Security on the flubbed HTC EVO 4G LTE 4.3 update
If you upgraded to the Android 4.3 update in February that HTC waved in the HTC EVO 4G LTE community’s face, you’re not secure. You haven’t been receiving carrier-mandated updates to the operating system and you’ve got a device that’s like an open sore for vulnerabilities.
I didn’t worry about flashing the 4.3 update because I’m S-OFF and can flash whatever I want, or flash back. However, people in the non-root/S-OFF world who jumped through the hoops to get the update are finding that they’re not seeing any updates.
You may have heard of something called Heartbleed. It came out in the news in April of 2014 and was patched by the carriers on most of their devices shortly thereafter. POODLE attacks were shown to the world a week or two ago.
Along the way there have been thousands of bug fixes and patches to security exploits, and people who bought into HTC’s Android 4.3 upgrade are not seeing them except in applications that handle security themselves. The people who remained on the last Sprint release, however, are getting upgrades, even to this day.
There are some things you can do to remain a little more secure. First off, use a browser that does its own SSL and doesn’t rely on the system-provided API. Don’t connect to strange WiFi networks, as your connection can very easily be tampered with. Drop HTC a line asking why they released a product that they have not supported and that not even the carrier can support, because HTC locked it down and prevented you from changing it back.
Or if you’ve gotten an update, drop us a line. I haven’t seen one, and the HTC reps I’ve been talking with have stated that I should have known, when installing “test software,” that I might not be able to receive any future updates. Then again, the assumption when I installed it was that I would be receiving what it was a test for at some point in the near future.
If you’re S-OFF or rooted, grab a custom ROM that’s been recently updated to patch some of the vulnerabilities.
This may be the only time it’s demonstrably safer to run hacked root software by some developer last week than the software the manufacturer provided.