HTC is issuing a fix for a critical security flaw in some of its Android phones that can potentially leak the devices' Wi-Fi passwords to malicious apps.
The phone manufacturer said on Tuesday that most of the affected phones "have received this fix already through regular updates and upgrades", although some people will need to manually update their handset. HTC will release a manual download for the fix next week, it said.
Affected devices include versions of the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation, Desire S and EVO handsets, according to Bret Jordan, one of the security researchers who detailed the flaw. The bug was discovered by Jordan's colleague at the Open1X Group, Chris Hessing.
Jordan published the findings on Wednesday, once HTC and Google had had a chance to fix the hole. He and Hessing first contacted the companies about the problem in September last year.
"There is an issue in certain HTC builds of Android that can expose the user's 802.1X Wi-Fi credentials to any program with basic Wi-Fi permissions," Jordan wrote. "When this is paired with the internet access permissions, which most applications have, an application could easily send all stored Wi-Fi network credentials (user names, passwords, and SSID information) to a remote server."
Jordan also noted that the vulnerability could be used for targeted exploitation of enterprise-privileged credentials, if the SSID is named in a way that identifies the enterprise. However, he indicated the problem was under control.
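The permission pairing Jordan describes (Wi-Fi access plus internet access) is what Google's Market-wide scan would have had to look for first. The script below, an added example that is not code from HTC, Google or the Open1X researchers, shows that first triage step over AndroidManifest.xml: it assumes "basic Wi-Fi permissions" maps to `android.permission.ACCESS_WIFI_STATE` and "internet access permissions" to `android.permission.INTERNET` (both real Android permission names), and the three manifests it parses are constructed samples. On a patched build the pairing is ordinary and harmless; the point is to narrow a large app inventory to the subset worth a closer look on devices that have not yet received the fix.

```python
"""Triage Android manifests for the Wi-Fi + internet permission pairing.

Added example (not HTC, Google or Open1X code). Assumption: the article's
"basic Wi-Fi permissions" is android.permission.ACCESS_WIFI_STATE and its
"internet access permissions" is android.permission.INTERNET. The manifests
below are constructed samples, not real apps.
"""
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

WIFI_READ = "android.permission.ACCESS_WIFI_STATE"
INTERNET = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def assess(manifest_xml: str) -> dict:
    """Classify one manifest by the pairing the article describes.

    high   - can read Wi-Fi state AND reach the network (exfiltration path
             exists on an unpatched build)
    medium - can read Wi-Fi state but has no network access declared
    low    - neither condition applies
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    can_read_wifi = WIFI_READ in perms
    can_reach_net = INTERNET in perms
    if can_read_wifi and can_reach_net:
        risk = "high"
    elif can_read_wifi:
        risk = "medium"
    else:
        risk = "low"
    return {
        "package": root.get("package", "<unknown>"),
        "risk": risk,
        "wifi_state": can_read_wifi,
        "internet": can_reach_net,
    }


def triage(manifests: list[str]) -> list[str]:
    """Return the package names that need a manual look, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [assess(m) for m in manifests]
    flagged = [r for r in results if r["risk"] != "low"]
    flagged.sort(key=lambda r: order[r["risk"]])
    return [r["package"] for r in flagged]


# Constructed sample manifests (no XML declaration, so they parse as str).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SAMPLE_WIFI_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifiwidget">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


if __name__ == "__main__":
    for m in (SAMPLE_FLAGGED, SAMPLE_WIFI_ONLY, SAMPLE_BENIGN):
        print(assess(m))
    print("review queue:", triage([SAMPLE_BENIGN, SAMPLE_WIFI_ONLY, SAMPLE_FLAGGED]))
```

A manifest match is only a filter: Google's scan, as Jordan describes it, went on to inspect the code of each app, and the same follow-up (what the app actually does with the Wi-Fi configuration it can read) is what decides whether a "high" entry is a real problem or a legitimate network utility.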
"Google and HTC have been very responsive and good to work with on this issue," Jordan wrote. "Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phones and side-loads for all non-supported phones."
Google has also, according to Jordan, code-scanned every app in the Android Market, and has concluded that none were exploiting the vulnerability.
Most HTC phones also had another critical vulnerability that was fixed in October last year. In that security scare, logging tools in HTC's Sense interface were exposing the data they were collecting, including phone-call and SMS records.