Even more security issues found on HTC EVO 4G
In the wake of the recent Carrier IQ scandal, researchers at North Carolina State University have uncovered a significant number of vulnerabilities on the HTC EVO 4G that could be used by untrusted applications to send text messages, record phone calls, or even wipe all of the data from the phone without the owner's permission.
The study looked at eight phones total: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. The researchers used a software tool that they developed to analyze each application that comes pre-loaded on the phone, looking for "capability leaks": basically, system privileges that are left open for malicious apps to take advantage of without requesting the privilege from the user.
Who was the worst offender among these eight devices? The EVO 4G, with eight total "explicit" capability leaks, which allow malicious applications to exploit services that have been requested by another app without asking for permission.
What's the scariest part? The researchers were only looking at vulnerabilities caused by apps that are already installed. These pre-installed apps often cannot be uninstalled without rooting, and the researchers didn't even attempt a similar study of other apps that can be downloaded through the Android Market or Amazon Appstore. It should be noted that there are no known cases of these exploits actually affecting end users, but right now the potential is there.
So now, it's time to play the waiting game to see how HTC and Sprint will respond to the latest in what is becoming quite a long line of security SNAFUs.
[Ars Technica]