WTF, HTC?

HTC “failed to employ reasonable security” on Android, says FTC

The millions of HTC tablets and phones affected must be patched within 30 days.

On Friday, the Federal Trade Commission (FTC) announced that it had reached a settlement (PDF) with HTC over notable security holes on its millions of tablets and Android handsets. HTC has now agreed to provide a patch within 30 days and be subject to a security review for the next 20 years.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,” the agency wrote in its complaint (PDF).

The agency also alleged that HTC’s user manuals “contained deceptive representations.” The FTC said that the Tell HTC application, which lets users report errors to HTC, does not actually allow users to opt out of sharing their location, despite a displayed option to do so.

Among other flaws, the FTC pointed to a preinstalled HTC custom voice application shipped on its phones. The voice vulnerability in particular, according to the FTC, “if exploited, would provide any third-party application access to the device’s microphone, even if the third-party application had not requested permission for that functionality.”

As the agency wrote in its own original complaint:

HTC could have prevented this by including simple, well-documented software code—“permission check” code—in its voice recorder application to check that the third-party application had requested the necessary permission. Because HTC failed in numerous instances to include permission check code in its custom, pre-installed applications, any third-party application exploiting these vulnerabilities could command those HTC applications to access various sensitive information and sensitive device functionality on its behalf—including enabling the device’s microphone; accessing the user’s GPS-based, cell-based, and WiFi-based location information; and sending text messages—all without requesting the user’s permission.
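The “permission check” the complaint describes, shown as an added Android Java example that is neither HTC’s code nor part of the FTC filing: a hypothetical exported voice-recorder service (the class, transaction code and output path are assumptions) that verifies the calling app holds RECORD_AUDIO itself before touching the microphone, so a caller cannot borrow the recorder’s own permission.

```java
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.media.MediaRecorder;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class VoiceRecorderService extends Service {
    // Hypothetical transaction code a client uses to ask this service to record.
    static final int TRANSACTION_START_RECORDING = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code == TRANSACTION_START_RECORDING) {
                // The check runs here, while the Binder thread still carries the
                // caller's identity, and it tests the CALLER's permission only.
                // checkCallingOrSelfPermission() would pass whenever this app holds
                // RECORD_AUDIO, which is exactly the deputy hole the complaint describes.
                if (checkCallingPermission(Manifest.permission.RECORD_AUDIO)
                        != PackageManager.PERMISSION_GRANTED) {
                    throw new SecurityException("uid " + Binder.getCallingUid()
                            + " did not request RECORD_AUDIO");
                }
                startRecording();  // privileged work happens only after the check
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }

    private void startRecording() {
        MediaRecorder recorder = new MediaRecorder();
        recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
        recorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
        recorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
        recorder.setOutputFile(getCacheDir() + "/rec.3gp");  // assumed path
        try { recorder.prepare(); } catch (java.io.IOException e) { throw new IllegalStateException(e); }
        recorder.start();
    }
}
```

Declaring the component with `android:permission="android.permission.RECORD_AUDIO"` in the manifest makes the framework enforce the same caller check on every entry point, including started (non-bound) requests, where checkCallingPermission() is not usable.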
