On Friday, the Federal Trade Commission (FTC) announced that it had reached a settlement (PDF) with HTC over notable security holes in millions of its tablets and Android handsets. HTC has now agreed to provide a patch within 30 days and be subject to a security review for the next 20 years.

“Because of the potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm,” the agency wrote in its complaint (PDF).

The agency also alleged that HTC’s user manuals “contained deceptive representations.” The FTC said that the Tell HTC application, which lets users report errors to HTC, does not actually allow users to opt out of sharing their location, despite a displayed option to do so.

Among other flaws, HTC’s phones also included a preinstalled HTC custom voice application. The voice vulnerability in particular, according to the FTC, “if exploited, would provide any third-party application access to the device’s microphone, even if the third-party application had not requested permission for that functionality.”

As the agency wrote in its own original complaint: