HTC to release urgent privacy fix for smartphones
HTC is to release an urgent update for several of its smartphones to fix a vulnerability which could leave personal information at risk.
The Android Police blog discovered that a user's GPS location and call logs could be easily accessed by net-enabled apps.
After investigating, HTC admitted the flaw could be "exploited by a malicious third-party application".
It said affected users will be notified of the update automatically.
"HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," a spokesperson said.
Users will be able to download the fix over-the-air.
The company has not yet confirmed exactly which models are at risk, but it is understood that the EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range are all susceptible to the vulnerability.
Until the patch is released, the company urges users to "use caution when downloading, using, installing and updating applications from untrusted sources".
The flaw relates to a particular file which contains a vast amount of personal information including GPS location history, SMS data, phone logs and e-mail accounts.
Apps can gain access to the file by requesting permission to access the internet - a common occurrence for apps that allow the posting of top scores or messages on social networking sites.
HTC said it has found no evidence that this flaw has been exploited for malicious purposes, but conceded that the flaw does pose a threat to the protection of the user's information.
The statement read: "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application.
"A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws.
"So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability."
The company said the patch will be released after a short period of testing, and users are urged to download the update promptly.
Artem Russakovskii, the blogger who made the flaw public, welcomed the quick action by HTC, but said he still had concerns over the manner in which large amounts of personal data are kept in the single file.
He wrote: "While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers."