(And it doesn't mean the sky is falling)

HTC

Update (Oct. 4): HTC says a fix is on the way. Original follows.

Another week, another bit of scary news that nobody is taking the time to properly explain.  This time it's more HTC data logging, and the way HTC is handling the data it collects.  Exposed in technical detail by Android Police, you'll see this spread all over the Internet for the next few days, so let's try to break down what is happening in simple terms we all can understand.

What's going on

When you first log in and set up your HTC Sense phone (so far this is only showing up on newer U.S. phones with HTC Sense), you're asked if HTC can collect and send data back home about your usage.  If you say "yes," it collects data about apps you're using, where and how your using them, and for how long -- then sends it back to the HTC mothership.  HTC has some use for this -- we figure it's to help see how to improve the next versions of HTC Sense.  That's not a bad thing.  If you opt-out, none of the data is sent back to HTC -- but that doesn't mean it's not still collected. 

Here's where it gets sticky.  HTC is collecting and logging data that lots of other apps also can collect, and we like it when they collect it.  Apps like alogcat (useful when everyone is looking for that OTA update link) or Sensorly collect device and network data.  But when you install those apps, you're told up front they are collecting potentially sensitive data.  HTC doesn't need to declare permissions to do this, because it's your operating system that's doing it, and not "just an app."  This data is then stored on your phone in a manner that other apps can get to it instead of being properly sandboxed.  We're not going to say where it's stored, or how to collect it (we don't promote that type of thing here) but the information is out there, ready for anyone else to use, and it's easy enough to get at. You just need to know where to look.  Some disruptive individual could write an app that mines this data, and sends back information to another server.  And after todays news, someone probably will.

What's being collected, and why the sky isn't falling for everyone

The next question you'll ask is "What kind of data is HTC collecting?"  It's not collecting passwords.  It's not collecting the text of any SMS message or IM you're sending.  What it is collecting is data that is unique to your phone (IMEI and device ID), your account names, geo-location, and phone numbers from your call logs.  If you're technically inclined, run a logcat locally to get an idea of the type of data that's available -- this is the kind of information HTC is storing.  How sensitive you consider this type of data can to be is something for each of us to decide.  Nobody can steal your bank password here, but they can know where you were the last time you used your GPS, and identify the device that did it.

So how to fix it?  Well, you can't if you're not rooted.  This is all part of your phone's operating system, but it is part that can easily be removed if you have the right permissions to remove it.  Head into the forums and look for the threads that are already there about it, or start a new one if you don't see one.  The advisers and senior members will be happy to guide you along if you want to take matters into your own hands.  If you're not feeling the whole root thing, just be careful what apps you install until HTC fixes the issue.  We hope that's soon.

The short, short version

HTC is collecting usage and system logs locally, as in on your phone.  It's stored in a way so that other apps can possibly access it and no longer have to collect it from the system in the normal way, properly declaring that it's doing so in the process.

Is this the end of the world?  Probably not.  And we're willing to bet this isn't a malicious act on HTC's part. But it certainly does raise a few eyebrows.

And it's something HTC needs to fix, and soon.

 

Reader comments

HTC collecting data in U.S. phones with HTC Sense, storing it in a very sloppy way

32 Comments
Sort by Rating

@ Gekko

Did you even read the linked Android Police article?? This isn't about HTC logging, as you put it, just battery stats. HTC logs absolutely everything you do and stores it in an unencrypted file that can be accessed by ANY app on the market with internet access (which almost all of them have).

Do you not care that HTC's poor coding in this regard allows any app on your phone to see your last 10 locations, display your ESN and MEID, read your emails and contact history, etc without permissions and allowing them to mine your personal data and send it off to a location of their choosing without your consent or knowledge?? Cuz I do.

This is equivalent to the IRS mistakingly posting your tax return online for anyone to see, thereby allowing people to see your SSN, address, income and dependents, etc...

The data cannot be accessed by any app on the market. It COULD be accessed by any app that requested INTERNET permissions, but only if the app was coded maliciously.

And as to the IRS analogy, I would equate it more to the IRS visiting your house and leaving your tax return on the table. Your new neighbors come over that you have never met and you invite them in to be polite and while you are not looking they read and take pictures of said tax return. HTC is not posting it online for everyone to read and it will only matter if an app is written to take advantage.

To that end, I do agree that HTC put something on the phones with a security hole in it, but I highly doubt they intentionally made it that way. That would be bad business, especially with all the security concerns as of late. I do feel, however, that if you opt out, they should not be logging it at all, even just locally if it is remotely accessible. Logging on device is fine, but store it safely and ask EACH time it is being transmitted, similar to crash reports asking to notify.

This isn't at all equivalent to the IRS listing your tax return online for everyone to see. Your data isn't posted online, it's on your phone. A malicious app designed to steal HTC user data would be required for anyone to steal your info. Also this isn't your SSN, bank passwords, or other sensitive data. It is exactly what was described above. Hyping up a problem doesn't help solve it, it just muddies up the water.

Is this a problem...yes. Is it something to worry about...maybe. Are we going to give up on HTC phones....AH NO!!!!!!!!!!!!!!!!!

The sky doesn't have to fall for it to be a bad thing. All an unfortunate side effect of a generation of lazy, the world owes me, mentality. Privacy matters and intrusive corporate behavior eventually means consumers lose.

Correct.  I can't fault anyone who feels this is a serious issue, nor people who aren't concerned.  The data is what is is, and some will care more than others.

It is something HTC needs to address, and I think everyone can agree on that.

Isn't the Android OS doing the same?
As I recall, Google was under the spotlight recently because of this

In fact a closed door congressional hearing is actively looking into both Google and Apple because of privacy concerns

citation needed.

The only thing I could find on the congressional agenda was a hearing on Google Search. Its hardly closed door. You can watch it right here.

You are missing the point of the news. You *can't* opt-out of it gathering this data and storing it in a way that other apps can access it.

Just to let you know if you rum miui or cm7 they do the same thing. But something tells me their code isn't as sloppy. Nothing to worry about as long as you trust the people collecting the info. I always opt in for them to collect data as it helps make a better product. Just remember its a phone and it can always be lost or stolen so don't keep anything too important stored on it and if you do make sure you have a way to remote wipe your phone.

Sloppy enough. The fact that the video and app prove that opting out does NOT opt out is more than enough for me. This could have been discovered by a hacker with malicious motives instead of someone who has brought it out in the open in hopes that theis serious security hole gets fixed.

This is exactly why manufacture skins should be optional on Android. HTC, LG, Motorola, etc. and not saying they all do it, though it is likely, but with possible information leaks and privacy loop holes these skins are probably the cause of it. If these skins were optional it wouldn't affect such a high number of devices and even if it did affect these devices, you could uninstall the launcher(skin) application until it was fixed. Bam problem solved!

If the info HTC is collecting is any where as inaccurate as the info about me on www.spokeo.com, then I have nothing to worry about. They had me down for being 50, I'm 30 and my dad as 30 when he's 51, 5 people in our family only 4 and about $70,000 short on my dads income.I'm also married and don't live there anymore. So I'm not to worried. I'm haven't be abducted my aliens yet...lol

I dropped Sense a little while ago (for Go Launcher EX). Does this mean I won't be affected since I don't use Sense?

You are still affected if you are not rooted and running non sense version of android. So unless you are running a custom rom of the aosp flavor, your data can still be accessed, and even with an aosp rom it probably still can be accessed just not as easily. But as the article says it's nothing that important imo.

Just because you are not using the Sense launcher does not mean Sense is not running. It is a part of the OS unless you installed a custom non-Sense ROM. If you go to the original Android Police article - http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-i... - there is an app where you can test to see if you are vulnerable (you can trust it - the app doesn't send anything, it just displays it for you to see or gives an error). If the app shows you logs, then you are affected. Newer Sprint HTCs seem to be the most prevalent, but there is the T-Bolt on certain SW versions and the myTouch 4G Slide so far discovered. The file is in the upcoming Vigor leaked build, but that is another story.

spoke to htc and they have no comment until a press statement is released. verizon is swapping out my tbolt for a droid charge....THANK YOU verizon! this is the last htc device i buy.

meh, I'm not too worried about it. Just watch out for what apps your installing.

And you don't have to wait for HTC to acknowledge it, just root and rename /system/app/HTCLoggers.apk to /system/app/HTCLoggers.apk.bak and you're good.