In its first action against a mobile device manufacturer, the Federal Trade Commission issued a proposed consent order with HTC America, Inc. for failing “to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.”
To differentiate its products, HTC develops and manufactures mobile devices and creates customized software for the Android, Windows Mobile, and Windows Phone operating systems. But according to the FTC, the company also created real security hazards for consumers.
Specifically, the agency charged that HTC failed to review or test its software on the mobile devices to detect potential security vulnerabilities, failed to provide its engineering staff with adequate training on security issues, failed to follow well-known and commonly accepted secure coding practices, and failed to formulate a process for handling security problems when the company received reports about vulnerabilities.
In one example, the FTC complaint detailed how HTC modified the Android operating system with “permission re-delegation” vulnerabilities that permitted one application to access sensitive information provided to another application that had not been given the same level of permission by the user.
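The pattern the complaint describes is a confused-deputy problem: an application that holds a dangerous permission exposes an entry point that performs the privileged action for any caller, so the caller effectively inherits a permission the user never granted it. The following added example is not HTC's code or anything from the FTC filing; it illustrates the pattern on Android with an exported service that sends SMS, first without a caller check and then hardened. The package, class and transaction names are assumptions, and SMS is used only as a representative permission-protected action.

```java
// File: UnprotectedSmsService.java (assumed name, illustrative only)
// This app holds android.permission.SEND_SMS. The service is exported and declares
// no android:permission in its manifest entry, so any installed app can start it
// and have an SMS sent with this app's privileges: the permission re-delegation
// pattern described above.
package com.example.permissiondemo;

import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import android.telephony.SmsManager;

public class UnprotectedSmsService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // No check of who sent the Intent: the privileged action runs unconditionally.
        String to = intent.getStringExtra("to");
        String body = intent.getStringExtra("body");
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
        return START_NOT_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```

```java
// File: ProtectedSmsService.java (assumed name, illustrative only)
// Hardened form. Two controls, one declarative and one at runtime:
//  1. The manifest entry requires callers to hold the same permission, so the
//     system rejects unprivileged callers before any code in this class runs:
//       <service android:name=".ProtectedSmsService"
//                android:exported="true"
//                android:permission="android.permission.SEND_SMS" />
//  2. For bound calls, enforceCallingPermission() re-checks the calling process
//     inside the Binder transaction. Context.checkCallingPermission() and
//     enforceCallingPermission() only evaluate the remote caller while a Binder
//     call is in progress, which is why the check lives in onTransact rather
//     than in onStartCommand.
package com.example.permissiondemo;

import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

public class ProtectedSmsService extends Service {
    // Assumed transaction code for the "send" operation.
    private static final int TRANSACTION_SEND = IBinder.FIRST_CALL_TRANSACTION;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code == TRANSACTION_SEND) {
                // Throws SecurityException unless the *calling* process holds
                // SEND_SMS; this app's own grant is not re-delegated to the caller.
                ProtectedSmsService.this.enforceCallingPermission(
                        Manifest.permission.SEND_SMS,
                        "caller must itself hold SEND_SMS");
                String to = data.readString();
                String body = data.readString();
                SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The declarative manifest permission is the primary control; the runtime check is defense in depth for code paths that later become reachable in ways the manifest does not cover. Reviewing every exported component (`android:exported="true"`, or an intent filter on older platform targets) for a matching permission requirement is the kind of secure-coding review the complaint says was missing.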
Millions of devices were vulnerable to malware, malicious applications, and compromised device functionality that could transmit or store sensitive and private information like the content of user text messages or financial account numbers, the FTC alleged. In addition, some of HTC’s user manuals contained deceptive representations, according to the agency’s complaint.
To settle the charges, HTC agreed to a first-of-its-kind remedy: to develop and release software patches to fix the vulnerabilities found in millions of devices. HTC “shall release the applicable security patch(es) either directly to affected covered devices or to the applicable network operator for deployment of the security patch(es) to the affected covered devices,” according to the proposed consent order. HTC must also “provide users of the affected covered devices with clear and prominent notice regarding the availability of the applicable security patch(es) and instructions for installing the applicable security patch(es).”
In addition, the company will develop a comprehensive security program focusing on the elimination of similar security risks during the development phase of HTC products. Finally, HTC is prohibited from making any false or misleading statements about the security and privacy of data on its devices and will be monitored by the FTC for the next 20 years.
The proposed agreement was published in the Federal Register and is open for public comment until March 22.
To read the complaint in In the Matter of HTC America, Inc., click here.
To read the proposed consent order, click here.
Why it matters: “The settlement with HTC America is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they ship to consumers,” the agency said in a press release about the proposed consent order. The deal also serves as a reminder to businesses about the agency’s recent efforts to regulate privacy and data security in the mobile ecosystem – such as the FTC’s release of a report recommending best practices for app developers and other industry stakeholders and an enforcement action against a mobile app provider that allegedly deceived users by collecting their personal information without notice. Continuing the agency’s focus on mobile security, the FTC has planned a public forum scheduled for June 4 to examine “the security of existing and developing mobile technologies and the roles that various members of the mobile ecosystem can play in protecting consumers.”