WASHINGTON Feb 22 HTC America, which makes
smartphones and tablets that use Android and Windows software,
will settle a U.S. regulator's charges it failed to take
adequate steps to eliminate security flaws that put millions of
users' data at risk.
The Federal Trade Commission said on Friday that HTC
America, a subsidiary of HTC Corp in Taiwan, made millions of
phones with programming flaws that allowed third-party
applications to evade Android's permission-based security model.
This means that the Android operating system, which normally
requires users be provided notice if sensitive data is given to
third parties like data brokers, was prevented from giving
notice to users, according to the FTC.
Sensitive data includes location or the contents of text
messages. The settlement requires the company to establish a
comprehensive security program and patch the software holes.
HTC spokeswoman Sally Julien said the company, working with
carrier partners, has addressed the identified security issues
on majority of devices released in the United States after
"We're working to roll out the remaining software updates
now and recommend customers download them once available,"
The regulator said in a statement that HTC America "failed
to provide its engineering staff with adequate security
training, failed to review or test the software on its mobile
devices for potential security vulnerabilities (and) failed to
follow well-known and commonly accepted secure coding
It said millions of HTC devices were compromised,
"potentially permitting malicious applications to send text
messages, record audio, and even install additional malware"
without the knowledge or consent of the user.
In a Twitter question-and-answer session, the FTC said that
while the HTC America case was not the first on data security
unfairness, it was the first that dealt with software security.