back to article HTC Android handsets spew private data to ANY app

A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information. The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Stop

    Missing word in the headline?

    Surely the story should start with the word "Some"? I have a HTC Desire and this service isn't installed on it. Also, those who have rooted and installed a custom ROM will most likely not have it either.

    1. diodesign Silver badge
      Go

      Neither does the headline say the word 'all' :P

    2. PatientOne

      "Several models are said to be affected, including EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range."

      from: http://www.bbc.co.uk/news/technology-15149588

      No mention of the Desire, so hopefully it's safe.

      1. Anonymous Coward
        Anonymous Coward

        htc mozart?

        Oh is the htc mozart affected? Nah it's a Windows phone so unaffected!!

    3. Chris 3

      Londoners killed in freak bus accident

      Presumably you reckon that's about 7 million dead?

  2. Piro Silver badge
    Pint

    Sense 3

    I believe this came packaged with Sense 3 ROMs.

    Of course, if you're sensible, you're running a custom ROM, and if your particular custom ROM still includes it, who cares? Just go right into Titanium Backup and uninstall the bastard!

    Job done.

    1. Giles Jones Gold badge

      Except that this is a phone and a huge percentage of users wouldn't even know what a ROM was if you explained it to them.

      The fact that there's so many clueless end users who are now vulnerable just shows how Android phones are still largely suited to the IT savvy (aka geeks).

      1. Chewy

        Android

        Except that this isn't an Android bug but a flaw in HTC Sense

        1. cloudgazer

          'Except that this isn't an Android bug but a flaw in HTC Sense'

          That's true, but it's hard for the average consumer to see the difference. To them, it's no different to buying a windows PC, the assume any bugs are from MS.

    2. Daleos

      Except the primary reason many people buy HTC is because of HTC Sense, not in spite of it. I too have gone down the custom route in the past but truth be told, I like the extra HTC toys.

      My old Hero is running CM7 but I wouldn't put it on my Sensation.

      Let me know when there's a custom ROM that includes Sense 3.0 for the Sensation then I may change my mind. Until then, I'll stick with a rooted standard Sense 3.0.

      No, I'm not particularly worried about the lastest news. Yes, it's a serious booboo by HTC and I'll have to wait for them to fix things before I download any more apps but as I've got everything I need right now, that's not a big problem.

      1. Piro Silver badge
        Pint

        Huh?

        I am using a custom ROM with Sense 3 on my Desire HD, let alone the Sensation.

        I use Android Revolution HD for my Desire HD, and here's the same thing for the Sensation:

        http://forum.xda-developers.com/showthread.php?t=1098849

  3. Steve Evans

    That's enough for me...

    Cyanogen here I come!

    1. Steve Evans

      Ah, the random down vote... Are you an HTC employee, the author of an alternative firmware or someone that doesn't think a service pushed out in manufacturers firmware which allows all your contacts to be grabbed is an issue?

      Or just a twat?

      1. Shonko Kid
        Trollface

        perhaps because you should have said "Right, that's it. I'm going to buy an iPhone, they would never snoop on me..."

        1. Steve Evans
          Big Brother

          Ah yes, of course... Silly me ;-)

  4. Robert E A Harvey

    He asks mischeviously

    I wonder if this would have been as easy to spot on any other phone OS?

    1. Robert Synnott

      RE: He asks mischeviously

      Er, yes. This is a closed-source HTC service. It was almost certainly discovered through running netstat on a rooted device and looking for open server ports. In no way would it be any harder to find on any other Android OEM's devices or on iOS. It _might_ be harder on Blackberry and WP7 simply because netstat and equivalent tools aren't as readily available.

      1. Anonymous Coward
        Anonymous Coward

        (@Robert: Shh don't say that, that's too much facts, not what the HTC fans want to hear.)

        Yes HTC fans, you have the best platform. Those reject mongers at Samsung might have trademarked the phrase "The openness of Android" but HTC is the real open one. Yay.

        1. ChrisC Silver badge
          Stop

          It's bad enough we have Android vs iOS vs othermobilesystem wars, let's not degenerate even further into Android OEM A vs Android OEM B conflicts too. Especially not over a misinterpretation of the OP's post - Robert (Harvey) asked whether this would have been as easy to detect on another OS, *not* on another Android device made by someone other than HTC...

  5. P Zero
    Meh

    I don't believe my Desire is affected anyway, but I'm glad that I installed CyanogenMod after HTC refused to give up the 2.3 goods for their paltry memory offerings. I love the hardware, but I'll certainly consider a Windows Phone or another branded Android when my contract's up mid next year.

    1. PaulR79

      Fail on your part

      HTC initially gave up the Gingerbread / 2.3 release on the Desire but a rather large outcry saw them cave and suddenly decide they could release it after chopping out some crap. It's available now if you have an unbranded phone and depending on your network it may be able even if it's branded.

      As for affected or not as someone else mentioned this seems to be a Sense 3 release and the Desire is still on an earlier version (2.1 I think).

      1. P Zero
        Boffin

        To quote http://www.telstra.com.au/mobile/phones/smartphones.html (under Software Updates tab just down the page)

        HTC Desire Android 'Gingerbread' update HTC will no longer proceed with a mass-market Gingerbread update for Desire due to the memory requirements of Android 2.3

        I've just educated myself on the backflip HTC made that Ausdroid reported on June 24th and rather than spare myself the indeterminable date for such an update being made widely available through Telstra, I'd have gone custom firmware anyway. I'm happier with more control of my phone regardless.

        1. Craigness

          You confirmed as far as "initially gave up", then you gave up.

  6. Skrrp
    Thumb Up

    Not on mine

    Nexus One with Cyanogen installed, no sign of this .apk file on my phone.

  7. auburnman

    I have an HTC Desire, so I should probably be concerned about this. What worries me more is that after reading the article my first reaction was: *Justin Case*? Are you serious?

    1. Anonymous Coward
      Anonymous Coward

      The Desire doesn't seem to be affected

      At least mine (running Android 2.3 from the HTC developer update) isn't.

  8. Eponymous Cowherd
    Happy

    Not on UK Vodafone Sensation

    Full file path is:

    /system/app/HtcLoggers.apk

  9. Anonymous Coward
    Anonymous Coward

    Soooo...

    No one jumping to iPhones then?

    1. Jedit Silver badge
      FAIL

      No

      Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak.

      [1] And patent it, and sue HTC for using it.

      1. Giles Jones Gold badge

        The difference is Apple won't let developers do such stupid things in the first place. Once jailbroken it's a different story of course.

        You can call it control freakery if you want, I call it a well founded lack of trust in 3rd party software developers.

        1. Anonymous Coward
          Anonymous Coward

          Maybe Apple wouldn't let developers

          But what's to stop Apple doing it themselves? The HTC issue is caused by HTC themselves so I fail to see what 3rd party developers have to do with it but you fruity fans know that Apple are so cuddly wuddly and they are your friends and would never dream of being so underhanded to their loyal fans...

          Oh wait........

        2. Jedit Silver badge
          FAIL

          "Apple won't let developers do it"

          Had you managed to tear your eyes away from the radiant glory of your iProducts for just long enough to read the article, you would have noticed that the logger was installed by the manufacturer - presumably as part of a firmware rollout. And, had the sight of a sentence not worshipping the Almighty Apple not struck you witless with shock at such a heinous blasphemy, you would also have realised that I was talking about Apple incorporating a similar logger into iOS. At no point did I ever mention a third party developer.

          I will, however, gladly accept your invitation to call Apple a bunch of control freaks.

      2. Robert Synnott

        You have to root to stop this app, though...

      3. Franklin

        A title is required. Flames are optional.

        "Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. If and when Apple think this is a good idea [1], you can be assured that they will put it somewhere that users cannot touch and you will be stuck with it unless you jailbreak."

        I switched a while back from an iPhone to an HTC Sensation, and I've found that the Sensation is actually much more tightly locked-down than the iPhone was. When I first switched to the Sensation, no jailbreak was available for it at all. A jailbreak is now available, but it doesn't work on the latest software update.

        HTC finally released a (cumbersome) way to legitimately root the Sensation, but (surprise surprise!) only for Sensations on certain carriers. Excluding, naturally, mine.

        So the cell phone flame wars about "Android is open, iOS is closed" are, at least in my experience, a load of half-baked, misinformed nonsense. In the Android ecosystems, some phones are definitely much more open than others. (I'm still waiting for someone to break my particular Sensation.)

        Mind you, I'm not playing Apple fanboi here. I quite like my Sensation, and I have no plans to go back to an iPhone. In a number of quantifiable ways, the hardware is superior to the iPhone's. The operating system is a mixed bag; there are some bits of Android I find quite a lot better than iOS, and some bits that still really annoy me. This isn't actually about "Android is better!" or "iOS is better!"--it's about the mistaken assumption that because it's Android, that must mean it's open.

        1. Craigness

          Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer. Put any file or app on it, don't use itunes if you don't want to, etc.

          1. Franklin

            A title is still required

            "Franklin, Android openness is about being able to do what you want without getting permission from the manufacturer."

            What I would really like to do with my Sensation is remove the crudware apps that HTC spooned onto it--Peep, the most miserable Twitter client I've ever seen; Slacker, which I gather is an Internet radio service or something; TeleNav, their competitor to Google's GPS nav software.

            I can't.

            Clearly, from HTC's perspective, Android is *not* about being able to do what I want without permission. Those applications can not be removed from an HTC phone without rooting it, and as I've mentioned above, that doesn't appear possible at the present with my phone.

            1. Craigness

              Bricks

              At least if you do root it, they won't brick it.

    2. crashtest
      FAIL

      so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.

      1. Anonymous Coward
        Anonymous Coward

        @crashtest

        You're misinformed:

        1) Official iOS apps could not read the location cache file

        2) The file didn't contain this level of detail, only had the location of nearby phone towers (not the user's)

        3) Android had a similar file

        So nothing to do with this fiasco.

        1. Craigness

          +++ath0 you're misinformed. Android did not have a similar file. It was server-side and optional.

        2. Volker Hett
          Happy

          but Apple is baaaad :)

          Apple not updating two year old phones - scandal

          HTC not updating one year old phones - sensible

          At least as far as I'm concerned with my memory handicapped Desire :)

      2. cloudgazer

        'so I guess you haven't heard about the apple fiasco a few months ago, about the iphone storing its location every while, for any app to see.'

        It wasn't for any app to see, you don't have filesystem access with an iOS app, except to files created by your app or through certain API calls, some media files such as music. In order to breach privacy somebody would either need to hack and root your phone or a law enforcement type would need physical access to the handset.

        Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it. Remember, Google does exactly the same kind of location DB build up, but it does it all server side - which is in some ways better and in some ways much worse.

  10. Anonymous Coward
    Anonymous Coward

    The real question is why are they logging this info

    Has HTC turned into Huawei?

  11. CJatCTi
    WTF?

    The VNC Server was active on Wildfire S yesterday

    I asked my girlfriend why she called me & said nothing. She when to her phone & it was doing things all by it self, she call me to it. At that time the alarms were being renamed, Bluetooth had been remotely turned on as had act as Wi-Fi access point. When I unplugged it from the charger it stopped.

  12. Wang N Staines
    Happy

    Still true

    Anything iOS can do, Andoid can do better.

    1. Anonymous Coward
      Anonymous Coward

      There's no end to some Android owner's insecurity is there? An article that has nothing to do with iOS and you still feel the need to make snide remarks about it. I own devices on both platforms and there's nothing between them. I only prefer iOS because it has the better selection of games and apps.

  13. cloudgazer

    The best part is definitely the help menu. I mean it's bad enough that HTC put a back door on their OS so that they can spy on you, but then to add a help menu to facilitate any other bozo spying on you - that's just classic.

  14. mmm mmm

    There's a page on XDA developers that explains exactly what it's for.

    1. Phil Wray
      Mushroom

      yep

      and for the lazy

      http://www.xda-developers.com/android/ever-wondered-what-htcloggers-apk-is-for-here-is-your-answer/

      dailing *#*#482564#*#* get you the menu

  15. bazza Silver badge

    From HTC:

    All your data are belong to us.

  16. katx5h
    Thumb Up

    NOT on HTC Glacier running MIUI Custom ROM

    HtlLogger.apk is not found on the HTC Glacier (My Touch 4G) running the MIUI Custom ROM.

  17. Alan Firminger

    As was writ above, this was in the app. But the OS lets it do it.

    The OS has to permit access all parts, because the references are there to be used. And what is the point of the smartphone if it is not to run apps.

    So the system is totally insecure. This will run and run.

    1. Daleos

      No it won't. It'll run until it's fixed. This is obviously a fsck up by HTC than some evil plan. It's an issuse related to HTC Sense 3.0, not Android.

      If HTC get this sorted out promptly, it'll be pretty much forgotten in a couple of months. Of, course, if they drag their feet on this then they deserve the worst.

      1. Anonymous Coward
        Anonymous Coward

        Well I'm sorry fsck up or not it still doesn't explain why HTC is compiling all this info into a log file (and let's not forget even when patched the log file will be accessible if the phone is rooted)

        There was a huge hoopla over much more innocuous cache files of both iOS and Android some time ago, and now this?

        Not sure why the media isn't raising a stink over this.

        1. Craigness

          Metavisor, there was a hoopla over the cached files in iOS. Android didn't store location data in the phone (and didn't store it at all if it didn't have your permission), whereas Apple made it available to anyone with access to the device. There is no big outcry about this new one because it doesn't affect 100 million people - only those with Sense 3 - but mostly because it's not Apple. There is a lot of hoopla about a new phone being announced today, but never about android phones. There was more press about the announcement of the announcement for iphone than there was for any android phone. Android gets neither free marketing nor free security announcements.

  18. TheRegistrar

    If affected, expect an update

    All HTC need to do is update affected systems so that authorisation isn't just given to any app requesting internet permissions, which is what the issue seems to be. Add authentication to the logging app and lock down the permissions to the log file.

    Even those who root their phones tend to run superuser control apps, which alert the user to requests for privileged access from apps that make use of it. These apps could add a feature to authorise to the HTC logged data.

    1. bazza Silver badge

      @TheRegistrar: An update? Are you kidding?

      And exactly what speedy and pervasive update mechanism is available to HTC to ensure that every HTC phone out there would actually receive such an update? Ah yes, none.

      1. Craigness
        FAIL

        bazza, the technology you're looking for is "over the air updates". HTC does do those.

        1. cloudgazer

          @craigness

          No, the carriers do - or more often, don't. Android & WP7 OEMs don't have the ability to push updates to end-users without carrier involvement - unlike Apple - which made a big point of wrestling this right away from the carriers right at the get go.

          1. Craigness

            No, HTC does

            HTC does the HTC over the air updates. I've got an HTC phone and I had an HTC over the air update from HTC.

  19. Kurt 4
    Megaphone

    photon

    Another good reason to get the Motorola Photon. Mine rocks.

    1. Anonymous Coward
      Anonymous Coward

      Optional

      I'm sorry to hear that, have you tried a little wedge under one side? ;o)

This topic is closed for new posts.

Other stories you might like