The Federal Trade Commission previously accused HTC America, a subsidiary of the major smartphone manufacturer based in Taiwan, of failing to take necessary steps to secure the software and operating systems on its smartphone devices. The FTC reached a settlement with HTC America, under which the manufacturer will have to create and deploy software patches to millions of its devices that are vulnerable to attacks from malicious programs. Moreover, HTC’s devices and software will have to be subject to an independent security audit for the next 20 years. This security review will take place every other year.
The accusations leveled against HTC by the commission included that HTC ignored security practices and standards, and did not bother to respond to or fix the flaws even after it was notified about them. HTC was also accused of misleading customers and giving them a false sense of security. The FTC went on to imply that security was never a major design consideration for the smartphone manufacturer. According to a statement from the FTC, the engineers employed by HTC America did not have sufficient training in secure coding techniques, and the company did not have a system in place that checked the software and the operating system for possible security vulnerabilities. There wasn’t even a means for receiving and acting on reports of possible vulnerabilities from various third-party agencies, the FTC said.
Not only were the apps designed by HTC insecure by themselves, some of them also allowed other third-party software to bypass the security measures in place in the operating system. Google’s Android operating system, as well as many other operating systems, employs a permission-based system of security, where a user has to agree to give third-party applications access to personal information or specific phone functions. What HTC did was grant certain pre-installed and non-removable applications access to phone functions and stored personal information without the consent of the user. HTC also had a pre-installed app that had the capability of installing other apps while completely bypassing the permission-based security features of the OS.
Though it is unclear how many users were affected by these vulnerabilities, this is the first time that the FTC has leveled accusations against a manufacturer citing security issues. The orders, issued a couple of weeks ago, are on a mandatory 30-day hold period, which allows for public opinions and comments on the matter.