Big HTC flaw!!!!

http://m.gizmodo.com/5845867/massive-htc-android-vulnerability-leaves-security-expert-speechless
I'm not sure if links work. Check Gizmodo for the Android flaw if it doesn't. Big news. Wow...
 
I saw a similar article today here: HTC Android phones may have “massive security vulnerability” | VentureBeat but I do not know enough about code, Android OS, HTC Sense and/or how this risk really manifests itself in the real world. This is my first Android device and I have had it since day 1 release (recently replaced with a factory refurb due to issues). I live in a fairly remote rural area so I suspect my risk may be less than others but I have been in various urban areas with this phone.

I look forward to seeing what more knowledgeable users have to say about this. On the face of it, it sounds absolutely inexcusable, as HTC has been making Android devices since the launch of the Android OS.

I hope this thread does not launch into a barrage of blind speculations and responses stick as closely as possible to factual information. Too often things like this can get blown out of proportion with wild uninformed speculation. There are plenty of extremely knowledgeable people here who will know the FACTS - so I hope they will post here and educate those of us who do not know, need to learn, and not let our imaginations get carried away from uninformed speculative posts.

Thanks in advance to the many helpful and knowledgeable people who post in this forum. I, and I am sure many others, have benefited greatly from your generous sharing of your time and knowledge.
 
I certainly hope HTC steps up and fixes this identified and confirmed problem.

I love their phones and sense.

Hopefully meaningful change comes, to how they test and release updates, with the identification and fixing of this serious flaw.

-Sev
 
The security "flaw" article is a big stinking pile of B.S.

Go into Applications->Manage Applications and find the HtcLoggers item.
Clear its data by pressing the "Clear" button.
Process doesn't get run again, data stays gone...it was probably only logging during the update.

I tried to connect to HtcLoggers, but the item requires root permission to run.
I even downloaded the proof-of-concept APK on my stock GB TBolt. I got the following result:

Unexpected exception:
/127.0.0.1:65511 - Connection refused

NONE of the tools interfaces are exposed to NON ROOT (i.e., STOCK) users.
ROOT users, as always, can remove the app, but no app can run this without root permission. The internet is just a big echo chamber, and nobody does fact-checking on the blogs. And how, pray tell, do they "know" this exploit exists on Vigor, as well, when they didn't even verify the Thunderbolt.
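Whether anything is listening on the loopback port shown in the error output above can be read from the kernel's socket table instead of inferred from one refused connection. This is an added example, not part of the original post: the sample table is constructed, and obtaining `/proc/net/tcp` from the device (for instance through `adb shell`) is an assumption.

```python
import socket
import struct

TCP_LISTEN = 0x0A  # kernel state code for a listening TCP socket

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:FFE7 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4321 1
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   2: 0100007F:A1B2 0100007F:FFE7 01 00000000:00000000 00:00000000 00000000 10077        0 5678 1
"""


def parse_listeners(table_text):
    """Return every listening IPv4 TCP socket as {ip, port, uid}."""
    listeners = []
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with an index such as "0:"; this skips the header.
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        ip_hex, port_hex = fields[1].split(":")
        # The address is a 32-bit value printed in little-endian byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append({"ip": ip, "port": int(port_hex, 16),
                          "uid": int(fields[7])})
    return listeners


def find_listener(table_text, port):
    """Listeners bound to `port`; an empty list matches 'Connection refused'."""
    return [l for l in parse_listeners(table_text) if l["port"] == port]


if __name__ == "__main__":
    # 65511 is the port from the error message quoted in the post.
    hits = find_listener(SAMPLE_PROC_NET_TCP, 65511)
    for hit in hits:
        print("listening on %(ip)s:%(port)d, owner uid %(uid)d" % hit)
    if not hits:
        print("nothing listening on 65511 at the time of the snapshot")
```

The table is a snapshot, so an empty result only describes the moment it was taken; repeat it after a reboot before concluding the service never listens.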
 
Sorry, the data exposed by this app will recreate itself with each text message you receive, call you make, location lock the phone does... clearing it is a short term solution, but unless you are going to make an app that is constantly clearing this after the phone does anything, that solution doesn't work.

As a user without root access sure you can't get into the correct part of the phone to view/edit the files it is collecting but who said users can do everything an app can do. Basically this is creating a file on the internal memory of your phone that can be accessed by any app, this data can then be transmitted to a server by the app that read the data given it has permission to use the internet.

I would also guess that if you were to restart your phone the logger would start running again upon boot. As to the statement about unreleased phones having the flaw if you look at the androidpolice article they have question marks beside them as they are unconfirmed by the site.

If you think you have solved the problem and it is no longer affecting your phone, then I would suggest that instead of just posting your "fix" here you submit it to one of the sites that is reporting on this. I would suggest Android Police, to let them test your theory; if it works I am sure they will give you credit for coming up with a fix that many others couldn't.
 
So what can non rooted users do? Constantly clear the app? Turn off location or sync?

Root...really that is the easiest solution to get rid of this, root and delete the apk. Most roms will have this omitted from future releases if they weren't already.

If you are unwilling to do that or unable to (don't have a Windows or Linux machine) then I really wouldn't worry that much about it; it is too much of a PITA to go clearing data that often, and be careful with what you download. I really wish HTC would have responded to the discoverer's initial report instead of doing nothing; then this would have been less public and people looking to steal data would be less likely to know of this being out there.
 
Yeah at this point there isn't a way to combat it without root access. As much as I hate task killers you could look into something like watchdog to put a kill on the logger apk and processes to see if it would kill them for you whenever they decide to launch. Hopefully HTC will address this and provide more info as to why it is around. I think I would opt to have it running and choose not to worry about it over running a task killer personally if I was in your shoes.
 
Yeahha, Thank you for helping us to get at least some clarity on the situation. You are often very helpful in this forum. I wonder, if they (VZW/HTC) ever get GB sorted out and stable for download - is there any chance they solve this exposure with GB?

If so, and as long as GB is on the table getting worked on RIGHT NOW, it seems that might be a good way to solve it across the board. I would imagine all T-bolt users will likely upgrade to GB as soon as it is finally stable.
 
I am afraid VZW will not address this; they do not have any responsibility for this, it is all on HTC. If they do the right thing they will either give reasons why it is on there and offer a way to turn off the logging feature. However I am not about to try to lead anyone to think HTC will do the right thing. This issue spans several phones so it isn't just VZW but also other carriers. Remember, carriers just approve updates; the OEM produces them and should be held responsible for things like this.

This is not an issue with the OS but something HTC has decided they want on the phones they produce. I am also on the lookout for the icrowd starting to claim that this proves Android is a lesser OS.

I think this is a BIG reason to root if you are on the fence (you can run a stock rom but remove this apk). I know after this and some other issues that have come from HTC and tracking what users are doing, it will be hard for me to buy another HTC device if I can't root it the day I purchase it. Samsung is looking better and better.
 
Please excuse my lack of familiarity (not experienced with code, rooting or any sort of programming alterations), but what is this? Is it something which can be run on non-rooted devices? Easily downloadable? Any side effects and/or other impacts on non-rooted functionality?
T.I.A.

CM7 is a ROM. You must be rooted to change ROMs. :-(
 
To be a little more in depth, rooting allows you to modify any file on the phone and you can install custom versions of the OS; these are called roms. The security flaw is in a part of the phone that you cannot edit on a non-rooted phone; it is part of Sense. CM7 is a rom based on Google's source code, not HTC's, so there are no elements of Sense present in CM7. You could very easily download the CM7 rom on a non-rooted phone but you couldn't do anything with it.
 
It is my understanding that this "Flaw" affects those of us running stock Froyo. However I cannot find HTCLoggers anywhere in Applications->Manage Applications->All. What am I missing?
 
It would be a system app. Not sure if it will show up under Manage Applications, as there are many apks that don't if they are system apps; look into running processes as well.
 