The Federal Trade Commission recently announced that it had settled with cell phone maker HTC America over charges that the manufacturer did not adequately secure the software in its smartphones and tablets, placing millions of consumers at risk. As a result of the decision, HTC will be required to issue patches and adhere to stricter security controls during future coding. The settlement marks the first time the FTC has intervened over an issue with software security.
Assessing the vulnerabilities
The FTC charged that HTC America did not use "reasonable and appropriate security practices" in the design and coding process of its mobile device software. Specific complaints included failures to train engineering staff on security concerns, to implement testing or source code analysis for security vulnerabilities, to follow established secure coding procedures detailed in the relevant operating system guides and to establish a process for receiving and addressing vulnerability reports from third-party researchers.
Due to the lack of these measures, the manufacturer's devices, which run the Windows and Android operating systems, were exposed to a number of vulnerabilities. These included insecure implementations of two logging applications, Carrier IQ and HTC Loggers, as well as flaws that would allow third-party applications to circumvent standard Android security controls.
"Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer's device, all without the user's knowledge or consent," the agency noted in a press release, adding that malware could also be used to transmit sensitive personal information such as geolocation data or financial account numbers.
The FTC also claimed that HTC misrepresented its device security in its user manuals and undermined consent settings that would normally have prevented the transfer of restricted information.
A lasting settlement
The settlement agreed upon requires HTC America to develop and release patches for the existing vulnerabilities. Additionally, the company must create a "comprehensive security program" to strengthen its development process. To ensure this program is adhered to, HTC will be expected to undergo an independent security assessment every other year for the next 20 years. The company is also prohibited from making any false or misleading statements about the security of its devices or the privacy of customer data.
By intervening in this type of software security issue, the FTC has established that it is paying attention to one of the most critical cybersecurity issues at present, FierceCIO editor Caron Carlson wrote. She noted that the FTC has said it will continue to pursue initiatives encouraging vendors to secure their products, and she highlighted the fact that other manufacturers are likely making errors similar to those for which HTC America was charged.
"What's most vital to me about the HTC America settlement is the requirement to deal with security risks from the outset when designing new devices," Carlson wrote. "This is a sensible and far-sighted requirement. Unfortunately, HTC America is far from alone in its failure to bake security into product development. One can only hope that other vendors will be called to task as well."
Vendors can build more security into the development process by adopting tools such as static analysis software, which offers a relatively low-cost way to catch errors before code is released. The FTC suggested that HTC could have prevented the vulnerabilities with a few simple permission checks at the end of its coding process, protecting millions of users as a result. By implementing source code analysis tools, manufacturers can avoid a similar regulatory incident and the associated fallout.
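The "simple permission checks" the FTC refers to are the kind that stop a third-party app from borrowing a pre-installed app's permissions by routing requests through one of its exported components. The following is an added illustration written for this article, not code from HTC, the FTC, or Klocwork; the class name MessageProxyService, the transaction code, and the Parcel layout are assumptions made for the example. It shows an exported Android service that sends a text message on a caller's behalf, with the missing check added so that only callers that themselves hold SEND_SMS can use it.

```java
// Added example, not HTC's or the FTC's code. Names are hypothetical.
// An exported service in a privileged (pre-installed) app. Without the
// caller check, any third-party app that can bind to it could send SMS
// using this app's own permission grant. The check below ties the action
// to the *caller's* permissions instead.
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

public class MessageProxyService extends Service {

    // Hypothetical transaction code for the "send text" request.
    private static final int TRANSACTION_SEND_SMS = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_SEND_SMS) {
                return super.onTransact(code, data, reply, flags);
            }

            // The permission check the FTC complaint says was absent.
            // checkCallingPermission() evaluates the Binder *caller's* identity,
            // so a third-party app cannot piggy-back on this app's own grant.
            if (MessageProxyService.this.checkCallingPermission(Manifest.permission.SEND_SMS)
                    != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException(
                        "caller uid " + Binder.getCallingUid() + " lacks SEND_SMS");
            }

            // Only reached by callers that hold SEND_SMS themselves.
            String destination = data.readString();
            String body = data.readString();
            SmsManager.getDefault().sendTextMessage(destination, null, body, null, null);
            reply.writeNoException();
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The same protection can be declared statically by adding android:permission="android.permission.SEND_SMS" to the service's manifest entry, which makes the framework refuse the bind before any code runs; doing both is the usual practice, and a static analysis rule that flags exported components with no permission attribute and no in-code caller check is exactly the kind of automated check the article has in mind.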
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.