HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. These are the charges that the Federal Trade Commission (FTC) filed against HTC America. On February 22, 2013, HTC America agreed to settle the FTC’s charges.
Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.
To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications: Carrier IQ and HTC Loggers. It also found programming flaws that would allow third-party applications to bypass Android’s permission-based security model. The issues that the FTC found would not only allow access to logging data but also make it possible to run potentially harmful third-party apps that took control over things like text messaging, recording audio and more without user consent.
There is enough blame to go around. Many carriers, including AT&T, Sprint and T-Mobile, used the Carrier IQ software to test their network capacities and more. Many manufacturers quickly moved to blame those carriers for the software even being on the devices. In a situation like this there are many factors and many areas where certain things fall through the cracks. However, this is not a problem that can be taken lightly. It is a very serious issue that affects a lot of users.
The settlement requires HTC to develop and release software patches for the vulnerabilities which the FTC says were found in millions of HTC devices. HTC America will also have to set up a security program that is designed to address security risks during the development of new devices. In addition, the company will also have to undergo an independent security assessment every other year for the next 20 years.
In a statement from HTC America, the company said, "Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available."
HTC America neither confirmed nor denied any of the allegations that the FTC charged them with. The FTC said that patches are already being rolled out by HTC and operators in the U.S. HTC devices that have shipped running the Android 4.0/Sense 4 software or later already include the security fix.
Edited by Rich Steeves