Besides “don’t download apps from sketchy sources”, one of the big rules of keeping your Android device safe is “think carefully about approving app requests for system permissions”. That latter one can be tricky to encourage, since it requires the user to do a bit of critical thinking at the time of installation; does that Sudoku-solving app you downloaded really need the ability to send SMS messages? The idea is, though, that if you are smart about granting permissions, you can stop malicious apps from taking advantage of you. Sometimes it’s not that simple, and the request of a seemingly innocuous permission can give an app more access to your phone than you’d like. That’s the case here, with news arriving today of an exploit present on certain HTC devices.
The problem on phones affected by this issue is that apps granted the ACCESS_WIFI_STATE permission can do more than simply check on the status of your WiFi connection; these models return such requests with full WiFi password details. An app with both this and internet permissions could, in theory, go about surreptitiously harvesting your stored WiFi network passwords.
Models reported to be affected include the Desire HD, myTouch 4G, Desire S, Sensation, EVO 3D, Droid Incredible, and the Thunderbolt 4G. The good news is that HTC was made aware of this problem a while back, and has been hard at work preparing updates to correct things. Most of these have already been distributed during previous maintenance releases; for the rest, HTC will have manual updates ready in the next week or so. It hasn’t said just which of those phones have already been patched, so we’ll have to wait until next week to learn who still needs to install the fix.