i2 Security Blog

Keeping you up to date on the world of IT Security


Massive security hole in HTC Android devices

A new piece of software pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private information on the handset.

Trevor Eckhart discovered the vulnerability and informed HTC about it, but after five days without a response he decided to go public with it.

He made demonstration code available for it and a video showing how an application that is supposed to see almost nothing can now see almost everything.

So an application that is supposed to be restricted to accessing the internet – a common ability requested by freebie apps to collect advertisements – can also access the user’s location and details of all their synchronised accounts, not to mention the list of running tasks, the state of Wi-Fi connections, and system logs.

A system package called HtcLoggers.apk is collecting the data. It is installed by HTC on a range of Android handsets for reasons that have not been identified. The logging package accumulates data all the time, but it also exposes an interface that other applications can use to request specific information – it even has a “help” command for those who don’t know what it is they want to know.

The type of information collected includes system information as well as the account and location data, which most users would probably deem sensitive, and the internet privileges requested also mean the application can send the data off to unknown parties.

Eckhart produced a demonstration app, and is asking people with HTC handsets to take a look and help establish how widespread HtcLoggers.apk is.
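For anyone who wants to check their own handset, the following script (an added example, not Eckhart's demonstration code and not HTC's) uses adb to look for HtcLoggers.apk in the installed-package listing. It assumes adb is installed with USB debugging enabled, matches on the apk file name from the post rather than on a package name (which the post does not give), and reports whether the file sits on the system partition, which is where an OEM-installed package would be.

```shell
#!/bin/sh
# Added example: check a connected HTC handset for HtcLoggers.apk via adb.
# Assumption: 'pm list packages -f' prints one entry per line in the form
#   package:<apk path>=<package name>

# Read a package listing from stdin and print any entry whose apk file name
# matches $1. Returns 0 if at least one match was found, 1 otherwise.
find_apk_in_listing() {
    apk="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        entry="${line#package:}"
        path="${entry%%=*}"         # apk path before the '='
        pkg="${entry#*=}"           # package name after the '='
        case "$path" in
            */"$apk")
                found=0
                # /system/app means it shipped in the firmware, as the post describes
                case "$path" in
                    /system/*) origin="system partition (OEM-installed)" ;;
                    *)         origin="non-system location" ;;
                esac
                printf 'FOUND %s (%s) at %s [%s]\n' "$apk" "$pkg" "$path" "$origin"
                ;;
        esac
    done
    return "$found"
}

# Query the attached handset and run the check against the live listing.
# Returns 2 if adb is not available, otherwise find_apk_in_listing's status.
check_handset() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    adb shell pm list packages -f | tr -d '\r' | find_apk_in_listing HtcLoggers.apk
}

# Run the live check only when invoked as: sh thisscript.sh --run
case "${1:-}" in
    --run) check_handset ;;
esac
```

A non-zero exit from check_handset with no FOUND line means the package was not listed on that handset.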

This appears to be a serious issue, especially given the fact that free apps often ask for internet privileges to collect embedded adverts. Such an app could now harvest data to use in other types of attack. Also bear in mind that as the code is now publicly available, I imagine someone somewhere is working on this already.

If you have an HTC handset, it may be worthwhile not installing any new free apps until HTC have fixed this issue.

Droidsheep – Android Session Hijacking Application

Following in the footsteps of Firesheep comes Droidsheep, which allows one-click session hijacking using your Android smartphone or tablet.

It’s as simple as starting Droidsheep on your smartphone or tablet and waiting for someone on the same wireless network to connect to one of the supported websites. From then on it is easy to jump onto that person’s session and ‘become’ that user.

It was apparently designed to show the weaknesses of using non-SSL sites; however, a tool like this will always be used with other goals in mind.