Between Androids, iPhones and BlackBerrys, the smartphone market has certainly diversified in recent years and HTC, a Taiwanese company, has been one seller leading the pack.
However, HTC was recently drawn into a lawsuit by the Federal Trade Commission (FTC) for security flaws associated with customized software and apps they released for their Windows and Android phones. Unbeknownst to HTC, the method in which the software was customized made it susceptible to security breaches; when installed, third-party applications were able to easily record phone calls, track user location and obtain personal information.
The lawsuit is focused on the severity of the security breaches and the method in which the company is seeking to improve the privacy of its customers. Most people check their emails and bank accounts, and store sensitive information on their phones; therefore, the security of these mobile devices is essential.
The HTC software and apps bypassed an important security feature of the Android operating system, the permission-based model. This model notifies the user that the installing application will have access to certain information stored on the device. The user can then decide whether access to this potentially private or sensitive information justifies the purpose of the app.
The software modifications conducted by HTC circumvented the permission-based model by pre-installing apps on phones. The pre-installed apps cannot be removed by users and allow future apps to gain access to private data, ranging from text messages to credit card numbers. Similar flaws also exist in HTC Windows phones.
Perhaps the most alarming aspect of the suit is that the company was first informed of the security problems in 2011 and developed patches for only some of the breaches that same year.
“Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010. We're working to rollout the remaining software updates now and recommend customers download them once available,” HTC stated in a press release.
Following the FTC’s charges against the company, HTC has agreed to settle the case by releasing patches that improve protection and by creating a program for security that will be monitored by a third party for 20 years.
Damages from the security breaches have not been pursued since the FTC does not have the power to determine fines in consumer protection cases. The Commission is accepting public views on all proposed solutions for a 30-day period after which it will decide whether to carry out the order. Once an order is issued, any violations by HTC can be penalized by fines up to $16,000.
