Monday, 3 October 2011

Android Vulnerability in HTC Devices

The guys from Android Police have found a really bad (at least it seems so) security problem affecting multiple HTC devices running Android.

In summary, the issue allows any app that has android.permission.INTERNET, which is a pretty common permission (in fact, many apps that do not require an Internet connection still request this permission just because they run ads), to access pretty sensitive information, including:
  • location (coarse & fine);
  • account information;
  • hardware & software information (build number, kernel version etc.).
So far it seems that this is an HTC issue and not a problem of Android. Either way, it is pretty bad.

It is true that permissions are often accepted by users without much consideration (yes, dammit, just install this thing already!), and this has been a problem for Android since the beginning (live wallpapers sending private data to servers in China, anyone?).

Still, many folks (myself included) are religiously suspicious of the permissions requested by the apps they allow on their devices. So frivolously exposing information normally guarded by a dozen other permissions is a pretty bad blow for HTC. They need to fix that as soon as possible. And carriers (where involved) must push the update through the second it becomes available.

The whole story & lots of technical details here:
http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/