HTC settles with FTC on charges it failed to secure logging data, exploitable flaws on millions of devices


HTC America has settled a case with the FTC today over failing to patch a vulnerability that allowed access to data from logging applications like Carrier IQ and its own tool called HTC Loggers. The case also took HTC to task for not correcting ‘programming flaws’ that allowed third-party apps to bypass Android security.

The settlement, embedded below, requires HTC to develop and release software patches for the vulnerabilities, which the FTC says were found in ‘millions’ of HTC devices. HTC America will also have to set up a security program designed to address security risks during the development of new devices. The company will also have to undergo an independent security assessment every other year for the next 20 years.

If you’re unfamiliar with the Carrier IQ mini scandal, it popped up in late 2011, when a developer discovered software in Apple’s iOS that logged data including calls, text messages and the content of web searches, as well as a bunch of other diagnostic data. The software, later identified as Carrier IQ, an independent data logging and testing suite, was then discovered on Android phones from many manufacturers, including HTC.

In fact, many carriers including AT&T, Sprint and T-Mobile used the Carrier IQ software to test their network capacities and more. Many manufacturers quickly moved to blame those carriers for the software even being on the devices.

The FTC went after HTC America because it says that it “failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices.” In other words, the Android customizations that HTC implemented on its devices, including adding Carrier IQ and not securing the data it collected, were what got it in hot water.

The FTC’s strongly worded settlement document paints an ugly picture of the security precautions taken with this data gathering:

Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.

The issues that the FTC found would not only allow access to logging data but also the ability to run potentially harmful third-party apps that took control over things like text messaging, recording audio and more without user consent.

The settlement ‘prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices’. This could curb HTC’s ability to tout safety and security as features of its devices in promotional material and manuals.

Though the blame falls on HTC solidly in this FTC settlement, Android doesn’t come away completely unscathed. It’s mentioned a bunch throughout and is likely on the radar of those regulatory organizations most keen on nailing software or hardware makers who fail to take decent precautions in protecting user data.

Image Credit: AFP/Getty Images
