On Wednesday, LockerGnome reported recent news that software developed by a company called Carrier IQ was tracking your every move on your Android device, from keystrokes to taps on the screen.
However, today more information has come to light regarding what the software is actually doing. When YouTuber Trevor Eckhart released his video allegedly showing Carrier IQ’s software tracking and logging everything users do on their device and claimed that the company was able to gain access to users’ private communications, people were infuriated (with good reason, of course). We trust our phones and carriers to deliver our messages to their recipients without them being compromised in any way, and the idea that there is software logging everything you do is absolutely horrifying.
Carrier IQ tells a different tale. According to the company, the software “does not record, store or transmit the contents of SMS messages, email, photographs, audio, or video.” Well great, who do we trust, a 25-year-old system administrator or this company that is allegedly recording the actions you perform on your phone?
Luckily, security researchers are siding with Carrier IQ today, disagreeing with the conjecture made from the analysis performed by Eckhart.
“It’s not true,” said Dan Rosenberg, a senior consultant at Virtual Security Research, who stated that the video only shows diagnostic output and at no time suggests that the data is stored or sent back to Carrier IQ. “I’ve reversed engineered the software myself at a fairly good level of detail,” Rosenberg said. “They’re not recording keystroke information, they’re using keystroke events as part of the application.”
Before jumping the gun and saying “Hah! They’re still watching ‘keystroke events’ so they’re still spying on us,” keep in mind that there is a distinct difference between recording keystrokes and listening for keystroke events. All computer programs listen for input events in order to perform an action to respond with. Listening for a button press or a tap to the screen does not mean the software is recording the input and relaying it back to Carrier IQ.
I’ve seen the video in question. What Carrier IQ’s software is doing is the equivalent of what I might do in my own apps. Either the company is using it for debug output to test its software, or it’s solely used to measure performance of the device and send it back to carriers and manufacturers. It’s not invading your privacy; it’s just trying to make your experience better.
Rosenberg said his look at the Carrier IQ program revealed “a complete absence of code” that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.
“It’s just spitting debug messages to the internal Android log service,” said Jon Oberheide, a co-founder of Duo Security. “It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages, or Web browsing session content are being transferred off the device.”
In fact, The Verge reports that the Carrier IQ software can be found in Apple’s iOS devices. However, it is easily disabled and also agrees with what security researchers are saying about the software included on Android devices in that it does not appear to actually send any sort of private information to a remote server.
The initial rumors of what Carrier IQ’s software might have been doing raised plenty of alarms, but for now it looks like those conclusions were premature. I agree with the security researchers, and what’s more, I ask now that everyone have just a little more faith in developers from this point on. Most of them simply want to improve their software and, as a result, your experience using the device.
You can read Carrier IQ’s updated statement regarding this matter for yourself.
Source: LA Times