HTC EVO 4G: Nice Hardware, Horrible Sprint Software

UPDATE: Sprint’s OTA release last night fixes the serious vulnerability we reported to them. Kudos to them for moving so quickly. As an end-user, you’ll have to decide between being more secure with the OTA update or having root access to the device you own for now.

In the comments, Sean Doherty says:

We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability. Users can install this update by going to Settings > System Updates > HTC Software Update on their EVO and following the instructions as prompted.

Sprint moved swiftly to make sure this was addressed.

Sean Doherty
Sprint Corporate Communications
@srdoherty


As you might know, I’ve been poking around in the guts of the HTC EVO with some other developers during the last few weeks of early EVO ownership looking to get access to root. It turned out to be fairly easy – a few hours into the investigation and we had access to root.

It turns out that this is a really, really bad thing for users. The Sprint customizations of Android are so bad that an Android application could get access to all of your data with very little work. It’s so bad that I would not recommend purchasing the Sprint EVO or Hero.

You are putting your data at risk of theft from not just one vulnerability (the one we’re releasing tomorrow), but a whole suite of vulnerabilities!

The hardest part of this is that we’re now in competition with Sprint trying to keep root access to the phone, so the idea of “responsible disclosure” works against what you’re trying to do. If end-users had full access to the phone, we’d be sending these vulnerabilities straight to Sprint. Since Sprint has decided to take the anti-user approach and lock down the phone, we’re basically holding all of these exploits close to our chest.

It hurts me to say this, but to help users take control of hardware they own, we have to expose them to security holes.

To handset manufacturers and carriers: if you give users the freedom to customize their devices, we’ll work with you directly to make sure those same users aren’t vulnerable out-of-the-box. Be more like Google and less like Apple and you’ll get an army of white-hats working to improve your product.

To end-users: choose phones that don’t make you jump through hoops to take control like the Nexus One. You bought it, it should be yours to hack and customize.

We’ll be releasing the unrevoked exploit tomorrow, but holding the details for a week or so. It’s such a blatant and dangerous hole that we felt that responsible disclosure was our only choice.

For the record, both Google and Sprint have been very proactive in plugging this hole. It would, however, be a lot easier for all parties involved if these devices weren’t locked down and we were all working to improve the user’s experience instead of building better mice and mousetraps.

35 Responses to “HTC EVO 4G: Nice Hardware, Horrible Sprint Software”

  1. Hetal Patel says:

    Please don’t release that exploit’s information

    We want a Nexus One-type unlocked bootloader, but Sprint, Verizon and HTC are more like Apple nowadays

    @Google Where is your Open Soul?

    • nickchop says:

      They tried to sell something open, but people didn’t want it. It was called the Nexus One. They complained that the carriers didn’t want it, and that it wasn’t available in stores and supported. But that’s what the carriers do, and your phone’s soul is the price. It’s the people who didn’t buy a Nexus One’s fault.

  2. Matt,
    What you are saying is VERY scary. I am just savvy enough with hacking phones to be able to follow instructions and do the necessary tweaks (like unlocking my HTC Touch Pro2 to run a cooked ROM of Windows Mobile), but that’s about the limit of my understanding of the innards of the device.

    Question for you: will I still have that same vulnerability if/when I root the EVO and install Froyo? Or is this issue strictly related to the current 2.1 build that is on the EVO?

    Nervously awaiting more details…

    Matt

    • I’ve heard (unconfirmed!) that the current Froyo zip for EVO *may* have a suid sh rather than using the superuser application. You’ll have to tweak the image to swap in the safe version of su. At that point, you’ll be *way* more secure than the stock EVO.

      The one-click root we’re releasing will make you somewhat safer (and install a safe version of su).

      • Nicia says:

        Hello,
        I had the one-click root working but then my friend used my phone
        and updated it using HTC update. I tried to use the root again but it fails.
        Is there an update to the one-click root? How can I get root again after the
        HTC update that was done to my phone?
        Please HELP

  3. JJ says:

    Will your one-click root require a wipe/factory reset?

    • Matt says:

      Nope. It (currently) runs once per reboot. No need to wipe.

      • joypunk says:

        So ‘unrevoked’ will root the device but everything (including Sense) stays on the phone?

        This will be my first Android phone. I’m savvy enough to figure things out, but I’m pretty naive at this point. Haven’t had my grubby paws on a device to learn with yet.

        • Matt Mastracci says:

          Correct. You get su, that’s all for now. You can use that su to tweak other things like hiding sprint apps/etc.

  4. Mike says:

    Will unrevoked have the problems that other exploits have? I mean, will it disable 4G or not allow the use of protected apps?

    • Matt Mastracci says:

      The root changes as little as possible. I didn’t run into any problems with any of the installed software.

  5. TB says:

    I noticed that you didn’t say anything about the Samsung Moment when you recommended not buying the EVO or the Hero. Does that mean it could be an HTC/Sense issue? I ask because I have an HTC Incredible with Verizon and this has me very weary. Thank you for your time and effort!

  6. jonathan says:

    Will your exploit allow writing to system from Android?

    • Matt Mastracci says:

      Not yet. You can, however, bind mount parts of system to change them, but it won’t stick between reboots.

  7. Adam says:

    Matt, really glad you guys are pointing out the security flaws to sprint/google. Even more glad you are helping us root ;) Can’t wait -keep hitting ‘refresh’ ‘refresh’ on the teaser site hoping the details pop up. Will you have any kind of mailing list to update your fans, err, evo users on the progress of writing to the system as well as other improvements, etc.? Thanks for everything!!!

  8. Bulls729 says:

    The current “evorecovery” found at XDA will be compatible with this one step root correct?

  9. Sam_A says:

    What’s up with the tweets from the iPhone? I thought you guys were for open platforms? When’s the iPhone hack coming?

    • Tweetie for Mac shows up as Twitter for iPhone on Twitter now. Weird. I was wondering why everyone was telling me that (since I use Echofon on my iPhone).

  10. Faker says:

    So looks like they already patched your “exploit”. Seems to me like sprint was AHEAD of the game. They have it patched before the phone was released to the public, that’s all that matters.

    • This exploit has been in the wild on the HTC Hero for a while now. They pushed the same OTA to Hero last night to fix it. All of this happened after we reported it.

  11. Sean Doherty says:

    We want to reassure everybody about some questions that have been raised about HTC EVO 4G.

    We have a software update being deployed that corrects an issue with some MicroSD cards and also deploys a patch that will fix a potential security vulnerability. Users can install this update by going to Settings > System Updates > HTC Software Update on their EVO and following the instructions as prompted.

    Sprint moved swiftly to make sure this was addressed.

    Sean Doherty
    Sprint Corporate Communications
    @srdoherty

  12. ken says:

    Can someone tell me if data can be recovered from an iPhone SIM card? Pics, texts, etc.

  13. IPvFletch says:

    What build # is the original (rootable) build and what build # is the OTA update? Thanks!

  14. KIRk Out!! says:

    will this work to partition the SD card so that I may install more apps directly to the SD card?

  15. eddiecee says:

    So, just bought my EVO. Anybody out there who has installed the root having ANY problems at all? What is the whole “goldcard” business about? Should I make a “goldcard” first as suggested by a website? Can I just do the “unrevoked” download without doing anything else? Why are there sooooo many sites out there giving instructions on how to do this? Which is the MOST reliable and easy to follow link?

    This is my first droid. When Froyo comes out as a release to the public (without all this hacking) would it be exactly the same as what “unrevoked” is trying to accomplish? Would I be able to install the published Froyo on my phone even with this current hack?

  16. Angel says:

    ok I bought the HTC EVO today. so what is my next step.

    1. is there a 2.2 system update?
    2. how do I secure my phone?

  17. browse says:

    They’ve published the method that powered the original unrevoked: A trojan horse shipped in the Sprint software that allowed full root-level control of the phone.

    http://www.unrevoked.com/rootwiki/doku.php/android_security

  18. Hey! Archos tablet is simply wonderful!! I purchased one a couple of days ago and luv every moment..

  19. Hey! This new HTC 4G looks nice!!! I’m really wanting to get this mobile, I think Android is much better than the iOS IMO so I think that’s the telly for moi :)

  20. Only things of issue are 1.) alarm clock got no pop up to dismiss or snooze the first time I used it. It’s been great since then but wow- that was interesting. Had to turn it off to stop the song! 2.) One day, all my imported (at Sprint store) contacts disappeared. Only the ones I had hand loaded directly remained. I lost ~ 113 names, numbers that I have no plan how to get back. They are not in my gmail or anything..

  21. jamaica 127 says:

    Hi Guys>> jus wanna know can u root an evo 4g with a firmware of 1.1473 etc… and if so, with what? trying 2 get all apps if poss..