read the article, it is disturbing to say the least. Sprint C/S so far has provided me with NO help by phone. In fact a tech supervisor named "Tai" insists that this is IMPOSSIBLE. Without even reading the article. I believe this violates both Sprint and HTC privacy statements. the information acessible by any app circumvents the android permissions requirements for apk's. the amount of information provided by the exploit is vast. I am not quick to judge every supposed privacy violation as malicious, but this appears to be at the least negligent. I am quickly beginning to distrust Sprint, and HTC as they've not addressed it publicly, and Sprint at least so far has not even provided me with an individual who is qualified to understand threats like these.
2nd post from 1 contributor to the above article
Your answer from TAI is inexcusable and I am sure everyone at Sprint has seen this frightening news story. This is one that Sprint needs to address publicly by contacting all users with a fix within 24 hours. It IS serious and inexcusable that the fix is not already out.
From ARS Technica:
A security hole found in some HTC Android phones could give apps with Internet permissions access to information like a user’s location and their text messages, Android Police reported today. The vulnerability is part of HTC’s Sense UI and affects a subset of the brand’s most popular phones, including the HTC Thunderbolt and the EVO 4G.
The affected HTC phones have an application package titled HTCLoggers.apk installed with root-level access. Apps with Internet permissions can access HTCLoggers.apk, which provides access to information like GPS data, WiFi network data, memory info, running processes, SMS data (including phone numbers and encoded text), and system logs that can include information like e-mail addresses and phone numbers.
When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can send the data off to a remote server for safekeeping, as shown by a proof-of-concept app that Android Police researchers developed.
The authors note that the flaw can’t be fixed in the stock Sense UI without an update or patch from HTC. The owners of the relevant phones (a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete HTCLoggers from their devices if they root the phones.
While the report doesn’t note any concrete examples of nefarious use of the HTCLogger data, this is far more access than Google allows via Android by default—typically, the OS doesn’t let information of this type off a device without direct consent. HTC has made no official reply to inquiries from the researchers, and did not respond immediately to Ars’ requests for comment.
I saw this this morning. The fact that HTC has known for 5 working days and not made a statement is inexcusable! As far as I am concerned, Sprint and HTC has broken my contractl. They have less than 48 hours to correct this before I go to end my contract. I have already changed all my passwords from my home computer and turned off all connections for sync except the phone updates. Ball is in Sprints court.
Thank you for the additional review provided. It is helpful to know that the story is being followed elsewhere. As to "Tai", the individual seemed to stop short of giving me a real name, or even a "known by" name, which could be understood as a matter of personal privacy of members of call center support, but that was what they gave me. If anyone at Sprint would like information on call time, all they need to do is show interest. It will be interesting when I call again later today, to see if "Tai" even created a record of my complaint. Further regarding the C/S side of my complaints, I repeatedly asked "Tai" to forward me to someone in tech, as I did not believe that "Tai" sounded like someone who had the foggiest clue about anything technical. Example: when I stated that HTC included "code" with the current software for the EVO that left it vulnerable, "Tai" was quick to tell me that HTC would not have included "codes" (as if I were referring to some sort of password or trigger malicious activity), and I had to explain what I meant by "code" by referring to it as software. This prompted "Tai" to assure me that HTC could never have done that.
When I insisted to speak to a supervisor, I was told that "Tai", was the tech supervisor, and that I would not be able to speak to anyone else. I repeatedly asked for a number or email address for someone who could help me because my complaint was not being handled at all.
I believe this breach is genuine, and further I believe based on the singular fact that I have made attempts to inform the uninformed, and requested technical help on the matter, that Sprint is now knowingly violating their own privacy statement, and as such are effectively in breach of our two year agreement. As they would see fit to penalize me for such a violation, I am considering discontinuing my service with them. If I were to do this, they would surely attempt to charge me a fee for early termination, and I would then be able to take the matter to a court contesting the validity of that charge. My experience with Sprint C/S up to this point has beer adequate if not good. It would be a shame for 15 months of service with them, if they dismantled my trust over something so important to cellular customers nationwide, as the matter of privacy continues to be.
The information being gathered on my phone accessible to any developers software, is being stored poorly, and was not done with my knowing consent. The Android permissions are in place for a VERY GOOD REASON. With this being said, I would think Google has a horse in this race as well. Without the trust of all involved from the consumer, Android, HTC, and Sprint, the continued success of this beloved platform would be placed in question, probably quite rapidly.
I remain anxious to see a response from Sprint, as I have already placed a phone call, and intend to again today. I also created a ticket with HTC, and will report what I discover when I am contacted by them.
I am a member of multiple Android support forums with memberships in the millions collectively. My next step will be to move this discussion outside of Sprints walls. And don't doubt my willingness to share my experience with those on iphone and Apple forums as well.
I wouldn't be so aggravated if not for the condescension, and lack of qualification from "Tia" during my first conversation with Sprint on the matter. I simply continue to get angrier with each passing thought, and description to others about my phone call experience.
Another update issue! I've said it in other posts and Ill say it again here. There are obviously too many flavors of Android required to match all the kludge of hardware for Andriod phones. I liked My EVO... for the first year. It's still OK but hasn't been he same since the last update, and I did a complete factory reset beforehand. Look at the other phones having issues with their updates. The LG Optimus is a nightmare for those owners who updated.
You can't really blame Sprint.
These updates come from the hardware makers because they have to be specific to their phones. Obviously they are doing a terrible job getting them right. Now this security issue for HTC. Do we really trust what another update might break on our phones?
iPhone is the answer. Same hardware, same software for everyone. It WORKS WELL! Plus it will sync with my Mac. I have been waiting for this a long time on Sprint. No brainer.
- - - - - -
Here's the version I read on CNET today about HTC security issues:
HTC Android smartphones including the Evo 3D, the Evo 4G, and the Thunderbolt contain a flaw that gives Internet-connected apps installed on the devices access to personal information such as text message data, location info, e-mail addresses, and phone numbers, according to a trio of security researchers.
Researcher Artem Russakovskii says that he, Justin Case, and Trevor Eckhart have discovered a vulnerability involving logging tools that HTC recently installed on the devices during a software update.
Such tools, Russakovskii writes, might normally be used for remote analysis of problems on a device, among other things. But the problem here is that, because of this purportedly misguided update, "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the Web or shows ads)" can, Russakovskii says, get access to:
• "the list of user accounts, including email addresses...
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info"
For now, the only way for users to address the issue is to wait for a fix from HTC or to jailbreak the phone and remove the logging tools, according to Russakovskii. He advises owners of the devices to be especially vigilant about downloading suspicious apps.
I have a couple friends of mine that have Verizon (who both had the HTC Thunderbolt), and in light of this privacy threat, Verizon gave them both the new Droid Bionic phones when they called and complained. I would like to see if Sprint would be willing to do this with one of their phones, perhaps the Galaxy S II?
I've had Sprint since 2004, and I would really hate to switch to another carrier because they are too nieve to address the issue and protect their customers.
HTC is aware and on it already.
shaunofthedrums, thanks for the info on Verizon replacing the phones of your friends. I will give Sprint a call and see if I have any luck, not holding my breath. If anyone is able to get a phone replacement out of Sprint, please post details. I will do the same.