HTC settles FTC charges over device security

Summary: HTC America has agreed to send out a fix for potential security vulnerabilities in its handsets as part of an agreement with the FTC.


HTC America has agreed to settle Federal Trade Commission (FTC) charges that the company failed to take "reasonable steps" to secure software it developed for its smartphones and tablets, introducing security flaws that placed sensitive information about millions of consumers at risk.

HTC America has promised to patch handsets that were left vulnerable to security risks as part of its settlement (PDF) with the FTC.

It also agreed to develop an ongoing security program designed to address security risks during the development of its handsets, and to undergo independent security assessments every two years for the next two decades.

"The Commission charged that HTC America failed to employ reasonable and appropriate security practices in the design and customisation of the software on its mobile devices," the FTC said in a statement.

The FTC said the patches are already being rolled out by HTC and operators in the US.

The FTC complaint alleged that HTC America had "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties."

The FTC also detailed specific handset issues including "the insecure implementation of two logging applications - Carrier IQ and HTC Loggers - as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model," the watchdog added.

In reaching the settlement, HTC America neither confirmed nor denied any of the allegations put forward by the FTC.

"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available," HTC said in a statement.

HTC devices that shipped running Android 4.0/Sense 4 software (or later) already include the security fix.

Ben Woods

About Ben Woods

With several years' experience covering everything in the world of telecoms and mobility, Ben's your man if it involves a smartphone, tablet, laptop, or any other piece of tech small enough to carry around with you.

  • It is reassuring to see that at least some steps are being taken

    To protect users. "Reasonable precautions" is always subjective, but it is good to see that tech companies shipping products in America are required to take basic steps to protect their users from serious security flaws

    ... Soo, anyone know if Oracle deploy Java in the States?? ;)
  • 18 Million HTC devices at Risk NOW!
    Neel Gupta