Smartphone Exposes Passwords

Friday, February 3, 2012 @ 11:02 AM gHale

The way some of HTC’s Android smartphones handle requests for passwords allows applications to obtain the passwords for the Wi-Fi networks the phones connect to. That means that if the application also has permission to connect to the Internet, it could take that information and transfer it to an unknown server.

Researchers discovered that applications with the android.permission.ACCESS_WIFI_STATE permission could obtain the password, user name and other settings by executing the .toString() method of the WifiConfiguration class. On most Android devices, .toString() leaves the password field blank or marks it with a “*” to show a password is set, but on the affected HTC devices, the password is in clear text.
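The two toString() behaviours described above, with a reflection-based regression check that flags a secret field rendered in clear text. This is an added example, not code from the article, Google or HTC; `NetworkConfig`, `LeakyNetworkConfig` and `leakedFields` are hypothetical names and the sample values are constructed.

```java
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

public class ToStringLeakCheck {
    // Hypothetical stand-in for a Wi-Fi configuration object (not the Android class).
    static class NetworkConfig {
        String ssid, identity;
        String preSharedKey; // the secret
        NetworkConfig(String ssid, String identity, String preSharedKey) {
            this.ssid = ssid; this.identity = identity; this.preSharedKey = preSharedKey;
        }
        // Masked form: "*" only signals that a password is set.
        @Override public String toString() {
            return "SSID: " + ssid + " identity: " + identity
                 + " PSK: " + (preSharedKey != null ? "*" : "");
        }
    }

    // Same data, but toString() writes the secret in clear text (the flawed behaviour).
    static class LeakyNetworkConfig extends NetworkConfig {
        LeakyNetworkConfig(String s, String i, String k) { super(s, i, k); }
        @Override public String toString() {
            return "SSID: " + ssid + " identity: " + identity + " PSK: " + preSharedKey;
        }
    }

    // Names of secret-looking String fields whose value appears verbatim in toString().
    static List<String> leakedFields(Object o) throws IllegalAccessException {
        List<String> leaked = new ArrayList<>();
        String rendered = String.valueOf(o);
        for (Class<?> c = o.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                String name = f.getName().toLowerCase();
                boolean secret = name.contains("key") || name.contains("password") || name.contains("secret");
                if (f.getType() != String.class || !secret) continue;
                f.setAccessible(true);
                String value = (String) f.get(o);
                if (value != null && !value.isEmpty() && rendered.contains(value)) leaked.add(f.getName());
            }
        }
        return leaked;
    }

    public static void main(String[] args) throws Exception {
        String psk = "constructed-sample-psk"; // constructed sample value
        System.out.println(leakedFields(new NetworkConfig("plant-floor", "operator1", psk)));
        System.out.println(leakedFields(new LeakyNetworkConfig("plant-floor", "operator1", psk)));
    }
}
```

A non-empty list from `leakedFields` in a unit test means the object's string form must not reach logs or other components until its toString() is masked.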


With more users in the manufacturing automation industry using Android-based smartphones, it makes sense to keep a sharp eye out for any security issues affecting these devices.

Experts found the flaw in September 2011, and researchers have been working with Google and HTC to resolve the issue. Google has changed the Android code to better protect the credentials store. It also performed a code scan of applications in the Android Market and found none that exploit the vulnerability, though this may not apply to other sources of Android applications.

HTC released updates for the affected smartphones – Desire HD (Version FRG83D, GRI40), Glacier (FRG83), Droid Incredible (FRF91), Thunderbolt 4G (FRG83D), Sensation Z710e (GRI40), Sensation 4G (GRI40), Desire S (GRI40), EVO 3D (GRI40) and the EVO 4G (GRI40).

HTC said most devices will have already received the fix through over-the-air updates, but some devices will need a manual update; the company asks users to check the help page for more information in the coming week.
