HTC and other Android phone manufacturers give their customers a difficult choice. As an HTC customer you are forced to choose between privacy and security or you warranty. HTC installs invasive software capable of sending private information to third parties without your knowledge or informed consent. The only way to get rid of these potential threats is to root your device.
A study from North Carolina State University found that the Android permissions model is often not properly enforced, especially by HTC. The result is that stock applications can be attacked to exploit their permissions. The study can be downloaded at www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf.
For my non-techie friends, what the report basically says is that if a game on your Android phone can know where you are by using a GPS, then potentially a completely different program that doesn’t have the ability to use your GPS can use your GPS to track you by using the game to help it. If a pre-installed application can record your voice and send SMS messages, then a malicious application that looks like a harmless game may be able to send expensive SMS messages, or record your phone conversations. The report also found that HTC and Samsung don’t appear to really care at all about the security and privacy of their users.
One of the best ways to improve security and privacy can be to remove applications that you do not use. Software has security flaws and programs that you do not use can still be exploited to allow a criminal to access your data, or determine your location. Knowing your location can lead to physical security problems while accessing your data can lead to identity theft or simply spam that the criminal profits from.
The unfortunate truth is that the only way to remove these security and privacy threats is to root the phone. Again for my non-techie fiends, rooting an Android phone is like having a cardkey to access a building and changing the access permissions so that you can go anywhere in the building at all, even into the security control room!
Here’s the problem with rooting your phone… for HTC, and probably most manufacturers, rooting the phone voids the warranty. As a matter of practice, if you back everything up properly and there is a problem that doesn’t completely cripple the device then you can restore the factory settings and HTC will not know you have done something to void the warranty, but the fact remains that the stance that HTC takes is that if you want to take any reasonable steps to improve privacy and security on your HTC device they will not honor the warranty.
As for why you can’t simply remove pre-installed applications, HTC will blame the carrier, such as T-Mobile and the carrier will blame the manufacturer.
Randy AbramsIndependent Security Analyst