Over the weekend, Android Police uncovered a security issue with HTC Android phones running recent versions of its Sense UI, including the Evo 4G, Evo 3D, Thunderbolt, and more. The vulnerability basically breaks down like this: HTC is logging a lot of user data locally on the device so that some of it can be sent to HTC anonymously. You can, of course, opt out of sending this data to HTC, but even then Sense is still logging a lot of data locally without sending it. The data includes the content of your notifications, your phone's OS and hardware information, running apps, and a few more pieces of information. Unfortunately, that data is not properly protected on the device, so a malicious third-party app could gain access to it.
The good news is that to date there are no known instances of any malicious apps trying to gain access to these logs. That doesn't mean it's not a problem, however, and HTC has acknowledged the issue and is promising over-the-air updates to resolve it:
"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
"HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."
Until HTC releases the patch, regular users should think twice about downloading any apps that may look suspicious -- something you ought to be doing anyway. Power users can take care of that pesky log file right now if they've rooted their phones -- Android Central has details on how to do that. Meanwhile, we'll be watching to see just how quickly HTC and the carriers can get together to release these fairly high-priority OTA security updates.