The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices, and to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.
Among other things, the Commission's complaint alleged that HTC failed to:
- provide its engineering staff with adequate security training
- review or test the software on its mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties.
Due to these vulnerabilities millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumerís device, all without the userís knowledge or consent.
The FTC alleged that malware placed on consumersí devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries concerning doctorís appointments. In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the userís geolocation information and the contents of the userís text messages.
Moreover, the complaint alleged that the user manuals for HTC Android-based devices contained deceptive representations, and that the user interface for the companyís Tell HTC application was also deceptive. In both cases, the security vulnerabilities in HTC Android-based devices undermined consent mechanisms that would have otherwise prevented unauthorized access or transmission of sensitive information.
The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumersí data on HTC devices. HTC America and its network operator partners are also in the process of deploying the security patches required by the settlement to consumersí devices. Many consumers have already received the required security updates.