The Federal Trade Commission has won a settlement against HTC America after filing a complaint that the company failed "to take reasonable steps to secure software" in its Android, Windows Mobile and Windows Phone smartphones and tablets.
As part of the settlement, HTC America, whose parent company is based in Taiwan, is required to create and push out software patches to its millions of devices, and is subject to independent security assessments for the next 20 years.
"The company didn't design its products with security in mind," the official FTC blog stated.
The FTC complaint alleged that HTC's products simply were not designed to be secure, and that the company ignored standard industry practices and failed to fix security weaknesses even after being made aware of them.
It accused the company of unfair security practices and deceiving customers.
"HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure-coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties," the FTC said in a statement.
"HTC introduced numerous security vulnerabilities that malicious apps could exploit to gain access to sensitive data and compromise how the device worked," said the FTC blog posting.
Not only were HTC's products insecure in and of themselves, the FTC alleged, but HTC also let third-party apps circumvent some of the security protections built into the Android mobile platform.
Through a process known as "permission deregulation," HTC allowed pre-installed apps to access certain device functions without first asking for the user's permission.
Those device functions included the microphone and camera. It is easy to see why granting third-party apps access to those functions without the user's knowledge could be problematic.
"HTC Android-based devices undermined consent mechanisms that would have otherwise prevented unauthorized access or transmission of sensitive information," the FTC's statement said.
Even worse, the FTC blog stated, "HTC pre-installed a custom app that could download and install apps outside of the normal Android permission process."
This case represents the first time the FTC has ordered a company to create and push out software fixes as part of a settlement. It is also the first time the consumer-protection agency has gone after a mobile-device company over security concerns.
The order, issued Feb. 22, is on hold for 30 days pending a mandatory period to allow for public comment.