Your trusty HTC phone may be giving all your internet-connected apps access to your private data, including text messages, location information, system logs and address book details, according to researchers.
Artem Russakovskii, Justin Case and Trevor Eckhart claim to have found the serious hole present on the HTC Evo 3D and HTC Thunderbolt, among other HTC handsets.
Update: HTC has sent TechRadar the following statement on the matter, promising to look into it post haste:
"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."
It seems that on these handsets, any web-connected app can currently make a single android.permission.INTERNET request and gain access to a wealth of user information.
The 3.5MB log file exposes details like CPU info, file system logs, a list of installed apps and permissions, battery info and status as well as the location data, address book access and text message details.
It's all down to a logging script which HTC introduced in recent software updates; because we like HTC, we're inclined to say that the script was originally intended to collect data in order to make handset trouble-shooting easier rather than an intention to spy on its users or sell this data on.
But the sheer amount of personal data that's there for the taking by any old app developer adds up to pretty scary stuff – the ball's in HTC's court now, we look forward to seeing what action the company takes.
From Android Police
Article continues below