Woo October 3, 2011 7:19 AM

Actually, it’s not a custom firmware but rather the official Android version by HTC that has that backdoor..

Homeland Security Dept. October 3, 2011 8:40 AM

Besides I read somewhere that it is only in the version created for U.S. market. If that claim is correct perhaps it is not a “bug” but works as designed.

Stupid Security Questions October 3, 2011 9:31 AM

That would be motivation enough for me to install Cyanogenmod. The latest version has options that not only actually enforce the proper security controls, they actually let you revoke permissions from apps that supposedly require them. I don’t think that ‘use your camera LED as a flashlight’ app actually needs SD card access, but without Cyanogenmod your only choice is use the app or don’t.

I was never a fan of the Sense interface anyways. It seems like everybody hates the manufacturer-specific Android skins. Here’s an even better reason not to use them.

Nick P October 3, 2011 10:45 AM

Like one commenter said, many custom ROM’s actually increase the security of the device by allowing permission revokation & other restrictions. Custom ROM’s with Superuser access also allow the installation of 3rd party security-oriented apps.

jggimi October 3, 2011 10:49 AM

The article was looking at Sprint only; it is quite possible that other carriers pushed a similar OTA update that produces the same exposure. I’m running CM7, but my wife still uses HTC Sense. I’ve sent her a link; perhaps this will finally get her to make the jump.

HiTechHiTouch October 3, 2011 11:57 AM

Looking at my phone:

Verizon Thunderbolt level 1.70.650.0 (currently shipping for VZW) does not have the reported vulnerability. Running the POC application received “Unexpected Error” “Connection Refused”.

Further, the “/system/app/HtcLoggers.apk” file does not exist (or is hidden). The Eckhart/Case writeup implies that it will be visible.

This Android release is Froyo. In theory, a Gingerbread version exists and could be distributed soon by VZW.

krez October 3, 2011 1:28 PM

The problem is the HTC custom tracking software doesn’t sandbox its collected data from other installed apps. Nothing to do with Android, everything to do with HTC Sense.

Will October 3, 2011 5:00 PM

So HTC have an app that records your email passwords… and uses TCP local loopback (at least its not public! Or is it?) to make it available (rather than the proper Android services mechanism complete with process policing).

Why have they started installing this on devices again?

Dirk Praet October 3, 2011 6:54 PM

Well, who needs Chinese government APT’s if corporations are already doing their bidding for them ? Downloading upgrades that turn your device against you. Reminds me of Will Smith in “I Robot”.

WhiteFox October 5, 2011 1:29 AM

Rooted HTC Incredible on Verizon, can not find the HtcLoggers.apk file. So it’s either not an issue with the Incredible, or not an issue on Verizon.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.