The smartphone security debate just got a bit more tense. NewsFactor, among other sites, this week reported on a particularly insidious-sounding vulnerability found in HTC Android phones.
Researchers looking at a variety of HTC phones, including the EVO 3D, EVO 4G and Thunderbolt, found the vendor had installed logging tools in recent updates. The story says that the harvested information is valuable and that the reasons for collecting it are unclear:
The loggers collected a large amount of data about user activity, presumably to monitor performance, provide for remote analysis, or other reasons, although the exact reason for the data collection is unknown.
That's not all. Here is a somewhat more specific paragraph from near the end of the story:
Other information that may be exposed includes notifications, IP addresses, system data and logs, information on installed apps, content providers, battery status and other data.
It is, in a word, creepy. It is made worse - much worse - by the fact that any app requesting access to the Web can use this information. Artem Russakovskii was one of the researchers. He posted a full description - with a tremendous amount of technical data that most of us will not understand - at Android Police. He is particularly upset that the information is not being secured:
In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
This is the type of post that writes itself, as they say in old movies. The idea that vendors and developers are including this type of access deep in the bowels of the applications they write is unconscionable. This is particularly true in an era in which smartphones are increasingly used for valuable applications - including as replacements for wallets.
The conclusions write themselves as well. If HTC is doing this on purpose, it has to stop. If this was some sort of accident, it has to put safeguards in place to protect user data. In the bigger picture, the increasing value of what people do with their mobile devices means that it is absolutely necessary for a code of conduct to be created. This must be followed by a set of laws exerting tight control over how this data is collected, stored and used.