Poor old HTC, once the darling of the Android set: they just can’t seem to put a foot right these days. Lackluster phones that resolutely stuck to its Sense version of Android when even Samsung, the acknowledged masters of stupid ugly bloatware, were slimming down, and even an attempt to corner the non-existent Windows Phone market, left it in deep financial doo-doo. Their shares have dropped by 60% so far this year, and this leaves the company’s market capitalization lower than its actual cash reserves, meaning the phones, factories, offices and brand equity are worth nothing.
Well, much as I hate to kick a guy when he’s down, there’s more bad news. Four researchers from FireEye presented a paper called “Fingerprints On Mobile Devices: Abusing and Leaking” at the recent Black Hat security conference in Las Vegas, which revealed that the HTC ONE Max stored data from its fingerprint sensor as a simple bitmap file in an unsecured folder. Yes, you read that right: while the image is slightly obscured by being in a non-standard format, it was simple to rearrange it into a clear image of your fingerprint.
This means that, given about 30 seconds with your phone, I could nab the file, email it to a third party and get a copy made that would give me access to everything you thought was secure. And that’s just me, not a hacker, not a software exploit writer, just a dumb fool who knows how to use a file manager on Android.
It’s not clear if the release of Android 5.2, which has native support for fingerprint readers, will close all the vulnerabilities this report warns of, but you’ve got to hope that nobody at Google is stupid enough to store secure data in this way. As for HTC, you have to wonder if they will ever recover their preeminent position in the Android world if they keep making facepalm-inducing errors like this.
Oh, and if you have the HTC ONE Max, you’ll probably want to put some extra security on it.