HTC 'investigating' security flaw uncovered by blogger

The flaw is believed to affect several models, including the EVO 3D released earlier this year

HTC is investigating claims that a security flaw in several of its mobile phones means personal information is being exposed.

The Android Police blog says a file containing a user's GPS location and email addresses can be easily accessed once internet permissions are granted.

Several models are said to be affected, including EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range.

HTC said it is looking into the claims "as quickly as possible".

"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," the company said in a statement.

"We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Systems administrator Trevor Eckhart produced a proof-of-concept app designed to show off the vulnerability.

By simply asking a user's permission to access the internet - a request popular with games apps seeking to post scores online - the app was able to access a file named "HtcLoggers.apk".

The file contained several key pieces of personal information, including:

  • The list of user accounts, including email addresses
  • A log of recent GPS locations
  • Phone numbers taken from recent call logs
  • SMS data, including recent numbers and encoded messages

The Android Police blog described the risk as "like leaving your keys under the mat and expecting nobody who finds them to unlock the door".

Rik Ferguson, director of security research and communications at Trend Micro, believes the risk should be an easy one to solve.

"It sounds like something very simple to patch," he told the BBC.

"They didn't anticipate that kind of information would be of interest. It's a lack of foresight rather than lax programming, I think. It should be something relatively easy to fix."
