Ouch. Body shot. Boom. The Federal Trade Commission have slapped HTC for the security issues on many Android handsets made by the company.
The FTC complaint states that…
HTC (..) customized its Android-based mobile devices by adding and/or modifying various pre-installed applications and components in order to differentiate its products from those of competitors also manufacturing Android-based mobile devices.
Until at least November 2011, respondent engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security in the design and customization of the software on its mobile devices. Among other things, respondent:
(a) failed to implement an adequate program to assess the security of products it shipped to consumers;
(b) failed to implement adequate privacy and security guidance or training for its engineering staff;
(c) failed to conduct assessments, audits, reviews, or tests to identify potential security vulnerabilities in its mobile devices;
(d) failed to follow well-known and commonly-accepted secure programming practices, including secure practices that were expressly described in the operating system’s guides for manufacturers and developers, which would have ensured that applications only had access to users’ information with their consent; and
(e) failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities or respond to reported incidents.
HTC could have prevented this by including simple, well-documented software code —“permission check” code
Put simply, the pre-installed apps weren’t secure. Now, it might be difficult to understand this, but this paragraph perhaps describes the consequences best. The voice recorder app is used as an example.
Because HTC failed in numerous instances to include permission check code in its custom, pre-installed applications, any third-party application exploiting these vulnerabilities could command those HTC applications to access various sensitive information and sensitive device functionality on its behalf—including enabling the device’s microphone; accessing the user’s GPS-based, cell-based, and WiFi-based location information; and sending text messages—all without requesting the user’s permission.
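To make the "missing permission check" concrete, here is an added illustration in Android Java (this is not code from the complaint, from HTC, or from any real handset). It sketches a hypothetical pre-installed voice-recorder service that other apps can bind to and send a "start recording" message. The first class starts recording for whoever asks, so an app that was never granted RECORD_AUDIO can borrow the recorder app's grant, which is exactly the "on its behalf" problem the complaint describes. The second class refuses unless the sending app itself holds RECORD_AUDIO. All class, action and message names are assumptions; the check relies on the real `Message.sendingUid` field (API 21+) and `PackageManager.checkPermission`.

```java
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import android.os.Message;
import android.os.Messenger;
import android.util.Log;

/**
 * Hypothetical pre-installed recorder service (names are assumptions).
 * Other apps reach it via a Messenger; this variant never asks who is calling.
 * Because the service's own package holds RECORD_AUDIO, any third-party app
 * that can bind to it effectively gets the microphone without that permission.
 */
public class VoiceRecorderService extends Service {
    static final int MSG_START_RECORDING = 1;
    static final String TAG = "VoiceRecorderService";

    private final Messenger messenger =
            new Messenger(new Handler(Looper.getMainLooper(), this::handleCommand));

    @Override
    public IBinder onBind(Intent intent) {
        return messenger.getBinder();
    }

    private boolean handleCommand(Message msg) {
        if (msg.what == MSG_START_RECORDING) {
            startRecording(); // vulnerable: no check of the sender's permissions
        }
        return true;
    }

    void startRecording() {
        // MediaRecorder setup would go here; logging keeps the example short.
        Log.i(TAG, "recording started");
    }
}

/**
 * Same service with the permission check the complaint says was missing.
 * The privilege is not passed through: the sender must itself hold RECORD_AUDIO.
 * As a second layer, the manifest entry for this service should also carry
 * android:permission="android.permission.RECORD_AUDIO" (or android:exported="false"
 * if no other app needs it), so the system enforces the same rule at bind time.
 */
class HardenedVoiceRecorderService extends VoiceRecorderService {

    private final Messenger messenger =
            new Messenger(new Handler(Looper.getMainLooper(), this::handleCommand));

    @Override
    public IBinder onBind(Intent intent) {
        return messenger.getBinder();
    }

    private boolean handleCommand(Message msg) {
        if (msg.what != MSG_START_RECORDING) {
            return false;
        }
        // Message.sendingUid is filled in by the system for Messenger IPC (API 21+);
        // it is -1 when the sender is unknown, which we treat as "deny".
        if (!callerHolds(msg.sendingUid, Manifest.permission.RECORD_AUDIO)) {
            Log.w(TAG, "refusing START_RECORDING from uid " + msg.sendingUid);
            return true;
        }
        startRecording();
        return true;
    }

    /** True if any package running under the sending uid holds the permission. */
    private boolean callerHolds(int uid, String permission) {
        if (uid < 0) {
            return false;
        }
        PackageManager pm = getPackageManager();
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null) {
            return false;
        }
        for (String pkg : packages) {
            if (pm.checkPermission(permission, pkg) == PackageManager.PERMISSION_GRANTED) {
                return true;
            }
        }
        return false;
    }
}
```

The same pattern applies to the other capabilities listed in the complaint: a pre-installed component that sends SMS or reads location on request should gate the request on SEND_SMS or the location permissions of the caller, not on its own.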
The result is that HTC have to provide a patch within 30 days and they will be subject to a security review for the next 20 years. Yes, 20 years. Sure, it’s applicable only in the USA, but this is not what HTC needs right now.
Link – FTC