Carrier IQ Might Not Be Spying on Your Android Device, After All

Carrier IQ Might Not Be Spying on Your Android Device, After AllOn Wednesday, LockerGnome reported recent news that software developed by a company called Carrier IQ was tracking your every move on your Android device, from keystrokes to taps on the screen.

However, today more information has come to light regarding what the software is actually doing. When YouTuber Trevor Eckhart released his video allegedly showing Carrier IQ’s software tracking and logging everything users do on their device and claimed that the company was able to gain access to users’ private communications, people were infuriated (with good reason, of course). We trust our phones and carriers to deliver our messages to their recipients without them being compromised in any way, and the idea that there is software logging everything you do is absolutely horrifying.

Carrier IQ tells a different tale. According to the company, the software “does not record, store or transmit the contents of SMS messages, email, photographs, audio, or video.” Well great, who do we trust, a 25-year-old system administrator or this company that is allegedly recording the actions you perform on your phone?

Luckily, security researchers are siding with Carrier IQ today, disagreeing with the conjecture made from the analysis performed by Eckhart.

“It’s not true,” said Dan Rosenberg, a senior consultant at Virtual Security Research, who stated that the video only shows diagnostic output and at no time suggests that the data is stored or sent back to Carrier IQ. “I’ve reversed engineered the software myself at a fairly good level of detail,” Rosenberg said. “They’re not recording keystroke information, they’re using keystroke events as part of the application.”

Before jumping the gun and saying “Hah! They’re still watching ‘keystroke events’ so they’re still spying on us,” keep in mind that there is a distinct difference between recording keystrokes and listening for keystroke events. All computer programs listen for input events in order to perform an action to respond with. Listening for a button press or a tap to the screen does not mean the software is recording the input and relaying it back to Carrier IQ.

I’ve seen the video in question. What Carrier IQ’s software is doing is the equivalent of what I might do in my own apps. Either the company is using it for debug output to test its software, or it’s solely used to measure performance of the device and send it back to carriers and manufacturers. It’s not invading your privacy; it’s just trying to make your experience better.

Rosenberg said his look at the Carrier IQ program revealed “a complete absence of code” that would indicate key presses were being tracked and recorded or sent over the Internet by the phone.

“It’s just spitting debug messages to the internal Android log service,” said Jon Oberheide, a co-founder of Duo Security. “It appears that Carrier IQ is indeed collecting some metrics, but I have not seen any evidence that keystrokes, SMS messages, or Web browsing session content are being transferred off the device.”

In fact, The Verge reports that the Carrier IQ software can be found in Apple’s iOS devices. However, it is easily disabled and also agrees with what security researchers are saying about the software included on Android devices in that it does not appear to actually send any sort of private information to a remote server.

The initial rumors of what Carrier IQ’s software might have been doing raised plenty of alarms, but for now it looks like those conclusions were premature. I agree with the security researchers, and what’s more, I ask now that everyone have just a little more faith in developers from this point on. Most of them simply want to improve their software and, as a result, your experience using the device.

You can read Carrier IQ’s updated statement regarding this matter for yourself.

Source: LA Times

Article Written by

  • Yakov Medved

    A perfect example of what “going viral” means…. No corroboration from competent experts, a conclusion stated as fact and a deep mistrust coupled with an unwillingness to listen to other points of view….

    • Poppa

      Actually, I’m more than willing to listen to all points of view.  However, having twice been the victim of identity fraud, I’m pretty much always going to make decisions based on what I FEEL is the POTENTIAL for harm or misuse.   Having removed the software from my Droid, there is ZERO potential for misuse from that quarter.  Therefore, regardless of Carrier IQ’s motives, altruistic or otherwise, I am not at risk.  At least from that piece of code.

    • Poppa

      Actually, I’m more than willing to listen to all points of view.  However, having twice been the victim of identity fraud, I’m pretty much always going to make decisions based on what I FEEL is the POTENTIAL for harm or misuse.   Having removed the software from my Droid, there is ZERO potential for misuse from that quarter.  Therefore, regardless of Carrier IQ’s motives, altruistic or otherwise, I am not at risk.  At least from that piece of code.

  • Yakov Medved

    A perfect example of what “going viral” means…. No corroboration from competent experts, a conclusion stated as fact and a deep mistrust coupled with an unwillingness to listen to other points of view….

  • Poppa

    Regardless of it’s intent, the potential for mmususe is enormus.  Additionaally, IF everything is so legitimate, then why has the company taken such pains to make it invisible?  In most instillations it does not even show up in the running processess, and IF you manage to find it it blocks a forced close!

    Luckily Carrier IQ is easily removed from your droid.   XDADevelopers forum (google it) has a free app that will tell you if it’s on your phone, and the pro license ($1) will remove it from your device.

    I DO know that once removed my I897 Captivate reuns considerably faster, and the battery lasts a lot longer!

    • anonymous

      I agree. Even if it is a “false alarm” so to speak, the fact of the matter remains – smartphones are storing more and more private information and will be used for purchases, etc. and it is VERY possible an app can hide as Carrier IQ and is capable of collecting and sending that information. 

      Maybe this version of Carrier IQ is not transmitting the information, but whose to say a future version won’t or another app is created that does? And when they do, companies will protect themselves with their lengthy legal documents and privacy policies. How many people actually read the all of the license and privacy agreements which seem to be like 10+ pages long before agreeing to it and installing or using applications and signing up for accounts and so on? So, how hard will it be for companies to insert a bit of text that allows such a thing with the guise of it being to help them determine “networking” issues. 

    • anonymous

      I agree. Even if it is a “false alarm” so to speak, the fact of the matter remains – smartphones are storing more and more private information and will be used for purchases, etc. and it is VERY possible an app can hide as Carrier IQ and is capable of collecting and sending that information. 

      Maybe this version of Carrier IQ is not transmitting the information, but whose to say a future version won’t or another app is created that does? And when they do, companies will protect themselves with their lengthy legal documents and privacy policies. How many people actually read the all of the license and privacy agreements which seem to be like 10+ pages long before agreeing to it and installing or using applications and signing up for accounts and so on? So, how hard will it be for companies to insert a bit of text that allows such a thing with the guise of it being to help them determine “networking” issues. 

    • Trendyviews

      They (XDADevelopers) are now charging $1.49 instead of a $1 now. Greed is where Karma will turn around and bite them. There should not be a charge for this app in the first place. Users should be able to disable on their own.

      • Poppa

        So, you don’t feel that the developer of this app deserves a measly buck and a half for all the hours he’s put into researching, developing, testing,  and compiling an app that’s capable of removing this piece of spyware from phones manufactured by Samsung, HTC, and many other manufactures?!?!?

        AND, it should be noted that the footprint, and process names for this infection varies from one phone manufacturer to another.

        How many hours a day do YOU work for free???

        And let’s not forget that the app to check your phone for CIQ’s existance on your phone is free… The paid app is simply for the removal license.

      • Poppa

        So, you don’t feel that the developer of this app deserves a measly buck and a half for all the hours he’s put into researching, developing, testing,  and compiling an app that’s capable of removing this piece of spyware from phones manufactured by Samsung, HTC, and many other manufactures?!?!?

        AND, it should be noted that the footprint, and process names for this infection varies from one phone manufacturer to another.

        How many hours a day do YOU work for free???

        And let’s not forget that the app to check your phone for CIQ’s existance on your phone is free… The paid app is simply for the removal license.

    • Trendyviews

      They (XDADevelopers) are now charging $1.49 instead of a $1 now. Greed is where Karma will turn around and bite them. There should not be a charge for this app in the first place. Users should be able to disable on their own.

  • Poppa

    Regardless of it’s intent, the potential for mmususe is enormus.  Additionaally, IF everything is so legitimate, then why has the company taken such pains to make it invisible?  In most instillations it does not even show up in the running processess, and IF you manage to find it it blocks a forced close!

    Luckily Carrier IQ is easily removed from your droid.   XDADevelopers forum (google it) has a free app that will tell you if it’s on your phone, and the pro license ($1) will remove it from your device.

    I DO know that once removed my I897 Captivate reuns considerably faster, and the battery lasts a lot longer!

  • Zach

    There are 2 schools of though when it comes to potential spyware.
    1.)I don’t mind what they log as long as they don’t appear to be using it for evil (at this time).
    2.)I will not rely that my info will not be used for evil today, you will not get it to begin with.  I will not have to deal with the question of your intentions today or tomorrow.

    I belong to the second school.

    • Poppa

      Looks like we share a locker! :o)

    • Poppa

      Looks like we share a locker! :o)

  • Zach

    There are 2 schools of though when it comes to potential spyware.
    1.)I don’t mind what they log as long as they don’t appear to be using it for evil (at this time).
    2.)I will not rely that my info will not be used for evil today, you will not get it to begin with.  I will not have to deal with the question of your intentions today or tomorrow.

    I belong to the second school.

  • http://www.oddblogger.com Abhi Balani

    Thanks, atleast you corrected your previous post about carrier IQ

  • http://www.oddblogger.com Abhi Balani

    Thanks, atleast you corrected your previous post about carrier IQ

  • Intocad

    ” Either the company is using it for debug output to test its software, or it’s solely used to measure performance of the device and send it back to carriers and manufacturers. It’s not invading your privacy; it’s just trying to make your experience better. ”
    So does this mean I take a hit against my data usage? I don’t think that’s fair at all. I its already near impossible to account for data usage as it is, I am getting charged for every bit, byte and word I am sending and receiving I would prefer I have total control over what data is coming or going.