back to article HTC Android handsets spew private data to ANY app

A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information. The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave …


This topic is closed for new posts.


  1. Peter Lee

    Missing word in the headline?

    Surely the story should start with the word "Some"? I have a HTC Desire and this service isn't installed on it. Also, those who have rooted and installed a custom ROM will most likely not have it either.

    1. diodesign Silver badge

      Neither does the headline say the word 'all' :P

    2. PatientOne

      "Several models are said to be affected, including EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range."


      No mention of the Desire, so hopefully it's safe.

      1. Anonymous Coward
        Anonymous Coward

        htc mozart?

        Oh is the htc mozart affected? Nah it's a Windows phone so unaffected!!

    3. Chris 3

      Londoners killed in freak bus accident

      Presumably you reckon that's about 7 million dead?

  2. Piro

    Sense 3

    I believe this came packaged with Sense 3 ROMs.

    Of course, if you're sensible, you're running a custom ROM, and if your particular custom ROM still includes it, who cares? Just go right into Titanium Backup and uninstall the bastard!

    Job done.

    1. Giles Jones Gold badge

      Except that this is a phone and a huge percentage of users wouldn't even know what a ROM was if you explained it to them.

      The fact that there's so many clueless end users who are now vulnerable just shows how Android phones are still largely suited to the IT savvy (aka geeks).

      1. Chewy


        Except that this isn't an Android bug but a flaw in HTC Sense

        1. cloudgazer

          'Except that this isn't an Android bug but a flaw in HTC Sense'

          That's true, but it's hard for the average consumer to see the difference. To them, it's no different to buying a windows PC, the assume any bugs are from MS.

    2. Daleos

      Except the primary reason many people buy HTC is because of HTC Sense, not in spite of it. I too have gone down the custom route in the past but truth be told, I like the extra HTC toys.

      My old Hero is running CM7 but I wouldn't put it on my Sensation.

      Let me know when there's a custom ROM that includes Sense 3.0 for the Sensation then I may change my mind. Until then, I'll stick with a rooted standard Sense 3.0.

      No, I'm not particularly worried about the lastest news. Yes, it's a serious booboo by HTC and I'll have to wait for them to fix things before I download any more apps but as I've got everything I need right now, that's not a big problem.

      1. Piro


        I am using a custom ROM with Sense 3 on my Desire HD, let alone the Sensation.

        I use Android Revolution HD for my Desire HD, and here's the same thing for the Sensation:

  3. Steve Evans

    That's enough for me...

    Cyanogen here I come!

    1. Steve Evans

      Ah, the random down vote... Are you an HTC employee, the author of an alternative firmware or someone that doesn't think a service pushed out in manufacturers firmware which allows all your contacts to be grabbed is an issue?

      Or just a twat?

      1. Shonko Kid

        perhaps because you should have said "Right, that's it. I'm going to buy an iPhone, they would never snoop on me..."

        1. Steve Evans
          Big Brother

          Ah yes, of course... Silly me ;-)

  4. Robert E A Harvey

    He asks mischeviously

    I wonder if this would have been as easy to spot on any other phone OS?

    1. Robert Synnott

      RE: He asks mischeviously

      Er, yes. This is a closed-source HTC service. It was almost certainly discovered through running netstat on a rooted device and looking for open server ports. In no way would it be any harder to find on any other Android OEM's devices or on iOS. It _might_ be harder on Blackberry and WP7 simply because netstat and equivalent tools aren't as readily available.

      1. Anonymous Coward
        Anonymous Coward

        (@Robert: Shh don't say that, that's too much facts, not what the HTC fans want to hear.)

        Yes HTC fans, you have the best platform. Those reject mongers at Samsung might have trademarked the phrase "The openness of Android" but HTC is the real open one. Yay.

        1. ChrisC

          It's bad enough we have Android vs iOS vs othermobilesystem wars, let's not degenerate even further into Android OEM A vs Android OEM B conflicts too. Especially not over a misinterpretation of the OP's post - Robert (Harvey) asked whether this would have been as easy to detect on another OS, *not* on another Android device made by someone other than HTC...

  5. P Zero

    I don't believe my Desire is affected anyway, but I'm glad that I installed CyanogenMod after HTC refused to give up the 2.3 goods for their paltry memory offerings. I love the hardware, but I'll certainly consider a Windows Phone or another branded Android when my contract's up mid next year.

    1. PaulR79

      Fail on your part

      HTC initially gave up the Gingerbread / 2.3 release on the Desire but a rather large outcry saw them cave and suddenly decide they could release it after chopping out some crap. It's available now if you have an unbranded phone and depending on your network it may be able even if it's branded.

      As for affected or not as someone else mentioned this seems to be a Sense 3 release and the Desire is still on an earlier version (2.1 I think).

      1. P Zero

        To quote (under Software Updates tab just down the page)

        HTC Desire Android 'Gingerbread' update HTC will no longer proceed with a mass-market Gingerbread update for Desire due to the memory requirements of Android 2.3

        I've just educated myself on the backflip HTC made that Ausdroid reported on June 24th and rather than spare myself the indeterminable date for such an update being made widely available through Telstra, I'd have gone custom firmware anyway. I'm happier with more control of my phone regardless.

        1. Craigness

          You confirmed as far as "initially gave up", then you gave up.

  6. Skrrp
    Thumb Up

    Not on mine

    Nexus One with Cyanogen installed, no sign of this .apk file on my phone.

  7. auburnman

    I have an HTC Desire, so I should probably be concerned about this. What worries me more is that after reading the article my first reaction was: *Justin Case*? Are you serious?

    1. Peter Lee

      The Desire doesn't seem to be affected

      At least mine (running Android 2.3 from the HTC developer update) isn't.

  8. Eponymous Cowherd

    Not on UK Vodafone Sensation

    Full file path is:


  9. Anonymous Coward
    Anonymous Coward


    No one jumping to iPhones then?

    1. Jedit


      Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak.

      [1] And patent it, and sue HTC for using it.

      1. Giles Jones Gold badge

        The difference is Apple won't let developers do such stupid things in the first place. Once jailbroken it's a different story of course.

        You can call it control freakery if you want, I call it a well founded lack of trust in 3rd party software developers.

        1. Anonymous Coward
          Anonymous Coward

          Maybe Apple wouldn't let developers

          But what's to stop Apple doing it themselves? The HTC issue is caused by HTC themselves so I fail to see what 3rd party developers have to do with it but you fruity fans know that Apple are so cuddly wuddly and they are your friends and would never dream of being so underhanded to their loyal fans...

          Oh wait........

        2. Jedit

          "Apple won't let developers do it"

          Had you managed to tear your eyes away from the radiant glory of your iProducts for just long enough to read the article, you would have noticed that the logger was installed by the manufacturer - presumably as part of a firmware rollout. And, had the sight of a sentence not worshipping the Almighty Apple not struck you witless with shock at such a heinous blasphemy, you would also have realised that I was talking about Apple incorporating a similar logger into iOS. At no point did I ever mention a third party developer.

          I will, however, gladly accept your invitation to call Apple a bunch of control freaks.

      2. Robert Synnott

        You have to root to stop this app, though...

      3. Franklin

        A title is required. Flames are optional.

        "Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak."

        I switched a while back from an iPhone to an HTC Sensation, and I've found that the Sensation is actually much more tightly locked-down than the iPhone was. When I first switched to the Sensation, no jailbreak was available for it at all. A jailbreak is now available, but it doesn't work on the latest software update.

        HTC finally released a (cumbersome) way to legitimately root the Sensation, but (surprise surprise!) only for Sensations on certain carriers. Excluding, naturally, mine.

        So the cell phone flame wars about "Android is open, iOS is closed" are, at least in my experience, a load of half-baked, misinformed nonsense. In the Android ecosystems, some phones are definitely much more open than others. (I'm still waiting for someone to break my particular Sensation.)

        Mind you, I'm not playing Apple fanboi here. I quite like my Sensation, and I have no plans to go back to an iPhone. In a number of quantifiable ways, the hardware is superior to the iPhone's. The operating system is a mixed bag; there are some bits of Android I find quite a lot better than iOS, and some bits that still really annoy me. This isn't actually about "Android is better!" or "iOS is better!"--it's about the mistaken assumption that because it's Android, that must mean it's open.

        1. Craigness

          Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer. Put any file or app on it, don't use itunes if you don't want to, etc.

          1. Franklin

            A title is still required

            "Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer."

            What I would really like to do with my Sensation is remove the crudware apps that HTC spooned onto it--Peep, the most miserable Twitter client I've ever seen; Slacker, which I gather is an Internet radio service or something; TeleNav, their competitor to Google's GPS nav software.

            I can't.

            Clearly, from HTC's perspective, Android is *not* about being able to do what I want without permission. Those applications can not be removed from an HTC phone without rooting it, and as I've mentioned above, that doesn't appear possible at the present with my phone.

            1. Craigness


              At least if you do root it, they won't brick it.

    2. crashtest

      so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.

      1. Anonymous Coward
        Anonymous Coward


        You're misinformed:

        1) Official iOS apps could not read the location cache file

        2) The file didn't contain this level of detail, only had the location of nearby phone towers (not the user's)

        3) Android had a similar file

        So nothing to do with this fiasco.

        1. Craigness

          +++ath0 you're misinformed. Android did not have a similar file. It was server-side and optional.

        2. Volker Hett

          but Apple is baaaad :)

          Apple not updating two year old phones - scandal

          HTC not updating one year old phones - sensible

          At least as far as I'm concerned with my memory handicapped Desire :)

      2. cloudgazer

        'so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.'

        It wasn't for any app to see, you don't have filesystem access with an iOS app, except to files created by your app or through certain API calls, some media files such as music. In order to breach privacy somebody would either need to hack and root your phone or a law enforcement type would need physical access to the handset.

        Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it. Remember, Google does exactly the same kind of location DB build up, but it does it all server side - which is in some ways better and in some ways much worse.

  10. Anonymous Coward
    Anonymous Coward

    The real question is why are they logging this info

    Has HTC turned into Huawei?

  11. CJatCTi

    The VNC Server was active on Wildfire S yesterday

    I asked my girlfriend why she called me & said nothing. She when to her phone & it was doing things all by it self, she call me to it. At that time the alarms were being renamed, Bluetooth had been remotely turned on as had act as Wi-Fi access point. When I unplugged it from the charger it stopped.

  12. Wang N Staines

    Still true

    Anything iOS can do, Andoid can do better.

    1. Anonymous Coward
      Anonymous Coward

      There's no end to some Android owner's insecurity is there? An article that has nothing to do with iOS and you still feel the need to make snide remarks about it. I own devices on both platforms and there's nothing between them. I only prefer iOS because it has the better selection of games and apps.

  13. cloudgazer

    The best part is definitely the help menu. I mean it's bad enough that HTC put a back door on their OS so that they can spy on you, but then to add a help menu to facilitate any other bozo spying on you - that's just classic.

  14. mmm mmm

    There's a page on XDA developers that explains exactly what it's for.

    1. Phil Wray


      and for the lazy

      dailing *#*#482564#*#* get you the menu


This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019