In updating its Sense UI, HTC has introduced a set of logging tools that could let apps with Internet permission access users' confidential information like e-mail addresses and SMS data, app developers say.
The security vulnerability affects popular HTC Android smartphones including the EVO 3D, EVO 4G and Thunderbolt.
According to a report by Android Police, apps on affected phones that connect to the Web or show ads can access confidential information, such as the list of user accounts, including e-mail addresses and the sync status for each. The apps can also read the last known network and GPS locations, along with a limited history of previous locations.
The tools also expose phone numbers from the phone log, SMS data, encoded text and system logs, which include everything that any running app does. It is still unknown whether the encoded text can be decoded.
The security hole was discovered by app developers Trevor Eckhart, Artem Russakovskii and Justin Case after HTC released the Sense UI update.
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the Internet permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails, Russakovskii said.
The only reason the data is leaking left and right is because HTC set their snooping environment up this way, Russakovskii said.
HTC has also included an app called HtcLoggers.apk, which collects all kinds of data and provides it to anyone who asks for it by opening a local port.
Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be damn sure the information they collect is secured, Russakovskii said.
The affected HTC phones are the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G and MyTouch 4G Slide. The list also includes the upcoming Vigor and some Sensations, Android Police reported.
The report said the hole cannot be fixed unless the device is rooted or HTC issues an update. Users who choose to root their device are advised to remove HtcLoggers.
Meanwhile, HTC said it is investigating the issue and will provide an update if the claim proves accurate.