberry and WP7 simply because netstat and equivalent tools aren't as readily available.

7
0
Anonymous Coward

(@Robert: Shh don't say that, that's too much facts, not what the HTC fans want to hear.)

Yes HTC fans, you have the best platform. Those reject mongers at Samsung might have trademarked the phrase "The openness of Android" but HTC is the real open one. Yay.

2
5

It's bad enough we have Android vs iOS vs othermobilesystem wars, let's not degenerate even further into Android OEM A vs Android OEM B conflicts too. Especially not over a misinterpretation of the OP's post - Robert (Harvey) asked whether this would have been as easy to detect on another OS, *not* on another Android device made by someone other than HTC...

2
2

I don't believe my Desire is affected anyway, but I'm glad that I installed CyanogenMod after HTC refused to give up the 2.3 goods for their paltry memory offerings. I love the hardware, but I'll certainly consider a Windows Phone or another branded Android when my contract's up mid next year.

3
1

Fail on your part

HTC initially gave up the Gingerbread / 2.3 release on the Desire but a rather large outcry saw them cave and suddenly decide they could release it after chopping out some crap. It's available now if you have an unbranded phone and depending on your network it may be able even if it's branded.

As for affected or not as someone else mentioned this seems to be a Sense 3 release and the Desire is still on an earlier version (2.1 I think).

3
0

To quote http://www.telstra.com.au/mobile/phones/smartphones.html (under Software Updates tab just down the page)

HTC Desire Android 'Gingerbread' update HTC will no longer proceed with a mass-market Gingerbread update for Desire due to the memory requirements of Android 2.3

I've just educated myself on the backflip HTC made that Ausdroid reported on June 24th and rather than spare myself the indeterminable date for such an update being made widely available through Telstra, I'd have gone custom firmware anyway. I'm happier with more control of my phone regardless.

0
0

You confirmed as far as "initially gave up", then you gave up.

0
0

Not on mine

Nexus One with Cyanogen installed, no sign of this .apk file on my phone.

1
0

I have an HTC Desire, so I should probably be concerned about this. What worries me more is that after reading the article my first reaction was: *Justin Case*? Are you serious?

2
0

The Desire doesn't seem to be affected

At least mine (running Android 2.3 from the HTC developer update) isn't.

0
0

Not on UK Vodafone Sensation

Full file path is:

/system/app/HtcLoggers.apk

2
0
Anonymous Coward

Soooo...

No one jumping to iPhones then?

0
7

No

Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak.

[1] And patent it, and sue HTC for using it.

5
3

so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.

4
5

The difference is Apple won't let developers do such stupid things in the first place. Once jailbroken it's a different story of course.

You can call it control freakery if you want, I call it a well founded lack of trust in 3rd party software developers.

2
4
Anonymous Coward

Maybe Apple wouldn't let developers

But what's to stop Apple doing it themselves? The HTC issue is caused by HTC themselves so I fail to see what 3rd party developers have to do with it but you fruity fans know that Apple are so cuddly wuddly and they are your friends and would never dream of being so underhanded to their loyal fans...

Oh wait........

5
3
Anonymous Coward

@crashtest

You're misinformed:

1) Official iOS apps could not read the location cache file

2) The file didn't contain this level of detail, only had the location of nearby phone towers (not the user's)

3) Android had a similar file

So nothing to do with this fiasco.

3
0

You have to root to stop this app, though...

0
0

"Apple won't let developers do it"

Had you managed to tear your eyes away from the radiant glory of your iProducts for just long enough to read the article, you would have noticed that the logger was installed by the manufacturer - presumably as part of a firmware rollout. And, had the sight of a sentence not worshipping the Almighty Apple not struck you witless with shock at such a heinous blasphemy, you would also have realised that I was talking about Apple incorporating a similar logger into iOS. At no point did I ever mention a third party developer.

I will, however, gladly accept your invitation to call Apple a bunch of control freaks.

3
1

'so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.'

It wasn't for any app to see, you don't have filesystem access with an iOS app, except to files created by your app or through certain API calls, some media files such as music. In order to breach privacy somebody would either need to hack and root your phone or a law enforcement type would need physical access to the handset.

Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it. Remember, Google does exactly the same kind of location DB build up, but it does it all server side - which is in some ways better and in some ways much worse.

2
1

A title is required. Flames are optional.

"Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak."

I switched a while back from an iPhone to an HTC Sensation, and I've found that the Sensation is actually much more tightly locked-down than the iPhone was. When I first switched to the Sensation, no jailbreak was available for it at all. A jailbreak is now available, but it doesn't work on the latest software update.

HTC finally released a (cumbersome) way to legitimately root the Sensation, but (surprise surprise!) only for Sensations on certain carriers. Excluding, naturally, mine.

So the cell phone flame wars about "Android is open, iOS is closed" are, at least in my experience, a load of half-baked, misinformed nonsense. In the Android ecosystems, some phones are definitely much more open than others. (I'm still waiting for someone to break my particular Sensation.)

Mind you, I'm not playing Apple fanboi here. I quite like my Sensation, and I have no plans to go back to an iPhone. In a number of quantifiable ways, the hardware is superior to the iPhone's. The operating system is a mixed bag; there are some bits of Android I find quite a lot better than iOS, and some bits that still really annoy me. This isn't actually about "Android is better!" or "iOS is better!"--it's about the mistaken assumption that because it's Android, that must mean it's open.

1
0

Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer. Put any file or app on it, don't use iTunes if you don't want to, etc.

1
0

+++ath0 you're misinformed. Android did not have a similar file. It was server-side and optional.

1
0

but Apple is baaaad :)

Apple not updating two year old phones - scandal

HTC not updating one year old phones - sensible

At least as far as I'm concerned with my memory handicapped Desire :)

1
0

A title is still required

"Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer."

What I would really like to do with my Sensation is remove the crudware apps that HTC spooned onto it--Peep, the most miserable Twitter client I've ever seen; Slacker, which I gather is an Internet radio service or something; TeleNav, their competitor to Google's GPS nav software.

I can't.

Clearly, from HTC's perspective, Android is *not* about being able to do what I want without permission. Those applications can not be removed from an HTC phone without rooting it, and as I've mentioned above, that doesn't appear possible at the present with my phone.

0
0

Bricks

At least if you do root it, they won't brick it.

0
0
Anonymous Coward

The real question is why are they logging this info

Has HTC turned into Huawei?

4
0

The VNC Server was active on Wildfire S yesterday

I asked my girlfriend why she called me & said nothing. She went to her phone & it was doing things all by itself, she called me to it. At that time the alarms were being renamed, Bluetooth had been remotely turned on as had act as Wi-Fi access point. When I unplugged it from the charger it stopped.

4
0

Still true

Anything iOS can do, Android can do better.

4
3
Anonymous Coward

There's no end to some Android owners' insecurity is there? An article that has nothing to do with iOS and you still feel the need to make snide remarks about it. I own devices on both platforms and there's nothing between them. I only prefer iOS because it has the better selection of games and apps.

0
0

The best part is definitely the help menu. I mean it's bad enough that HTC put a back door on their OS so that they can spy on you, but then to add a help menu to facilitate any other bozo spying on you - that's just classic.

6
0

There's a page on XDA developers that explains exactly what it's for.

0
0

yep

and for the lazy

http://www.xda-developers.com/android/ever-wondered-what-htcloggers-apk-is-for-here-is-your-answer/

dialing *#*#482564#*#* gets you the menu

4
0
