HTC America is a leading manufacturer of smartphones and tablets using the Android, Windows Mobile, and Windows Phone operating systems. The company’s motto is “quietly brilliant.” But based on an FTC lawsuit challenging the company's security practices, consumers might be surprised to find out their devices have also been “quietly vulnerable.” To settle the case — the FTC’s first against a device manufacturer — HTC has agreed to a far-reaching settlement that imposes a first-of-its-kind remedy: patching vulnerabilities on millions of mobile devices.
Where did HTC go wrong? The 10-word summary of the detailed complaint: The company didn’t design its products with security in mind. For example, HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices, and didn’t even respond when warned about flaws in its devices. As a result, in the process of customizing its products, HTC introduced numerous security vulnerabilities that malicious apps could exploit to gain access to sensitive data and compromise how the device worked.
You’ll want to read the complaint for the details, but one vulnerability involved HTC’s implementation of two logging applications — HTC Loggers on its Android devices and Carrier IQ on both Android and Windows Mobile devices. Logging apps (which have nothing to do with lumberjacks) collect data used to diagnose device or network problems. Because the information they access can be sensitive, it’s important that they communicate securely. But according to the complaint, HTC bypassed well-known, safer alternatives and used less secure methods. The result? Any third-party app on a user’s device that could connect to the internet also could communicate with the logging apps. That allowed for unauthorized access to users’ phone numbers, browsing histories, the numeric keys they pressed, contacts’ numbers, and other info best kept secure.
Furthermore, the FTC says that when HTC installed Carrier IQ on its Android devices, it shipped the devices for sale, but forgot to turn off the “debug code” used to test the logging application. Because of that mistake, all of the sensitive user data logged by Carrier IQ was also written to the device’s system log, which was accessible to any third-party app with permission to read it.
But that’s not all. The FTC also charged that HTC undermined the security protections built into the Android operating system. The Android operating system protects certain sensitive information, like a user’s location or the contents of texts, through a "permissions"-based model. Before installing a third-party app, the Android system tells the user what sensitive information or functionality the app says it needs to work properly. The user then has to accept those permissions to complete the installation. The same holds true for certain device functions — for example, recording conversations through the microphone or taking photos with the camera.
Unfortunately, HTC pre-installed custom apps (which consumers had no option to remove) on its Android devices that undermined the permission-based security model through a vulnerability known as permission re-delegation. That happens when an app that has access to sensitive info gives an unauthorized app the same access. (The analogy isn’t exact, but it’s like giving a friend the combination to a safe only to find out he’s handing it over to anyone who asks.) For example, under the Android framework, a third-party app has to get a user’s permission to access the device’s microphone. But HTC pre-installed a custom voice recorder app that, if exploited, would give any third-party app access to the mike even if the app hadn’t asked for the user’s permission. Think of the possible consequences: malware that could secretly record your phone conversations or track your location. It also opened the door to things like toll fraud, the practice of sending texts to premium numbers and charging users’ phone bills without their consent.
It’s a security hole the FTC says would have been easy to plug by using "permission check" code, a simple method for making sure the third-party app has the necessary permissions. Just an isolated risk on a few phones? According to the FTC, these vulnerabilities affected more than 18 million HTC devices.
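The permission re-delegation flaw and the "permission check" fix described above, shown as a small model added here for illustration (it is not HTC's code or Android API code). The UIDs, class names and entry-point names are hypothetical, and the audit helper probes each exported entry point as a caller that holds no permissions.

```python
# Added model of Android-style permission checks (not Android API code).
# UIDs, class names and entry-point names are hypothetical.
RECORD_AUDIO = "android.permission.RECORD_AUDIO"

class SecurityError(Exception):
    """Stands in for Android's SecurityException."""

class PackageManager:
    def __init__(self, granted):
        self.granted = granted  # uid -> set of granted permissions
    def check_permission(self, uid, permission):
        return permission in self.granted.get(uid, set())

class Microphone:
    """Protected resource: the platform checks the UID that opens it."""
    def __init__(self, pm):
        self.pm = pm
    def capture(self, opener_uid):
        if not self.pm.check_permission(opener_uid, RECORD_AUDIO):
            raise SecurityError(f"uid {opener_uid} lacks {RECORD_AUDIO}")
        return b"constructed-audio-frames"

class RecorderApp:
    """Pre-installed app holding RECORD_AUDIO with exported entry points."""
    def __init__(self, uid, pm, mic):
        self.uid, self.pm, self.mic = uid, pm, mic

    def record_unchecked(self, calling_uid):
        # Re-delegation: the microphone sees the recorder's UID, not the caller's.
        return self.mic.capture(self.uid)

    def record_checked(self, calling_uid):
        # Permission check: the caller must hold RECORD_AUDIO itself.
        if not self.pm.check_permission(calling_uid, RECORD_AUDIO):
            raise SecurityError(f"caller uid {calling_uid} lacks {RECORD_AUDIO}")
        return self.mic.capture(self.uid)

def redelegating_entry_points(app, names, unprivileged_uid):
    """Names of entry points that still serve a caller with no permissions."""
    leaky = []
    for name in names:
        try:
            getattr(app, name)(unprivileged_uid)
            leaky.append(name)
        except SecurityError:
            pass
    return leaky

def audit_demo():
    pm = PackageManager({1000: {RECORD_AUDIO}, 10050: set()})  # constructed UIDs
    recorder = RecorderApp(1000, pm, Microphone(pm))
    return redelegating_entry_points(recorder, ["record_unchecked", "record_checked"], 10050)
```

On a real device the same check is made against the identity of the calling app during the inter-process call, so the privileged app never lends out a permission the caller was not granted.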
It didn’t stop there. The FTC says HTC pre-installed a custom app that could download and install apps outside of the normal Android permission process. Again, the company failed to use simple code to fix the security gap — and that lapse could have been exploited by third-party apps to install unauthorized apps onto the device. That means that all kinds of malware could be downloaded and installed on a device without the user's knowledge or consent.
Count 1 of the complaint charges that HTC failed to use reasonable and appropriate security practices in the design and customization of the software on its mobile devices. That, alleged the FTC, was an unfair practice.
Count 2 addresses statements in HTC's Android manuals that users would be notified before installation when a third-party app required access to personal info or certain functions and settings on the device. The FTC charged that HTC’s security vulnerabilities rendered that promise false or misleading.
Count 3 deals with statements made by HTC’s "Tell HTC" tool that reports log info back to the company in case of a crash or error. The tool claimed to give people a choice to check a box that said "Add location data." But even if users didn’t check the box, the security vulnerabilities introduced by HTC meant that their GPS-based location info was sometimes collected regardless. So according to the complaint, what the company said about its Tell HTC tool was false or misleading.
If you have clients in the mobile marketplace, read our next post for more on the HTC order — including details of the ground-breaking remedy and insights into what the case means for your business. In the meantime, here are three need-to-know nuggets:
- If you have an affected device, the good news is that security patches are being deployed. It's wise to apply the updates ASAP.
- Need answers now? FTC staff will host a Twitter Chat about the HTC settlement today from noon to 1:00 ET. Follow @FTC and tweet questions with the hashtag #FTCpriv.
- Mark your calendar for June 4, 2013. The FTC is hosting a national forum on security threats to mobile devices that you won't want to miss. More about that soon.