Vulnerability in HTC Android Devices Leaks Phone Numbers, Location, SMS, Emails Addresses, and More
According to a report from the AndroidPolice.com blog, Trevor Eckhart, Artem Russakovskii, and Justin Case have discovered that a recent update to HTC’s Sense UI software exposes a massive amount of personal information, thanks to the inclusion of new logging tools.
“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” Russakovskii commented.
The data exposed by the new Sense UI software includes a list of user accounts, including email account details and sync stats, last known network and GPS data, as well as limited history for each location, phone numbers from the phone log, SMS data, and other system logs. In addition, other details can be obtained by accessing the logging tools pushed by the recent update.
According to Eckhart, the vulnerability can be leveraged by any application on affected devices that requests a single “android.permission.INTERNET”, and by using that permission alone, can access at least the following:
• ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
• ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
• ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
• ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
• BATTERY_STATS Allows an application to collect battery statistics
• DUMP Allows an application to retrieve state dump information from system services.
• GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
• GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
• GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
• READ_LOGS Allows an application to read the low-level system log files.
• READ_SYNC_SETTINGS Allows applications to read the sync settings
• READ_SYNC_STATS Allows applications to read the sync stats
The “INTERNET” permission is normal for any Android application that shows ads, or uses the device’s data access to submit data or record things like game scores. AndroidPolice.com has currently singled out the EVO 4G, EVO 3D, HTC Thunderbolt, and also noted that the EVO Shift 4G, and MyTouch 4G could be vulnerable. They say that, in theory, it may be possible to clone a device using just a small subset of the information leaked.
HTC is looking into the reports, and said it would provide more information when available. Otherwise, no other comments have been made.
Those wishing to test their devices can use a proof of concept tool released by AndroidPolice.com, which can be obtained here. There is no fix for this problem other than to root the device itself or wait for a patch from HTC.
Related Reading: Mitigation of Security Vulnerabilities on Android & Other Handset Platforms