HTC is working on a patch to address the “massive” security vulnerability identified in its Android smartphones, the company has confirmed, though it has denied that the privacy loophole has resulted in any leaked data. “While this HTC software itself does no harm to customers’ data,” the company suggested in a statement given to Engadget, “this is a vulnerability that could potentially be exploited by a malicious third-party application.”
As a result, the company says it is “working very diligently” on a security update that – after a period of “short” carrier testing – will be pushed out as an OTA upgrade to Android device users. No exact timescale has been given, but HTC seems to recognize that time is of the essence if it wants to close the door on this without any users actually being affected.
Found over the weekend, the issue concerns what permissions are allowed in HTC Android devices, and how apps could – without users being aware – have access to GPS data and other content.
Full HTC Statement:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
[via Android Community]