HTC Settles Flawed Phones Security Issue With FTC
According to federal officials, more than 18 million HTC smartphones and other mobile devices had security flaws that raised serious privacy concerns.
The Taiwanese company is one of the biggest smartphone sellers in the U.S., but its smartphones reportedly had security flaws that could allow users' locations to be tracked without their knowledge or consent, as well as theft of personal information stored on the devices.
The Federal Trade Commission (FTC) charged HTC with customizing the software on its Android- and Windows-based phones inappropriately. That customization allowed third-party apps to install software that could steal personal information, send text messages or even enable the device's microphone to record the user's conversations.
The move marks the FTC's first action to police a mobile device manufacturer. Smartphones and tablets are increasingly ubiquitous as tools for consumers to shop, bank or chat online, which means that greater protection is necessary to ensure that personal information and privacy are not compromised.
To settle the civil suit with the FTC, Bellevue, Washington-based HTC America agreed to issue software patches that close the security holes and to create a security program that an independent party will monitor for the next two decades.
"The company didn't design its products with security in mind," Lesley Fair, a senior lawyer in the FTC's Bureau of Consumer Protection, explains in a blog post. "HTC didn't test the software on its mobile devices for potential security vulnerabilities, didn't follow commonly accepted secure coding practices and didn't even respond when warned about the flaws in its devices."
HTC is currently updating its software and distributing it to users of some, but not all, affected devices, a company official said on Friday, Feb. 22.
"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data," HTC spokeswoman Sally Julien said in a statement issued to the media. "Working with our carrier partners, we have addressed the identified security vulnerabilities of the majority of devices in the U.S. released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them at once."
According to the FTC, the security flaws stemmed from HTC's customization of the OS software found on most of the affected handsets. With Google's Android, for instance, the system uses a permission-based security model to protect sensitive information and phone functions.
This means that when users attempt to install an application that is not a standard part of the operating system, they receive a notification asking them to agree that the app could gain access to certain information or functions.
HTC, meanwhile, preinstalled certain applications on its phones in a way that not only prevented users from removing them, but also disabled this permission-based model. Without it, newly installed apps had immediate access to personal data, without prompting the user to agree. That security flaw could, for instance, allow the software to secretly record users' phone calls or track their location without their knowledge or permission.
Flaws in the security system could also grant third-party apps access to phone numbers, text messages, browsing history and sensitive information such as credit card numbers and banking transactions. Such flaws also affected HTC phones running Windows-based operating systems.
HTC's customization schemes added many security vulnerabilities to its handsets, but a commission official said it remains unclear how many users faced illegal breaches into their phones and personal information.
The security flaw in HTC phones, however, is nothing new. The problem has persisted since at least 2011, when the company acknowledged the issues and developed software patches for some of the holes. Meanwhile, according to the commission, HTC's user manuals claim or imply that a user is protected against malware through the permission-based security model.
Over the next 30 days the FTC will collect public comments on the proposed solutions, after which it will decide whether to formally carry out the order. HTC faces penalties of up to $16,000 per violation if it subsequently violates the order's restrictions and requirements.