Gaping Hole in HTC Android Security

It is getting to the point where smartphone users would be safer binning their radio-enabled computers and just walking around town wearing t-shirts emblazoned with the PINs for their bank cards. Several popular Android phones by HTC have been added to the roll call of complacent phone security, thanks to the investigation work of Trevor Eckhart. His video demonstrates a simple proof-of-concept app he wrote for HTC Android phones. The app asks for nothing more than the innocuous-sounding ‘INTERNET’ permission, a permission so common that few users think twice before granting it. On the affected HTC handsets, granting it also hands the app an extraordinary and excessive volume of data, much of it with severe implications for the user’s privacy and security.

In short, once the user has granted the ‘INTERNET’ permission, the app gets to read the list of user accounts and the email address for each of them, your last network and GPS location, phone numbers from the call log, encrypted SMS text (which may well be possible to decrypt), system logs (with all the sensitive data they capture), your shoe size and your favourite colour of underwear (okay, I made the last two up). And the same permission allows the app to send data across the internet (the clue is in the name), which means one dodgy app + one unguarded button press = all that data being fired off to a remote server for heck knows what purpose (spying, crime… you get the idea). The point is that none of this requires the app to request any of the permissions, such as reading contacts, location or SMS, that would have warned the user what it was really after.

You can read more about this story at Android Police. However, I predict that repeated stories about lax security can only lead users to switch off from all the bad news, and switch off their phones as well.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.