HTC America Drops Ball on Mobile Security
Manufacturer HTC America has acknowledged Federal Trade Commission (FTC) charges that millions of its customers’ Android-based mobile devices were using software with potentially serious security vulnerabilities. The leading mobile device maker was ordered to make a patch available to all concerned parties before the end of March 2013.
The FTC recommends that consumers with HTC smartphones and tablets verify as soon as possible that their device has the correct security patch update installed. HTC America customers without the security patch update should contact HTC or their mobile service provider to see whether one is available yet for their model number.
HTC’s web site had this to say about security:
We believe that…setting reasonable disclosure deadlines in accordance with the severity of the bugs, is good for the overall security of our end-consumers.
...investigating, correcting, certifying and initiating deployment of a mobile device based correction takes time. The length of time can vary greatly depending on the complexity of the vulnerability.
The community over at the Ars Technica site certainly has strong opinions on the matter. SinclairZX81:
It's going to be VERY interesting watching how fast this rolls out (or doesn't). If they can do it in 30 days under court order, including carrier review and approval, then it rather casts some doubt on the whole, "we deploy updates as fast as we can!" excuse(s) we've been hearing for years now.
That's a lot of patches across a lot of devices.
I don't think Android updates are the issue here. The issue is HTC's crapware apps and Android tweaks that knock down the permission constraints. I suspect that every affected HTC handset will merely receive the same Android OS version they already have, minus the vulnerabilities.
If this wasn't the case, every manufacturer will eventually have to move to the latest and most secure version, v4.2.2. This won't happen. I mean there are too many underpowered devices out there already.
HTC’s report card from the FTC, not impressive:
- Security training for engineering staff: F
- Security reviews for their mobile device software: F
- Following industry standard security coding practices: F
- Processes in place for accepting third party vulnerability reports: F
The FTC will be hosting a forum on mobile device security on June 4, 2013. They are seeking potential panelists with expertise in mobile matters who can offer solutions to the thorny issue of protecting mobile users’ privacy and data. Contact them by email at firstname.lastname@example.org or by phone: Emily Cope Burton at 202-326-2728 or Colleen Robbins at 202-326-8548.
Brandon Holt, Preston Briggs, Luis Ceze, Mark Oskin May 21, 2015