The Federal Trade Commission said Friday that it has settled with HTC America on charges that the handset maker did not adequately secure its handsets, leaving sensitive user information stored on smartphones and tablets at risk.
The security flaws, first noted in 2011, allowed apps that connected to the Internet to look into HTC phones’ logs and access data including call history, location data, e-mail addresses and system logs. HTC was also found to be improperly logging information from Carrier IQ, a piece of analytics software that ended up at the center of a controversy over how carriers and manufacturers collect and handle data from their customers’ mobile devices.
HTC has been working with carriers to deploy patches that fix these security holes; many consumers have already received those patches.
The agency charged that HTC America did not adequately test and review software on its mobile devices for these vulnerabilities, leaving its devices open to malicious applications, which in turn could use access to the devices to collect information about everything from a user’s location to e-mails and text messages.
The FTC complaint also alleges that HTC used deceptive practices in obtaining users’ consent to collect and share data, as the security flaws “undermined consent mechanisms” in users’ phones.
HTC has agreed to establish a comprehensive security program and is prohibited from making false or misleading statements about its security.
In a statement, the company said that it is working with carrier partners to patch the security holes.
“Privacy and security are important, and we are committed to improving practices that help safeguard our customers’ devices and data,” the company said. “We’re working to roll out the remaining software updates now and recommend customers download them once available.”