Some HTC Sense devices found to contain security vulnerabilityAlex Wagner - Deputy Managing Editor, News Desk
HTC users, take note: a new security flaw has been found in some Sense-enabled handsets that allows apps with Internet permissions to gain some sensitive data on your handset that's being collected by an HTC logging app. According to the folks at Android Police, newer HTC phones running Sense (like the ThunderBolt and EVO 3D) include an app called HTCLoggers that collects data like phone numbers in your call log, email addresses, and GPS location info and then sends all of that back to HTC. Users are given the option to not have the data sent to HTC upon first setup of a Sense device, but that doesn't stop the HTCLoggers app from gathering the info in the first place.
The problem is that HTC's app is built in such a way that any other app that requests Internet access could gain access to the data inside HTC's logs. Because of this, it would be possible for someone to create a malicious app that asks for permission to access the Internet and then specifically gathers the data from this HTC app and sends it back to their own server.
HTC has responded to the issue, saying, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." Android Police points out that owners of a rooted device can remove HTC's logging app right now, but those of you that aren't currently rooted can't do much about the issue until HTC takes action.
Although HTC's logging app doesn't collect things like passwords, it's still a little unsettling to know that a malicious app could gain access to some of your data because HTC's software doesn't block any ol' app from accessing it. When we hear more from HTC on the matter, we'll be sure to pass it along. Until then, be careful about which apps you download, and make sure to avoid anything that you feel is suspicious (which you should be doing anyway). Be safe out there, folks! A video of the vulnerability in action is below.