HTC has agreed to a settlement with the Federal Trade Commission over security problems that left its phones open to hijacking or theft of personal data. Like many other devices, HTC phones and tablets come with software that tracks device logs or user location — in its case, both an Android tool called HTC Logger and the controversial Carrier IQ. But the FTC says that the company failed to implement strong security. "Because HTC used an insecure communications mechanism, any third-party application on the user’s device that could connect to the internet could exploit this vulnerability" to take device logs from either HTC Logger or a custom overlay for Carrier IQ.
On Android, the FTC says hackers could both find personal information about the user's phone and perform actions like sending text messages. A similar problem with custom app installation software meant it was possible to "command this pre-installed application to download and install any additional applications from any server onto the device without the user’s knowledge or consent." Major HTC Logger security issues were uncovered in late 2011 by Android Police, which found that apps could surreptitiously request everything from email addresses to GPS location with simple commands. This settlement addresses many of these claims, as well as similar issues with Carrier IQ.
HTC previously said that no customers had been affected by the logging problem, and it promised (and issued) a 2011 patch that would fix the issue. Now, the FTC is requiring the company to patch any remaining vulnerabilities and to develop a security program that will prevent future ones, as well as undergo assessments every other year for the next 20 years and refrain from publishing any misleading information about its security. HTC won't pay fines or see other major punitive measures, but the settlement gives the FTC harsher enforcement options if future breaches occur.