Dan Rosenberg Reverse Engineers Carrier IQ Software, Says “Please Don’t Jump To Conclusions Based On Incomplete Evidence”
Please forgive us if Carrier IQ seems to be a constant item in newsreels around the world lately. However, we think it’s kind of important, so we’ll do our best to summarize the topics surrounding it. If you’re not familiar with what Carrier IQ is or does, check out the summary by our own head honcho, Rob Nazarian, here. In recent news, Android hacker and pro security buff Dan Rosenberg performed his own inductive study by reverse engineering Carrier IQ’s software. Here’s what he found:
Dear Internet,
CarrierIQ does a lot of bad things. It’s a potential risk to user privacy, and users should be given the ability to opt out of it.
But people need to recognize that there’s a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn’t happen). After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data. There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!”. Based on what I’ve seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes. Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur. But all the recent noise on this is mostly unfounded.
There are plenty of reasons to be upset about CIQ, but please don’t jump to conclusions based on incomplete evidence.
Regards,
Dan Rosenberg
So, what about Trevor Eckhart’s video showing off an Evo 3D with Carrier IQ in action? Obviously, no one is denying that the software is there. However, according to Android Central’s Jerry Hildenbrand, a programming guru, “The best we can figure is that HTC has exposed those events to the log while sending it as anonymous metric data to the Carrier IQ app.” And even then, there’s still no proof or evidence that users’ data is sent anywhere else.
A common theme our readers should understand with all of this, however, is that whether or not Carrier IQ is the particular software of choice on a mobile device, there is still “something” on our smartphones logging this info. And though we’d love for carriers and OEMs to make this obvious up front, it’s not going to go away anytime soon. It’s simply business. Most people will just tell you that if you don’t like it, don’t use that particular carrier. And it’s as simple as that if you think about it. The problem is we love our smartphones too much to ever give them up for something like this. In addition, if you’re really serious about removing the software, there’s always the dev community. You can download a custom ROM like CyanogenMod, which will be Carrier IQ free. If you’re not sure whether or not your device supports Carrier IQ, you can always check out the Voodoo Carrier IQ Detector. We’d love to hear your opinion on this, so feel free to chime in in the comments below.
