The security defect allows any app with permission to view WiFi network data stored on the handset, including passwords, to send this information to a remote server.
In the worst-case scenario, a malicious app could give anyone who wants it access to your WiFi network, and they could in turn use that access to monitor activity and steal your identity.
According to the manufacturer, the handsets that may be affected by this flaw are limited to the Sensation, Desire S, Desire HD, Glacier, DROID Incredible, Thunderbolt and most of the Desire and Evo ranges. HTC assure customers that many of these devices have already been corrected with automatic software updates, but some will need to install a patch directly to fix the issue.
Worryingly, it would seem that HTC have been onto this breach in security since September when researchers first notified them, but have kept it quiet until they and Google had a fix ready to go. Defending this decision, the Taiwanese company has said:
“HTC takes customer data security very seriously. If there is a known breach of sensitive customer data, our priority is customer notification along with corrective actions. It is our policy, and industry standard procedure, to protect customers, which sometimes necessitates not increasing data security risks by disclosing minor breach issues where no malicious applications are detected. In those cases, premature disclosure of vulnerabilities could spur creation of malicious apps to take advantage of any vulnerability before it is fixed.”
So far it seems that it’s only Android models that may be at risk, and Windows 7 handsets are probably not affected.
In a reassuring statement up on their help section, HTC have said:
“HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.”
HTC haven’t yet revealed which handsets will require the manual fix, but any users who are worried they may be at risk should check their model here for updates and instructions when the patch lands over the next few days.