The vulnerabilities placed sensitive information about millions of consumers at risk and potentially permitted malicious applications to send text messages, record audio and install additional malware without a user’s knowledge or consent.
The FTC identified many vulnerabilities, including the insecure implementation of two logging applications, Carrier IQ and HTC Loggers. The agency also found programming flaws that let third-party apps bypass Android’s permission-based security model.
Flaws in the security system could also give third-party apps access to phone numbers, contents of text messages, browsing history and information like credit card numbers and banking transactions.
The Federal Trade Commission said HTC agreed to develop and release software patches to fix vulnerabilities found in millions of HTC devices.
“The company didn’t design its products with security in mind,” Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer Protection, wrote in a blog post.
“HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices and didn’t even respond when warned about the flaws in its devices.”
It also said the settlement requires HTC America to set up a comprehensive security program when it is developing its devices, in order to avoid security risks.