HTC America has settled with the FTC (Federal Trade Commission) over concerns that the company put millions of customers' personal information at risk with insecure implementations of software on its devices. The FTC found that HTC did not take a reasonable amount of care in implementing best coding and security practices when creating software for its devices, having this to say:
"[HTC] failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties."
Those are some pretty strong words for the company, but where it really hits home is the consumer-facing issues that were caused by this lack of oversight. The FTC explains that HTC's implementation of Carrier IQ and HTC Logger on its devices left customer data vulnerable to attack, alongside errors that would let third parties bypass Android's built-in permissions system.
The second part of the FTC's complaint is that it finds HTC was deceptive in telling consumers about the security risks of its software implementations, stating that the device user manuals and interface of the "Tell HTC" app were misleading. Both of these issues in implementation are said to have undermined the normal consent mechanism of Android that would have kept users' data safe.
So what does this mean for HTC? The FTC is requiring that the company develop and release software patches for its devices that are affected by these vulnerabilities, and HTC has said that it has already released some patches at this point. Furthermore, HTC will have to submit to "independent security assessments" every 2 years for the next 20 years. HTC will also be forbidden from making misleading statements about the security of its devices and users' data going forward.
This is a pretty big finding from the FTC, but isn't necessarily uncommon. Although there may not have been widespread exploits taking advantage of these security holes, it's important that HTC is going to be making changes to help security going forward. We would have preferred that HTC had implemented best practices in the first place, rather than it coming to an investigation by the FTC.