The Federal Trade Commission said HTC agreed "to develop and release software patches to fix vulnerabilities found in millions of HTC devices."
No financial penalty against the company was announced.
The FTC said it investigated allegations that HTC "failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk."
The settlement requires HTC America "to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years," the statement said.
An FTC complaint filed at the same time as the settlement said HTC, which makes devices using both Microsoft Windows and the Google Android operating systems, made modifications to software which sacrificed security.
In some instances, the complaint said, HTC "undermined the Android operating system's permission-based security model."
The flaws could allow hackers to introduce malware which could "surreptitiously record phone conversations or other sensitive audio, to surreptitiously track a user's physical location, and to perpetrate 'toll fraud,'" a practice of sending text messages in order to collect fees, the FTC said.
The FTC said that malware could also be used to steal financial account numbers or medical information stored on the devices.