HTC will have to set up a comprehensive security program to address the many security flaws in their mobile devices, according to the terms of their settlement with the Federal Trade Commission on Friday. HTC’s customizations on the software of its smartphones allowed unauthorized applications to access the personal information and location of the users without their permission.
The Federal Trade Commission, in its first attempt to police a mobile manufacturer, had charged HTC with customizing the software on its Android and Windows Phone based smartphones which allowed unauthorized third-parties to install software that could potentially steal personal information, gather location data, record phone calls or send text messages without explicit permission from the user. The commission alleged that HTC did not follow accepted secure coding practices and did not even respond when warned about the security flaws in its devices and went on to say that the company didn’t design its products with security in mind. The commission also said that the user manuals by HTC said or implied that the user was protected against such malware.
Google’s Android operating system employs a permission-based security model which requires the user to agree that an application be allowed to access certain personal information or control phone functions. However, HT pre-installed certain applications which disabled this permission-based model, allowing newly installed apps access to restricted data and functions. In addition, users were prevented from uninstalling or removing these pre-installed apps.
This left users vulnerable to several forms of fraud and malware, including the common text-message toll fraud, in which unauthorized text messages are sent from the user’s phone by a hacker to a number that charges for the delivery of the message. Flaws in the system could give third-party apps access to call logs, text messages, browsing history, and even banking transactions, though it is not clear how many users were affected by these security vulnerabilities. Though the issues were known since 2011, HTC had developed software patches for only some of the deficiencies.
As part of the settlement with the FTC, the company will have to develop a fix to the vulnerable software and will undergo security audits every other year for the next 20 years by an independent party. HTC was also prohibited from making false or misleading statements regarding security measures on its devices. The settlement may be a strong blow for HTC in its attempts to regain its lost market share, but as mobile devices have become a common means of transaction and communication, personal information and privacy will need to be safeguarded.
