HTC bookmark images -- FUD free

Everyone should be concerned with their security -- especially when we're dealing with devices that can get lost, stolen or left in bars by accident.  A piece at BGR calls into question bookmark thumbnails that aren't deleted on hard-reset on the HTC Droid Incredible.  But the question is "Why?"

In an effort to stop any panic and FUD, let's break it down to see exactly what is happening, and see why it's not as big a deal as many are making it.  Follow the break to see our take on the whole issue.

What is going on?

The HTC Sense browser is closely tied in with the rest of Sense.  You know that nice bookmark widget that shows a preview of your pages?  Those previews have to come from somewhere, and it only makes Sense (see what I did there?) to collect them from the browser during your browsing sessions.

HTC Bookmarks widget

Those are the images everyone is talking about.  Yep.  Those innocent looking browser thumbnails.  All the speculation about HTC spying and stealing your info can be translated into HTC is caching small thumbnails to be used as bookmark images if you decide you want to use the bookmarks widget.

To make the whole situation worse (and likely the reason it got all blown out of proportion) is that on the HTC Incredible, the images are stored in internal storage.  Remember that the Incredible has 6 gigabytes of storage built in (plus the microSD card for good measure). And the internal storage is where it's saving these images, instead of on the microSD card like on other phones. And just like any pictures, music and movies you might have stored there, these images aren't deleted when you wipe your user data.

Just like they aren't wiped on ANY other phone that stores media on an SD card. 

The internal storage on the Incredible is in a completely separate area from your actual user data.  Don't believe me?  Plug your DInc into your PC, mount the Internal storage partition and look for a folder named emmc\.bookmark_thumb1\ .  It will look just like the sdcard\.bookmark_thumb1\ folder in my example picture above.  I don't have an Incredible or I would show you myself. 

Is it a genuine security concern?

No, and yes.  Many Android applications store images and other data on your phone's dedicated media storage area, which more often than not is on the microSD card.  This is fine, and it beats the heck out of using up precious space for apps.  The only time an issue could arise is if someone were to code an app that looks for the .bookmark_thumb1 folder and uploads the images somewhere.  It can't do this without asking for permission (so read those app permissions when installing), and even if it could there's no difference between what the HTC browser is doing and what Firefox or IE is doing on your home computer.  Internet cache saves processor time and battery life.  We welcome it.  To round it all up, passwords are saved as ****** on these thumbnails as well.

I still don't like it, so what can I do?

After each browsing session, delete the .bookmark_thumb1 folder with a file manager for a temporary fix. For a more permanent solution, delete the .bookmark_thumb1 folder, and replace it with an empty text file named .bookmark_thumb1. Put it in the same place where the original folder was, and this will keep the folder from re-generating. Kinda destroys the look of your bookmarks widget, but we always have a choice when using Android.

So relax, everyone. HTC isn't selling you up the river or trying to crack into your bank account.  They don't care what internet sites you're surfing, and even if they did they aren't checking. 

 

Reader comments

Inside the Great Bookmark Thumbnail Scare of June 17, 2010 (aka Relax!)

29 Comments
Sort by Rating

Looks like Windows 7, but I fail to see how that is relevant.

Thanks for the writeup, now maybe all the foil cap wearing folk can calm down a wee bit.

Rockcrawler you made my night with that comment lol LOVE IT!!!!!! I agree with all below THANK GOD FOR SOME D-INC NEWS. What took so long

Yup. No Windows 7 drivers for some I/O boards I play with, so when i have to use Windows it has to be Vista.

Why do people let BGR send them up?

How is this any different than the iPhone Cacheing images of recent web pages?

Well, at least it's a story containing the words HTC Incredible. It's a start, so I'll take it. On the lighter side, I like how this is a "security concern" while iphones have far bigger issues than anything found on Android thus far. Rickroll ftw!

I buy that it's "similar" to what IE and Firefox do on a PC. BUT, the difference is there you can send a "clear cache" command and all that data is erased. That apparently doesn't work here. So it DOES need to be fixed, so that there is a quick/easy way to clear all user browsing data, without having to go into a file manager and manually delete it.

Jerry, thanks for the story but i tried your method of putting in a blank text file on my EVO's sd card and it didnt work. and yes i erased the folder and did everything that is on the last paragraph of instructions.

You're trying to excuse the inexcusable. Look, I understand you guys are android fanboys, but you need to actually recognize that this is a significant issue with how Sense handles the browser thumbnails.

Yeah, the examples you gave are innocent. But what about when it screenshots a page that shows your bank account numbers? Or credit card information? Or any other sensitive information?

The biggest issue here is that HTC did NOT ask the user if it was okay for this to occur, when it should have been. The biggest issue is that HTC did not tell ANYONE that this was occurring behind the scenes. When it comes to capture of user data, even innocuous data, the company has a responsibility to notify users.

You guys would excorciate any other smartphone if the situations were reversed, so you should do it as well in this case.

Behind the scenes?
I call clearly visible in the users dedicated media storage, (where they have read/write access without any need for synchronization software) as well as a huge honking 4x4 widget with the pictures on it available for the homescreen pretty damn upfront.

All modern browsers cache data. You don't see me blasting any company about it. If it bothers you so much, better go grab lynx and stay safe. Or better yet, unplug.

Jerry, thanks for the story but i tried your method of putting in a blank text file on my EVO's sd card and it didnt work. and yes i erased the folder and did everything that is on the last paragraph of instructions.

Did the user know it was occurring? Did the user give permission?

If not, then you have no reasonable stance for defending thi.

This is probably a minor issue, but there is still an issue here. The failure for this folder to be wiped at a factory reset (and yes, I know why it is not, but it wouldn't hurt anybody for the browser to clear this folder when the browser is launched for the first time after a factory reset) means that somebody selling an Incredble, Hero, Eris, Evo, etc., has the chance of some sensitive information being captured without knowing it will happen. You can clear the cache within the settings for the browser, but you cannot clear this web image store.

In looking in my folder on my Eris, this was more than bookmarks - I have few of those. This had an image of hundreds of websites to which I have surfed.

I am sure that there was nothing sinister here - this was clearly an unintended mistake, one that HTC never guessed would be an issue. Still, it is good for us as users to know about this, and I think that HTC should themselves publicize this on behalf of their users.

if you sell your phone without wiping phone storage, then you leaving whatever pictures, and other data that was saved to it on there as well.

it's no different than not wiping an SD card and giving that with a sold phone. you are responsible to wipe your data.

a factory restore won't wipe an sd card, same with internal phone storage, as that is totally separate from the ROM that gets wiped with a factory restore.

an annoyance? yes.

some kind of major security flaw? hardly.

and finally, should htc add an option to clear this folder in the settings panel of the browser? yes.

i would much rather this be my biggest concern compared to some company's server allowing other people to view my account when they try to order a phone.

Settings > Applications > Manage Applications > Internet (the name of the browser in Sense) > Clear Cache

Settings > Applications > Manage Applications > Bookmark Widget > Clear Cache

Either of these should clear the images, but neither of them do...

I haven't tried HTC Sense another option because I don't want to clear all of that data.

@Droid800

ZOMG!!!!!! whoa whoa whoa, if you're trying to tell me that looking at PII on a cell phone is not safe ... you just blew my mind!

If your concern is "I don't want people to see what I've been browsing" thats a valid concern.

If your concern is "I don't want people to see PII" ... STOP LOOKING AT PII ON A CELL PHONE!!!!!!!!!!!!!

P.S. I seem to remember the entire GSM encryption algorithm being cracked AND PUBLISHED ON THE INTERNET. Hope you were all over that/AT&T/T-Mobile as much as you're all over HTC

Google Search = GSM algorithm cracked ;)

My concern is neither of those actually. My concern lies in the fact that HTC did not tell its users that this was occurring, did not offer the option of turning it off, and did not make it easily removable if a user chose to allow it.

Have you looked at these thumbnails (do you even own a sense enabled phone). If you had then you would not have made such a stupid point unless the text on the page is quite large it is utterly unreadable. name me one site that features your sensitive info in type larger than this. As for HTC not telling you that it was caching pictures of your browsing where the FUCK did you think it was getting them. As has been pointed out modern phone and computer OS's have this - how do you think things like apples coverflow works - it is NOT a security risk. Certainly someone could look at these images and find out you had been on porn sites or whatever but if that is a worry to you use a browser that doesn't cache images.

Htc, Google, and Verizon could get your data anytime they wanted, if they had the motive. And far more easily than a bookmarking conspiracy. Move along, nothing too see here. And dont bookmark pages with your full bank info and other sensitive data in plain text.

I've seen this on my Eris every time I mount it to my laptop. I just delete the images, and that's it. Honestly, there are other concerns out there for us smartphone users. Remember the banking app on the Market that was actually malware a few months back? It was on the Market FOREVER before someone questioned it. Like the article says, read those permissions. An ad-less battery monitor app shouldn't need access to your phone contact info and your location (just an example, not a real app).

I'd be OK with this if it was ONLY bookmarks that were being screen shot. But when I checked my Incred there were definitely screen shots there that were never bookmarked. I don't mind clearing cache every once in a while, but I have 8 bookmarks and 77 images in the folder. Delete All. This needs to be fixed!

The other day on this photo editing software I have it uploaded everything from my incred and put it in my laptop. I could jot figure out were all the thumbnails came from! But now I do