Since Wi-Fi permissions are almost always related to Internet access permissions, a malicious application could easily obtain usernames, passwords and SSID data and send them to a remote server.
Among the affected devices, the experts name Desire HD, EVO 3D, EVO 4G, Sensation 4G, Droid Incredible, Glacier, and Thunderbolt 4G. Nexus One and myTouch3G are not affected.
The issue is represented by the fact that while viewing the settings with the .toString() member of the WifiConfiguration class, the resulting output doesn’t leave the passwords field blank, nor does it replace the password with “*” signs to show it is present.
Instead it displays the actual passwords in clear text, making it available for every application that knows where to look for it.
The vulnerability, catalogued as critical, was disclosed via email and telephone to HTC Global and Google on September 7, 2011. The same day other key government agencies and CERT were notified.
During the same month Google and HTC verified the exploit and maintained contact with the researchers and a few days ago HTC publicly disclosed the issue.
“Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phone and side-loads for all non-supported phone,” the researchers write.
Google also scanned the Android Market for applications that may exploit the vulnerability and found none.
HTC reports that the fix was automatically received through regular updates and upgrades by most phones, but some users need to deploy the update manually. The company advises users to check back on the website in the course of next week for further details.