The Federal Trade Commission (FTC) would like for HTC America to be a bit more careful in making sure the software it develops for smartphones and tablets is secure.
In a settlement announced today, HTC has agreed to do so. Specifically, the company will fix vulnerabilities in millions of HTC devices and will develop a program to avoid such oversights in the future.
HTC develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. Like all manufacturers, it has customized the software on its devices in order to differentiate itself from competitors and to comply with the requirements of mobile network operators.
And that, says the FTC, is where the problem lies. The commission said HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.
The FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications -- Carrier IQ and HTC Loggers -- as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.
Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent.
The FTC alleged that malware placed on consumers’ devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries concerning doctor’s appointments.
In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the user’s geolocation information and the contents of the user’s text messages.
Moreover, the complaint alleged that the user manuals for HTC Android-based devices contained deceptive representations, and that the user interface for the company’s Tell HTC application was also deceptive. In both cases, the security vulnerabilities in HTC Android-based devices undermined consent mechanisms that would have otherwise prevented unauthorized access or transmission of sensitive information.