Header graphic for print
Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HTC America Settles FTC Charges It Failed to Secure Mobile Devices

Posted in Data Security, Federal Trade Commission, Mobile, United States

Mobile device manufacturer HTC America has settled Federal Trade Commission (“FTC”) charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.  The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in the HTC devices.  The settlement also requires the company to establish a comprehensive security program designed to address security risks relating to the development of HTC devices and to undergo an independent security assessment every other year for the next 20 years.

HTC America develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems.  The FTC charged that the company failed to employ reasonable and appropriate security practices in both the design and customization of the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to: provide its engineering staff with adequate security training; review or test the software on its mobile devices for potential security vulnerabilities; follow well-known and commonly accepted secure coding practices; and establish a process for receiving and addressing vulnerability reports from third parties.

Because of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications—Carrier IQ and HTC Loggers—as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.  Due to these vulnerabilities, the FTC charged that millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device without the user’s knowledge or consent.