Saturday, March 2, 2013

FTC Settlement: HTC Must Patch Security Vulnerabilities


HTC America has been ordered to develop and release software patches for widespread security vulnerabilities that potentially affect millions of HTC devices, as part of a settlement announced by the Federal Trade Commission on Friday.
Under the terms of the settlement, the phone manufacturer will also be subject to independent security assessments every other year for the next 20 years, and must establish a program to address security risks during the device development process.
HTC said in a statement that it has addressed several of the security flaws noted by the FTC in its complaint and is working on fixes for those that remain unaddressed.
"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data," said HTC spokesperson Sally Julien in a statement about the settlement. "Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available."
The FTC's decision can be read as a signal to other phone manufacturers that the commission expects them to take consumer security seriously and to patch flaws as soon as possible after they are discovered.


Three issues were at the heart of the FTC's complaint against HTC: permission re-delegation, an unsecured manufacturer-provided application market, and vulnerabilities in communication mechanisms used by HTC phones.
Permission re-delegation occurs when an application that the user has granted a permission exposes that capability through an interface other applications can call, so that a second application which was never granted the permission can perform the privileged action by going through the first one. The FTC found that HTC failed to guard against this in custom preinstalled applications on several devices, giving third-party apps the ability to record audio, access geolocation data and send text messages without the user's permission.
The FTC also found that HTC included on its devices a pre-installed custom app store that allowed users to download apps outside the Android Market/Google Play ecosystem. The custom HTC app, however, "failed to include appropriate permission check code to protect this pre-installed application from exploitation," per the FTC. As a result, a third-party app on the phone could use the HTC app to install further software without the user's knowledge.
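Both findings above, the permission re-delegation in preinstalled apps and the app store that installed software for any caller, are the same defect: a pre-installed app that holds a dangerous permission exports a component which performs the privileged action on behalf of whoever invokes it, without checking that the caller holds that permission itself. The following is an added illustration of that pattern and its fix on Android; it is not code from HTC or from the FTC complaint, and the package, class, transaction and extra names are hypothetical. It uses the Android API of the period (IntentService, SmsManager.getDefault()).

```java
// Added example (not HTC's code; package, class and extra names are hypothetical).
package com.example.preinstalled;

import android.Manifest;
import android.app.IntentService;
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

/*
 * 1. VULNERABLE: permission re-delegation through an exported started service.
 *
 * Manifest of the pre-installed app (it holds SEND_SMS itself):
 *   <uses-permission android:name="android.permission.SEND_SMS" />
 *   <service android:name=".SmsRelayService" android:exported="true" />
 *
 * Any app on the phone, holding no permissions at all, can do:
 *   Intent i = new Intent().setClassName("com.example.preinstalled",
 *                                        "com.example.preinstalled.SmsRelayService");
 *   i.putExtra("to", "+15555550100").putExtra("body", "text the user never approved");
 *   startService(i);
 * and the message goes out under this app's SEND_SMS grant.
 */
public class SmsRelayService extends IntentService {
    public SmsRelayService() { super("SmsRelayService"); }

    @Override
    protected void onHandleIntent(Intent intent) {
        String to = intent.getStringExtra("to");
        String body = intent.getStringExtra("body");
        if (to == null || body == null) return;
        // Nothing checks who sent the intent. By the time onHandleIntent runs the
        // caller's identity is gone (Binder.getCallingUid() is our own uid), so a
        // check here could not help either: for started services the effective
        // fix is the manifest attribute shown in (2).
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
    }
}

/*
 * 2. FIXED (a): keep the started service but have the system enforce that the
 * caller holds the permission being re-delegated:
 *   <service android:name=".SmsRelayService" android:exported="true"
 *            android:permission="android.permission.SEND_SMS" />
 * startService() from an app without SEND_SMS now throws SecurityException.
 *
 * 3. FIXED (b): for a bound (Binder) interface the caller's uid is available
 * during the call, so the same rule can be enforced in code as well.
 */
class GuardedSmsRelayService extends Service {
    static final String DESCRIPTOR = "com.example.preinstalled.ISmsRelay"; // hypothetical
    static final int TX_SEND = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_SEND) return super.onTransact(code, data, reply, flags);
            // Refuse unless the calling uid itself holds SEND_SMS: a caller may
            // only do through this service what it could already do directly.
            GuardedSmsRelayService.this.enforceCallingPermission(
                    Manifest.permission.SEND_SMS, "caller lacks android.permission.SEND_SMS");
            data.enforceInterface(DESCRIPTOR);
            String to = data.readString();
            String body = data.readString();
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
            reply.writeNoException();
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

The same structure applies to the app-store finding, with "install a package" in place of "send a text": the exported component must demand of its caller the permission it is about to use. To audit a device for this pattern, list the exported components of preinstalled packages that carry no android:permission attribute (for example with `aapt dump xmltree <apk> AndroidManifest.xml`) and then read what privileged action each one performs.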
Two "insecure communications mechanisms," as the FTC calls them, are also covered by the settlement: HTC Loggers and Carrier IQ.
HTC Loggers, discovered by researchers in October 2011, was a security flaw that allowed third-party app developers to obtain users' sensitive data, including text messages, financial account passwords and geolocation data, from users' phones without their knowledge or consent. HTC quickly acknowledged the flaw and began work on a fix.
Carrier IQ, meanwhile, was software embedded on some HTC phones at the behest of wireless providers, who used it to monitor potential problems on their networks. However, researchers discovered in December 2011 that data collected by Carrier IQ could be intercepted by third-party apps, and that vulnerabilities in Carrier IQ could be exploited to make a phone send text messages without the user's permission. Several unofficial methods for blocking or removing it from customers' phones appeared soon after Carrier IQ came to light.

