HTC & Samsung’s Security Issues Putting Android Users in Hot Water

Oct 5, 2011

Security has become an unfortunate hot-button issue in the Android world of late, with one major phone manufacturer in hot water over a data leak, and a new phone featuring a silly glitch that compromises its lock settings.

HTC Android phones have a security issue where any app that requests Internet access can get access to an extreme amount of data that could be used to clone the phone and access sensitive user information. Malicious apps could read the user’s accounts, phone numbers, text messages, GPS data, and system log dumps from which vast swaths of further information could be recovered. Again, all of this requires nothing more than an app that requests Internet access. Android Police, who originally reported this story, created a proof-of-concept app that shows just what data can be acquired through this security chasm. HTC has also added a suspicious VNC server app, and there exists the possibility that a hacker could find a way to activate it and take complete control of a user’s phone.

Luckily, not all HTC phones are affected, though the Evo 4G, Evo 3D, Thunderbolt, and possibly other phones could be. Users who root can delete one APK, /system/app/HtcLoggers.apk, to help fix this vulnerability. Some custom ROMs, such as CyanogenMod, do not feature this vulnerability at all. Similar to the PDF exploits that led to JailbreakMe on iOS, the way to make one’s phone safer is to hack it in order to remove vulnerabilities. Oh, the irony. HTC was notified of the vulnerability a week before the post went up, but didn’t promise a fix until October 4th (3 days after the story was initially reported), and an over-the-air update patching the vulnerability is in the works.

However, other Android manufacturers can’t just sit back and laugh at their competitor’s misfortune; Samsung’s Galaxy S2 has issues in the US. Specifically, lock screen security on the AT&T version of the Galaxy S2 can be bypassed by tapping the lock key to wake the device, letting the screen time out, and then pressing the lock key once again. This will bypass any security on the AT&T Galaxy S2; reports indicate that the Sprint Galaxy S2 does not suffer from this issue.

Apparently Android manufacturers need to keep a tighter lock on their devices’ security, as users could potentially find their devices and sensitive data compromised by shoddy programming.