After coming under fire for putting its customers’ privacy at risk, after it emerged that recent updates issued to its handsets shipped with new logging tools, HTC has confirmed that it has identified a security issue on some of its Android handsets and has vowed to “quickly release” an over-the-air update to patch the flaw, the company said in a statement.
Part of HTC’s new updates revolved around a reference in its Android implementation called “android.permission.INTERNET”, which could possibly enable the harvesting of contacts, texts, emails, call log and recent GPS locations – as found by developer Trevor Eckhart and detailed by the team at Android Police.
Whilst HTC has confirmed the security flaw, it says that its software doesn’t pose a risk to customer data but it could potentially be exploited by a malicious third-party application.
The HTC statement in full:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
The Taiwanese smartphone giant hasn’t given a definite release date but will likely have identified ways to patch the issue and will be working with carriers to issue the update to customer handsets – a process that is expected to lengthen the time between the development of a fix and its eventual roll out.