HTC settles FTC charges over device security

HTC America has agreed to send out a fix for potential security vulnerabilities in its handsets as part of an agreement with the FTC.

HTC America has agreed to settle Federal Trade Commission (FTC) charges that the company failed to take "reasonable steps" to secure software it developed for its smartphones and tablets, introducing security flaws that placed sensitive information about millions of consumers at risk.

HTC America has promised to patch handsets that were left vulnerable to security risks as part of its settlement (PDF) with the FTC.

It also agreed to develop an ongoing security program designed to address security risks during the development of its handsets, and to undergo independent security assessments every two years for the next two decades.

"The Commission charged that HTC America failed to employ reasonable and appropriate security practices in the design and customisation of the software on its mobile devices," the FTC said in a statement.

The FTC said the patches are already being rolled out by HTC and operators in the US.

The FTC complaint alleged that HTC America had "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties."

The FTC also detailed specific handset issues including "the insecure implementation of two logging applications - Carrier IQ and HTC Loggers - as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model," the watchdog added.

In reaching the settlement, HTC America neither confirmed nor denied any of the allegations put forward by the FTC.

"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available," HTC said in a statement.

HTC devices that shipped running Android 4.0/Sense 4 software (or later) already include the security fix.