Android Central

Well, that was quick. Just a couple of days after a so-called "massive security vulnerability" was discovered in a few HTC phones, the Taiwanese manufacturer says a fix is on the way, telling Phonescoop:

"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability."

That's pretty much exactly how our own Jerry Hildenbrand explained this on Sunday. It's a fairly big gaffe (and likely an embarrassing one for some coders somewhere), and it's good that it was brought to light. But the sky really isn't falling, no personal data is oozing out the microUSB port of your phone, and nobody was scaling any walls.

HTC says the patch will be pushed out over the air after carrier testing.

Source: Phonescoop


Reader comments

HTC: Fix is on the way for security flaw


Not saying I know a thing about rooting or custom ROMs, but I took from the comments on the last one that if you completely got rid of Sense then it isn't a problem and therefore you don't need the patch.

I wasn't going to root my wife's HTC EVO Shift but I did just to delete this logger. I don't want to do an over the air because that requires upgrading to Gingerbread which causes HTC Sense to reload the home screen all the time which is very annoying and she has no desire to upgrade. I wish we could be selective about which updates we want OTA.

If you are rooted and running Sense you can delete the htclogger apk with Titanium Backup which solves your problem. You might have to remove your battery because your phone will get stuck in a force close loop but when you reboot the app is gone and the phone works properly. At least that is my experience on Android 2.2.

HTC will release the patch soon then VERIZON will hold on to it forever... we MAY see it next year.... Thanks big V

What I love about this is that a group called The Android Police (like they are protecting us) publicly releases info on the bug so that idiots without a life can exploit it. If you are protecting us then quietly go to HTC and tell them and then once it is fixed release a statement along with HTC explaining what you found and how it was fixed ASAP. Until then The Android Police should change their names to The Typical Media Machine!

While normally I would agree, they did go to HTC. When they received no response (I think the article said they waited a week), they went public to put more pressure on HTC.

They probably could've left out the details of how to exploit it while still getting the same results though.

That's not exactly what the article said. It said they received "no real response for five business days" after sending it to HTC on the 24th. The 24th was a Saturday. Depending on who it was sent to I don't know if 5 business days is really long enough to wait especially if you are beginning the communication on a Saturday. This also appears to be a violation of the RF policy they claim to follow. HTC did seem to respond but they either did not like the response ($5 says it was "we're looking into it") and they released the info anyhow even though the RF policy says any response is required. So yeah I think they set it up on purpose to act like they were being nice, but not really being nice.

That file is nonexistent on my MikG ROM. I'm guessing most of the custom ROMs have it stripped out as "bloat".

I wonder why phones are left so vulnerable to such security and malware attacks. Is the patch for all HTC phones international or only for US carriers?