Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Interesting Squid Recipes |
| Isaac Asimov on Security Theater »
October 3, 2011
HTC Android Vulnerability
Custom HTC firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization.
Posted on October 3, 2011 at 6:35 AM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Actually, it's not a custom firmware but rather the official Android version by HTC that has that backdoor..
Besides I read somewhere that it is only in the version created for U.S. market. If that claim is correct perhaps it is not a "bug" but works as designed.
That would be motivation enough for me to install Cyanogenmod. The latest version has options that not only actually enforce the proper security controls, they actually let you revoke permissions from apps that supposedly require them. I don't think that 'use your camera LED as a flashlight' app actually needs SD card access, but without Cyanogenmod your only choice is use the app or don't.
I was never a fan of the Sense interface anyways. It seems like everybody hates the manufacturer-specific Android skins. Here's an even better reason not to use them.
Like one commenter said, many custom ROM's actually increase the security of the device by allowing permission revokation & other restrictions. Custom ROM's with Superuser access also allow the installation of 3rd party security-oriented apps.
The article was looking at Sprint only; it is quite possible that other carriers pushed a similar OTA update that produces the same exposure. I'm running CM7, but my wife still uses HTC Sense. I've sent her a link; perhaps this will finally get her to make the jump.
Looking at my phone:
Verizon Thunderbolt level 1.70.650.0 (currently shipping for VZW) does not have the reported vulnerability. Running the POC application received "Unexpected Error" "Connection Refused".
Further, the "/system/app/HtcLoggers.apk" file does not exist (or is hidden). The Eckhart/Case writeup implies that it will be visible.
This Android release is Froyo. In theory, a Gingerbread version exists and could be distributed soon by VZW.
The problem is the HTC custom tracking software doesn't sandbox its collected data from other installed apps. Nothing to do with Android, everything to do with HTC Sense.
So HTC have an app that records your email passwords... and uses TCP local loopback (at least its not public! Or is it?) to make it available (rather than the proper Android services mechanism complete with process policing).
Why have they started installing this on devices again?
Well, who needs Chinese government APT's if corporations are already doing their bidding for them ? Downloading upgrades that turn your device against you. Reminds me of Will Smith in "I Robot".
Rooted HTC Incredible on Verizon, can not find the HtcLoggers.apk file. So it's either not an issue with the Incredible, or not an issue on Verizon.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.