egzthunder1 · Sep 30, 2011 at 05:00 pm

Remember the CIQ Apps Found In HTC Devices? Well, There Is More And It Isn’t Pretty……..

For the last few weeks, we have been intensely covering security and privacy issues that involve quite a few of the latest HTC devices (Sensation, EVO 3D, etc). It was discovered by XDA Recognized Developer TrevE that there are multiple apps and services that basically collect all sorts of information about our devices, their usage, and everything that is done on them to later on be sent to some Amazon cloud drive. HTC has come back a couple of times with official statements saying that the apps are indeed harmless and that the information collected is to basically help HTC and the carriers to improve their products and services to us. Moreover, they claimed that, at least, the HTC services can be opted out and they would stop collecting said information. Well, TrevE has been doing a lot of research as of lately and further proved that not only can these services not be turned off by regular means, but also has shown, by doing an experiment in a controlled environment, that the apps are inherently dangerous as they can be easily exploited by virtually any app that has android.permission.INTERNET enabled, which a ton of apps in the market currently do.

The kind of information that can be pulled from the device could be enough, potentially, to clone a device completely if the person receiving this knows how to do it. The app seems to allow the dump of virtually all stats and values by the device. Regardless of HTC’s motives to collect this information, the important part about this, and really the core of the issue, is that the information from these apps can be easily intercepted and sent anywhere to anyone. For the skeptics in the room, TrevE has put together a small demo app (proof of concept) that shows what could potentially happen when this is intercepted. He also has put together a Youtube video that shows exactly what is going on. It seems that the only real way to get rid of these services is by rooting the device and manually removing them, but there is no known way to remove them from an unrooted device.

HTC has been notified about the issue approximately 5 days ago and we are still waiting for a response, which they said they are working on. You will have to keep in mind that this is only the first app that TrevE is working on, and if you remember from previous articles, there are 5 of them. Long story short, you can expect one of these articles on XDA at least once a week for the next month or so.

Well, HTC, as you may see it, this is no longer about us wondering why you are getting our information, but it was discovered that whatever you are using to get it is simply not secure. For the sake of your customer’s privacy, we request that you take the proper measures and release any and all necessary patches to fix this for any and all devices being affected. This is about people’s data falling in the wrong hands, so please we ask that you take action on this soon.

HTCLogger allows any app that has access to android.permission.INTERNET on devices such as the evo3d to obtain full access to query sensitive info such as network/appusagestats/meid/esn/phone#/past 10 location broadcasts and last known locations/and more.

http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=player_embedded

You can find the original thread here. Also, you can check if you are vulnerable by using the app found in this thread.

Want something published in the Portal? Contact any News Writer.

Thanks TrevE for the tip!


_________
Want something on the XDA Portal? Send us a tip!
TAGS:

egzthunder1

egzthunder1 is an editor on XDA-Developers, the largest community for Android users. I have been an active member of xda-developers since 2005 and have gone through various roles in my time here. I am Former Portal Administrator, and currently part of the administrator team while maintaining my writer status for the portal. In real life, I am a Chemical Engineer turned Realtor in the Miami area. View egzthunder1's posts and articles here.
Jimmy McGee · May 6, 2015 at 06:00 am · 4 comments

Vinsic 20,000mAh Ultra Slim Power Bank Giveaway

We have covered a lot of Android Accessories here on XDA TV. Mostly because we realize that there are not many phones out there designed specifically with us in mind. So we get powerful phones that don’t have the best speakers or batteries. To resolve this issue we can grab an accessory to fill the gap. In this episode of XDA TV, Producer Jordan reviews the Vinsic 20,000mAh Ultra Slim Power Bank. This device provides a great big helping of...

XDA NEWS
Mathew Brack · May 5, 2015 at 04:02 pm · 3 comments

T-Mobile Steps Up The War Against Verizon

T-Mobile has today launched a new attack on Verizon under the tagline of “Never Settle For Verizon” complete with eight new adverts and risk free trials for their customers. This is in retaliation to the new campaign from Verizon sharing the same name as One Plus's "Never Settle".     Following the latest “Never Settle” advert campaign from Verizon, T-mobile has surprisingly agreed, you shouldn't settle … For Verizon and to reinforce this point they have launched no less than eight...

XDA NEWS
Faiz Malkani · May 5, 2015 at 01:01 pm · 4 comments

Google #StepInsideAdWords Event Livestream

Ahead of the annual I/O conference scheduled to take place later this month, the Google AdWords team is set to unveil a host of new products aimed at better mobile experiences, improved event-tracking, scalability and more. Yesterday, a video highlighting the upcoming features was launched on the AdWords blog, and the event itself is scheduled to take place today at 9:30 AM PST / 12:30 PM EST. You can watch the live stream right here on this page, and while it doesn't require registration....

XDA NEWS
Share This