The US Federal Trade Commission (FTC) approved a settlement following charges that HTC’s US arm had “failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers”, which put sensitive information from millions of customers at risk.

The agreement, which was first announced in February 2013, requires HTC to develop and release software patches to fix vulnerabilities in affected devices. It also obliges the vendor to “establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years”.

Earlier this year, the watchdog said that while HTC had customised the Android, Windows Phone and previously Windows Mobile software used in its devices in order to differentiate its products, it “failed to employ reasonable and appropriate security practices in the design and customisation of the software on its mobile devices”.

This included making changes which “undermined the security protections built into the Android operating system”, with HTC’s pre-installed (and non-removable) apps providing a back-door by which third-party apps could access a range of device features – including the microphone and location services.

Also noted was the “insecure implementation” of two logging applications – Carrier IQ and HTC Loggers – which saw data transferred via insecure communications methods.

According to the watchdog, more than 18 million devices have been affected by the issue.

The FTC said that this is the first time it has acted against a device maker.