HTC admits its proprietary “Sense” Android software has a glaring security hole and said it is working to patch it up before any malicious app makers try to exploit it.
The blog Android Police exposed the problem earlier this week. It found that the HTC Sense software makes it possible for a developer to create an app that says the only phone data it accesses is the ability to connect to the Internet, when in fact it could be grabbing sensitive user information like e-mail addresses, text messages, contact and calling history, and more.
The issue affects the company’s most popular phones including Spint’s Evo line, Verizon’s 4G Thunderbolt, and several others. It is a glitch specific to HTC’s special altered version of Android, meaning HTC caused the security hole, not Google.
Android Police reportedly contacted HTC about the problem last month but when the company shrugged off its complaints it decided to post the story.
And surprise, surprise, after it got picked up by all the major online publications, HTC suddenly decided to pay attention.
In a statement, the company wrote, “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application… A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”
HTC did not say when it expects the patch to be available.