
HTC America Settles With FTC On Carrier IQ And HTC Loggers Issue

The FTC (Federal Trade Commission) has reported that HTC America has settled with it over the company's failure to secure the mobile devices it shipped to consumers. Charges were previously filed against the company for failing to take reasonable steps to secure the software of its mobile devices, such as tablets and smartphones, which placed individuals' sensitive information at risk.


Under the settlement agreement, HTC America will develop and release a software patch to correct the vulnerability in its software. In addition, the company will have to undergo a comprehensive security program as well as independent security assessments every other year for the next 20 years.

HTC America uses customized versions of the Android, Windows Mobile and Windows Phone operating systems on its devices. This customization allows the company to differentiate itself from its competition; however, it is also where the problem lies.

The problem started with the company's flawed customization practices, which seemed to neglect security. The company failed to follow standard secure coding practices and even failed to establish a process for dealing with vulnerability reports from third parties.

The complaint against the company deals with several vulnerabilities, most notably the way HTC devices handle the two logging applications, Carrier IQ and HTC Loggers. The insecure implementation of both apps, as well as programming flaws, allowed third-party applications to bypass the standard Android security system.

Because of this vulnerability, millions of HTC devices could easily be infected with malicious apps that could send out text messages, record audio, and even install other malicious apps without the owner knowing about it. Personal information such as financial records, credit card numbers or calendar appointments could easily be stolen this way.

The settlement also prohibits HTC America from making any false or misleading statements regarding the security of its devices.

via ftc