What's the big deal? HTC America recently settled a complaint filed against them by the Federal Trade Commission. The terms of the settlement force HTC to develop patches to fix numerous software vulnerabilities in its mobile products, including Android, Windows Mobile, and Windows Phone products.
Blah blah blah, yawn. Right? WRONG!
What makes this case interesting to software developers in the mobile and not-mobile (stationary?) worlds is the litany of issues claimed by the FTC. Among other things, the FTC claims that HTC:
- "engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security in the design and customization of the software on its mobile devices";
- "failed to implement an adequate program to assess the security of products it shipped";
- "failed to implement adequate privacy and security guidance or training for its engineering staff;"
- "failed to conduct assessments, audits, reviews, or tests to identify potential security vulnerabilities in its mobile devices;"
- "failed to follow well-known and commonly-accepted secure programming practices, including secure practices that were expressly described in the operating system’s guides for manufacturers and developers, which would have ensured that applications only had access to users’ information with their consent;"
- "failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities or respond to reported incidents."