HTC breach a reminder on mobile security

HTC's rapid acknowledgment of a confessed "serious" security exploit, discovered and published this week by security researchers, may ultimately help deflect criticisms

It's hardly the kind of thing any company wants attached to its name, but HTC's rapid acknowledgment of a confessed "serious" security exploit, discovered and published this week by security researchers, may ultimately help deflect criticisms and will, regardless, serve as a valuable reminder to CSOs that mobile devices represent a new and still-evolving security threat within the enterprise.

That's the consensus after the bug was published by researchers Trevor Eckhart, Justin Case and Artem Russakovskii, who contacted HTC with news of the vulnerability they had discovered and waited five days without a response before pantsing the company in front of the security and mobile worlds.

The resulting admission involved the kind of PR contrition that no company wants to have to face, but the fast-growing Taiwanese mobile maker has subsequently rushed to patch its Sense user interface to prevent exploitation of the bug, which allows malicious apps to obtain information including user details, calling history, SMS logs, and more.

HTC Australia declined to speak about the bug, offering only its standard statement that

"in our ongoing investigation into this claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application … potentially acting in violation of civil and criminal laws … As always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."

The fact that the bug was exposed before HTC had time to fix it left some security commentators incensed and more than a little concerned, but CSOs may find temporary consolation in the relatively low penetration of Android handsets in Australian businesses.

While IDC Australia's latest Mobile Device Tracker research suggested Android phones were our second most-popular smartphones, with 30 percent market share behind the nearly 40% market share of Apple's iPhone, surveys indicate that the iPhone has a much larger presence within businesses.

A recent survey by Intermedia, whose ActiveSync hosted mail service supports a range of devices, suggested the iPhone accounted for 61% of smartphones in businesses and Android just 17% (for the record, Apple's iPad outranked Android-based competitors by 99.8% to 0.1%). These figures aren't likely to be helped by the ongoing discovery of vulnerabilities in Android smartphones, which have suffered a flood of security breaches as a 400% year-on-year surge in the volume of Android malware keeps Google – and businesses in the field – on their toes.

Could the ongoing spate of vulnerabilities damage Android's credibility with enterprise security executives? Yee-Kuan Lau, market analyst with IDC Australia, isn't entirely convinced.

"It would be too precipitous to say Android-based smartphones are not appropriate for business usage as a result of this one incident," she explains.

"Every platform has inherent security risks and this will be no different for Android as for other mobile OSes. Organisations should be utilising a range of security solutions to ensure secure access to apps and data regardless of the kind of device that is chosen. The question of appropriateness for business comes down to the organisations' goals and ICT imperatives."

It could take a while for the industry to catch up, however. New solutions such as Symantec's Data Loss Prevention for Tablet are designed to let security staff restrict the flow of information from iPads, which have emerged as another significant mobile data hole, much like USB memory sticks.

Symantec debuted its iPad version of the software this week, but it will be next year before an Android equivalent debuts; in the meantime, CSOs contemplating management of Android will have to rely on more conventional techniques such as careful patching, user education – and, of course, the regular crossing of fingers.

Stories by David Braue