29
Nov
carrierIQ
Last Updated: January 17th, 2012

Lately, we've talked a lot about Carrier IQ, the "service" that hides itself in the background of an unknown number of Android devices, harvesting information and sending it back to carriers. While it's still unclear how deep the rabbit hole actually goes, the dev who discovered it, TrevE, is still digging in search of the answer. His latest findings may shine a bit of light on the subject, and I can promise you one thing: it's not pretty.

CIQ's Cloak of Invisibility

If you want to build an app that is designed to harvest the data of unknowing customers, there's a good chance that it's going to be well-hidden. So well hidden, in fact, that there's no clear way to detect it, get rid of it, or even shut it down. All of these things are true for CIQ - you'll find very few traces of its existence in the smartphones in which it inhabits. When you do find it, however, there's no way to kill it.

iqrd iqrdpermissions1 iqrdpermissions2

Carrier IQ and its ten thousand permissions.

A little backstory is in order here - these screenshots were taken by TrevE on his stock, unrooted EVO 3D. You can see that the device is in airplane mode, and no accounts were set to sync. This service was running right out of the gate, from the second he booted the device up.

So, what do you think happens when you tap that little Force stop box? I can answer that for you - nothing. That's right, the app won't die. Doesn't matter if you hit that button one time or fifty, it does nothing. Not only that, but take a look at that icon - very inconspicuous and generic, wouldn't you say? A large portion of users would just scroll right past that snake-in-the-grass and never give it a second thought. Shady, shady stuff.

This is just the tip of the iceberg, though - turns out that CIQ is embedded so deeply into the devices that it inhabits, there is no way to get rid of it unless the entire OS is recompiled from scratch. This includes the kernel, the OS, and any customizations made to stock Android. In other words, this is impossible to remove from a stock ROM, even with root access. It's a figurative hydra, and severing only one head doesn't even phase it.

To give you a better idea of how integrated CIQ is into the very soul of the device, I strongly urge you to watch this entire video from Trev. It's a bit on the lengthy side, but it's well worth it.

An app that's well hidden? Check. Harvesting data without the users' knowledge? Check. Embedded so deeply within the root of the device that it's nearly irremovable? Check. Sounds like we have all of the qualifications of a full-fledged rootkit - one of the absolute worst types of spyware imaginable.

So, what does HTC say about all this? Typical it's not us! crap.

It is also important to note that the phones we build are a compilation of not only software and services from HTC, but also from third parties. These third-party applications and services, such as Carrier IQ (CIQ) and Google Check-in, serve to further improve the customer experience and have their own privacy policies. We encourage consumers to understand the specific policies of any application or service that is enabled on their device.

In all fairness, I will say that CIQ is not exclusive to HTC devices, it just so happens that this was the type of device used when CIQ was first found. That doesn't make them innocent by any stretch of the imagination, though - they have their own IQagent app bundled in, as well. It appears that this is HTC's "helper" app to CIQ, as it doesn't require any permissions of its own.

iqagentmain

Oh, looky there - an About box! Great! You know what it tells us about the app? Nothing. It's blank. Way to go, HTC.

HTTPS? Nothing Is Safe From Carrier IQ

For those unaware, the S in HTTPS stands for secure. It's what keep your passwords and other sensitive data safe when sent across the web. It's provides encryption for said information, so whilst it's traveling through the airwaves, it's safe and snuggly, away from the awful people who want to steal your info.

Just because a website is using a secure connection doesn't mean it's one-hundred percent safe from end-to-end, though. You see, some information, including usernames and passwords, can still be sent plain text. For example, the username and password can be used in the address of the site, like www.mysite.com?username=MYNAME&password=MYPASS (Trev's example). Sure, it's encrypted while going down the tunnel, but guess who gets to see the raw link? Did you guess Carrier IQ? If so, go get yourself a cookie. You earned it.

Devices Without a Cellular Network Aren't Safe, Either

Let's think about the name of this thing for a minute - Carrier IQ. So, it's probably safe to say that this is all about the carriers, right? If that were true, then why would CIQ remain active once a device no longer has carrier service?

Let me back up for one second, CIQ claims that its services are stopped the second the SIM card is removed from the device, which is all fine and dandy... if you're on a GSM network. Those of us on CDMA networks aren't so lucky, though, because we don't use SIM cards. Thus, even when a device is deactivated from its network, it continues to send data back to the carrier, CIQ, and whoever else whenever you're on a Wi-Fi connection. Great.

So, What Does This All Mean?

It means there is some shady business going on in our world. It's right under our noses, yet we can do nothing about. The bottom line is this: our data is being stolen - there is no choice, we have no say. Any decent service would, at the very least, provide an opt-out, but not CIQ.

The information that I send across my cellular network, including SMS, email, websites I visit, all of that - it's mine. If I want to share this information with my carrier, then they damn well better ask me for it.

What's going on right now is an outrage - carriers have no business prying into our lives this way. I don't hold the carriers solely responsible for this, however, Carrier IQ is just as responsible (if not more) for creating a mandatory rootkit that is to be placed on our devices before we buy them.

For a more in-depth look at the entire picture, take a look at this post from TrevE. You'll find that he's done an excellent job of leaving no stone unturned.

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • matt

    get the pitchforks. this stuff has to be stopped.

    • Nocturnhabeo

      alert the rooters and the hackers we must have access to get rid of this

  • JCopernicus

    "The bottom line is this: our data is being stolen - there is no choice, we have no say. "

    Yes, you have a choice.

    Stop supporting carrier subsidies.

    • Mike

      Carrier subsidies has no bearing on this. If there were full disclosure and the option to buy a non-subsidized version of this phone without those pre-installed apps, then I might understand. However, there is neither.

      • JCopernicus

        Who do think is the one putting this software on phones? It's in the name of the application in question.

        Phones are built to spec by carriers, carriers who then subsidize the phone.

        • modplan

          Yes but you cannot walk into your Verizon store and buy a Droid Razr without subsidy and get it without CIQ. Nor could you order it direct from Moto without CIQ. So your suggestion makes no sense, unless all you meant was a Nexus device.

    • modplan

      There is also no evidence that this info is being sent anywhere (that I know of). It is simply logged to the system log, which on an active phone is cleared multiple times a minute.

  • Craig Rachel

    Google should probably look at this and consider revoking Android Market/Google Apps from carriers/OEMs doing this but in the meantime, stop buying carrier subsidized phones.

    • Joe

      You don't really think Goog is absolved from acts of this kind, do you?

  • ocdtrekkie

    My Droid 3 has several apps with that icon. I am guessing it's just a generic icon for Android service apps to use.

    Contacts Sync
    ContactsData
    Fake Blur Xmpp
    HSTcmd
    MOTOBLUR Indexing Service
    Motorola Services
    Motorola Storage Monitor
    Social Messaging Service
    Suggestions Core RuleChecker Service
    Suggestions Poll Scheduler Service

    There's some apps on my phone without icons which are pretty suspicious though: Data Collection for example, has a massive list of permissions as well.

    • Cameron Summerson

      Exactly. It's a generic icon, making this already-shady app even more so.

      • ocdtrekkie

        I don't think that makes it any more or less shady. As something that never appears on your device's screen... why bother making an icon for it? Are you looking for some villainous-looking icon which shows your data being sucked into a wormhole? :P

        I just don't see it as something that makes it more or less shady than it is. If using a generic icon is shady, I should be real scared of that Motorola Storage Monitor! It could be telling people how much space is left on my SD card *gasp*!

        Also... a lot of this data your carrier either already knows about you, or could easily intercept network side. I'm paying them for sending this information over their pipes, I kind of assume they have access to it. This won't keep me from sleeping at night.

        • Nocturnhabeo

          not https and not if you are on your home network

  • Francesco

    Thank you CIQ for taking away our privacy! This is unacceptable, if it were just HTC I would never again buy one of their phones. But I guess the only way to be safe is to use some AOSP rom...so sad our privacy is being taken away from us like that!

    • Nocturnhabeo

      you can use a modded stock rom that has been recompiled

      • Simon Belmont

        Exactly. I switched to a modded stock ROM on my Sprint HTC EVO 3D the minute I got it.

        Same thing with my wife's Sprint HTC EVO 4G and my old Sprint HTC Hero. Thank God for the development community, as they are watching our (and their own) backs.

  • skitchbeatz

    ridiculous. Any idea of the devices this comes shipped on?

    • http://twitter.com/GazaIan Ian Stephenson

      All of them. Every single device. It's on stock ROMs, but if you flash another ROM it'll be gone.

      • http://dubqnp.dk dubqnp

        in america? I don't see it here in europe.

  • http://www.thenolands.com chris Noland

    Cameron there are actually a few others that support this functionality (handset Agents) of gathering handset based data. It historically was only location and RF power but as users are demanding more from data services I am guessing it has driven them to gather more data... but passwords...that is a way over the top.

    Also this software would be deployed on all the handsets at a carrier and has been used for a few years. I am guessing it was just easier to find with Android

  • http://www.slipshft.com Slipshft

    It's on the HTC EVO 4G. Nice that they disclosed this when they sold me the phone... now I have to go back and look at the contract to see if they did or did not disclose this type of data collection. I smell a class action lawsuit.

    • http://thekeepsakes.bandcamp.com Anthony

      Let us know if it's in there!

  • Nich

    yes i would like to see a list of devices that this comes on . my niece and nephew are getting smart phones to add to their family plan . i definitely want to steer them clear of phones with this software .

    another question . do you think that part of the long wait to get carriers to upgrade to gingerbread is due to waiting for ciq to rewrite this software to the new kernel and the carriers having to wait their turn for ciq to add it to their source tree ??

    -Nich

    • Nocturnhabeo

      probably all of them but you should just root the device the second you get it so you don't have to worry. You get better support if you do as well.

  • http://thekeepsakes.bandcamp.com Anthony

    Is there a list of phones that don't have CIQ or god knows what else is on our phones mining all of this data? Are you safer buying an unlocked phone (carrier free)? I remember reading a WSJ article about phone use, saying that the data had determined it was possible to estimate someones exact location on any given day to a 90% degree of accuracy. The researches also said it was possible to determine the persons mood by how they were using their phone, who they were talking too. Sure, there were some opt in people using a specifically designed app, but were they possibly buying further data from the carriers use of CIQ? It's terrifying. No anonymity.

    Here is the article

    http://online.wsj.com/article/SB10001424052748704547604576263261679848814.html

  • modplan

    First, as an Android Developer by night and Software Engineer by day, I can say this is being blown out of proportion A LITTLE. This is not new, over the past 2 years I have spent a LOT of time staring at Logcats and this info has always been there, since I have been using Android, on every device I have used. Also, logcat logs are rolling. Meaning, once they get to a certain size, the info from the beginning is deleted to make room for new info at the end. On an active android phone, the entire logcat could be replaced in as little as 30 seconds, on an inactive phone, a few minutes, maybe longer.

    It is also worth noting that TrevE does not understand HTTPS. HTTPS encrypts the packets using a public/private key infrastructure to prevent prying eyes IN BETWEEN your device and the destination server from being able to see the contents of the packets. It does not, never has, and never will, encrypt strings IN THE URL. So that entire section of his video is just plain wrong.

    -Is CIQ bad? Probably not. The info is likely used for debugging and just general record keeping.
    -Could the info be used maliciously if it falls into the wrong hands? YES.
    -Should the info be logged to the standard log? Probably Not.
    -Are CIQ, HTC, Verizon, etc going to be sitting at a computer reading all of your SMS messages? Come on.

    Should we have been told about this and given a privacy policy? YES! That is the real issue here, not the logging. The logging has been around since Android began, and all Android developers knew about it.

    What other devices does CIQ come on? Virtually every Android device, many Blackberries, and the iPhone probably has its own equivalent.

    I appreciate TrevE trying to get the information out and expose this, as it SHOULD NOT be hidden. But his blatant misunderstanding of HTTPS has me questioning his background quite a bit as this is taught in High School level computer science courses.

    Lower the pitchforks a tad guys.

    • modplan

      It's also worth noting that there is no evidence this info is being sent ANYWHERE. It logs YOUR actions on YOUR device, and then the log rolls over a few seconds or minutes later and the info is no longer being stored on your device.

      Evidence of all this info being sent somewhere would be damning for CIQ, but there is no evidence of that.

      Can we please remove our tin foil hats now?

      • Jim

        I don't know that they are sending all of it, but they're certainly sending some of it. I'd just like some clarification on exactly what they are collecting, and exactly what they are sending. Until then, the tin foil hat stays on.

        • modplan

          Again, there is no evidence of them sending any private info anywhere. A privacy policy is really what we need to know what they are sending and how they are using the data.

          THAT is the problem, no PRIVACY POLICY. Nothing else TrevE showed is new, out of the ordinary, or harmful to your privacy.

        • Jim

          From the Carrier IQ media alert at

          http://www.carrieriq.com/Media_Alert_User_Experience_Matters_11_16_11.pdf

          "Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and
          networks ... We do this by counting and measuring operational information in mobile devices ... This information is used by our customers ..."

          They are collecting information which _is_ used by their customers (the carriers). If the data, whatever it is, isn't being sent, then how are their customers getting the information? Thus my original questions - what are they logging, and what part of the logs are being passed along?

    • Don’tBelieveThePropaganda

      modplan,

      You would have us believe, the effort involved here to collect significant amounts of data is being done "just in case it's needed" and is not being used by carriers?

      Having reached this stage of life, I have yet to see such effort expended without an expectation of ROI. Isn't that right?

      • modplan

        The carriers have your SMS messages. They can see the sites you visit on their network. Why would they care if you press the home button?

        It is being used, of course, but CIQ creates products designed to help manufacturers make your ROM better, and carriers improve your service. But what TrevE showed was log data. Every app puts info in the logs. All of them, including your kernel, which CIQ (apparently) is a part of. My OWN apps that I develop, write to the log when you press a button in the app, scroll up and down lists, press the menu button, etc.

        Log data does not equal sent data.

        But suppose for a minute, they WERE sending everything that is logged. What info is it giving that the carriers do not already have? TrevE does not understand HTTPS, so that entire section of his argument is just blatantly wrong. They now know you pressed the home button? Who cares? CIQ is designed, based on their own words, to aggregate and analyze the data that the carriers and manufacturers could ALREADY get if they wanted it. The problem, again is NOT what they are doing, but that they try to HIDE it and dont provide a PRIVACY POLICY.

        • Cameron Summerson

          If they don't care when you press the home button, then why does every action have to go through CIQ first?

        • modplan

          Cameron,

          Ok, here it goes. According to the above article, CIQ is integrated into the kernel. The kernel is the software that sits beneath the ROM, controlling the hardware (like buttons). CIQ claims that a large portion of their software's value is during phone DEVELOPMENT. Meaning, a dev is sitting at a computer, much like TrevE here, pressing all the buttons and reading the log during development, to ensure things are working correctly.

          CIQ is not some app that is just installed after the phone's ROM is made, its PART of the ROM AND Kernel to aid in its development and reduce bugs. These log statements, are simply a byproduct of that (if you take CIQs description of their software from their website, at face value) as occurs in all software.

          An example, in the system log on my Mac, I see entries from Thunderbird providing details on every email I send and receive, including the one that just arrived, notifying me of your comment ;)

        • modplan

          Cameron,

          A quote from CIQs website describing their product shows why things are running "through" CIQ. As a software engineer I can tell you that finding bugs is HARD. I write for enterprise server systems and when we have a customer that hits a kernel panic or a major bug, we have them take a core dump and send it to us. It takes them about an hour to dump it, its about 3GB, and can take a team of engineers a week to go through it and find the issue. Honestly, something like CIQ for the systems I work on, to automatically send this data, aggregate it, analyze it, and then spit out a report, would make the lives of our engineers, our customers, and finding bugs we do not even know exist, about a million times easier.

          Here's the quote:
          "This actionable intelligence enables you to identify, classify and resolve complex and intermittent issues that frequently occur in pre-deployment stages of development. After deployment, Device Analyzer continues to enable you to visualize sequences end-to-end, drill down to root causes, identify patterns of failures, and automatically get details from the device when an error is detected or a user reports an issue during the life of the device."

    • Modplaniswrong

      read this modplan, you are wrong
      https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
      common question we hear is “Can parameters be safely passed in URLs to secure web sites? ” The question often arises after a customer has looked at an HTTPS request in HttpWatch and wondered who else can see this data.
      For example, let’s pretend to pass a password in a query string parameter using the following secure URL:
      https://www.httpwatch.com/?password=mypassword
      HttpWatch is able to show the contents of a secure request because it is integrated with the browser and can view the data before it is encrypted by the SSL connection used for HTTPS requests:

      If you look in a network sniffer, like Network Monitor, at the same request you would just see the encrypted data going backwards and forwards. No URLs, headers or content is visible in the packet trace::

  • AppleFUD

    Carrier IQ = best ad/reason to buy an iphone yet.

    To all manufacturers putting this on their devices. . . . .
    YGTBFKM!!!

    • modplan

      All Android manufacturers and carriers use it. Even Blackberries. You don't think iPhone has an equivalent? It is a system used to help the phone manufacturer make the ROM better and to help the Carrier improve their network.
      All smart phones have it, or something similar. With the only notable exception probably being Nexus devices.

      • Don’tBelieveThePropaganda

        If this data is not being sent to recipients how is it of any value to said carrier for network improvement?

        • modplan

          Info is being sent. Info designed to help the carriers improve their network and phone manufacturers make better ROMs.

          Is private info being sent? Who knows.

          TrevE showed that YOUR actions are logged on YOUR phone for seconds or minutes. Nothing more, nothing less.

          We need a PRIVACY POLICY from CIQ to know what information they are sending and how exactly it is used. Until then, what TrevE showed is something that either he himself does not understand, or that he knows others will not understand, in an effort to get CIQ to open up by getting bad press.

          I'm betting on the former, since he lacks the basic knowledge of HTTPS, I doubt he understands the inter-workings of Android development, but regardless, if it gets CIQ to open up, its a GOOD THING.

          But for now, no one but CIQ and their customers know what is actually sent, and I honestly doubt they are "spying" on you. Rather, giving their customers (carriers and phone makers) the non-private data they pay for, in order to make the services we love BETTER!!

        • drksilenc

          modplan i h8 to break it to you but 9/10 of the stuff u have posted in this is absolute drivel and just plain wrong. yes the log shows key presses for all apps but not what keys unless its the 4 primary buttons or any physical buttons. This program records ALL keypress including soft keyboards.

  • http://www.slipshft.com Slipshft

    If you look at the permissions of the IQRD app, that will explain a lot of what they can do and what information they can collect. If you read the PDF the Carrier IQ put out: "The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities." They are transmitting information, and they cannot count or summarize information without the underlying data. So, really this is a big deal. Sure, I can say I am not gathering the data, and I would until you can prove that I am actually gathering that data. Be realistic, they are capturing data on every cell phone user out there, not just carriers, but Carrier IQ themselves. How much trust will you give them with your personal information? If they can make money with it, they will find a way to do it.

    • modplan

      They are transmitting information. But what information? Their product description on their website states they capture and send information. Information they say helps make better phones and better networks. They aren't hiding what their business is.

      But what information are they sending? What personal information? Is it error reports and signal stength or is it more than that? What TrevE posted means nothing, if they REALLY had something to hide that they were sending, they WOULDNT LOG IT. They could be sending all the info they log, they could be sending none of it. TrevE's findings are moot though, this has been KNOWN by anyone that has ever looked at a log for more than 5 minutes.

      What we do NOT know, is what they are sending. We know that they are logging, but logging means NOTHING. We need a privacy policy to know what they are sending.
      Again, what personal information that your carrier does not already have? It states right there in your post they store it in their CUSTOMERS (carriers, phone makers) servers, or their own servers that the carriers and phone makers approve of, that are audited.

      This is NOT a big deal, until it is found they are sending ANYTHING they should not be sending (something more than, location, signal strength, crash reports).

      What IS a big deal, is that they have not told us what they are sending.

      • Jim

        "What IS a big deal, is that they have not told us what they are sending."

        In 100% agreement.

        To be balanced - Carriers can assemble quite a bit of information about how we use our devices and of many of the problems we might encounter based on the operational traffic which passes through their system (SMS messages, web pages requested, calls placed, handset location. etc). The point being that they could go a long way without CIQ's software. But what they can't catch server side are software issues. Where they might be able to determine that an application or the handset itself has crashed via passive data mining, a handset based log could go a long way to help determine why something force-closed or rebooted. This kind of information could be most valuable in determining the need for software patches, and to know what the source of any problems might be.

        That said, there certainly could be a legitimate need for such software on a handset. But as mentioned before, I see no reason why CIQ shouldn’t be able to explicitly detail exactly what is being sent. Until they do I reserve the right to regard their software with some degree of suspicion.

  • Lois

    I'm not sure whether anyone has pointed this out yet, but Google headquarters is less than 2.5 miles from Caller IQ headquarters. They are both located in Mountain View California. It may just be a coincidence... Who knows how many headquarters are in Mountain View. The one thing that bugs me is the fact that on TrevE's videos he talks about how encrypted data is no longer encrypted, something about HTTPS and all that. I'm not super savvy on geek speak, but hopefully you get my drift. My point is that from what I understand about encryption, you need a key, or code or something to break the encryption. What better way to unencrypted google secure sites and servers, than to go right to the source? Heck, a rep from CIQ can walk right into the google building on a lunch break. And who better to monitor and search massive amounts of data than the largest search engine in the world? This may turn out to be nothing at all, or even a red herring, who knows, but it seems strange that one company is able to de-encrypt another's encrypted information, especially one that is right down the street.

  • Joel

    Root + CM7 or MIUI FTW!

  • Steve

    Just for the record you have stated that it is in many phones. What you failed to do is realize that long before this it was discovered many months ago by K0nane when he made his first or second ACSyndicate rom frozen.....and oh yea, its been removed....so on sammy devices at least you need to note K0nane has removed this many times on a few phones already. Homework, you must do homework before posting such articles. Thank you for the article though.

  • Josh

    After reading the article, watching the video, and reading the comments, I have two things to say.

    #1. Yes, CIQ needs a privacy policy that comprehensively lays out what info of ours is sent to carriers.

    #2. Whatever you're doing with your phones that would make you truly worry about this is very likely something you should be ashamed of or arrested for anyways. =)

    • Kes

      Flirting with my boyfriend is something I'm not ashamed of, but at the same time, I don't want CIQ to know about it either.

    • Heath

      "Whatever you're doing with your phones that would make you truly worry about this is very likely something you should be ashamed of or arrested for anyways"

      That argument is rubbish.

      so I guess 1984 isn't soooo bad ;)

  • http://www.subgenius.com Chris

    modplan.

    Please if you are going to be an apologist for these Tools, at least be more informed on the technology.

    -Cmoockery

  • Simon Belmont

    The fact of the matter is that there needs to be transparency on what is being sent. That and they need to let the user opt out of it.

    You can collect stats, CIQ, but recording my keystrokes, reading my SMS' and emails, and reporting my GPS location is going too far. I am a software engineer and app developer, myself, and I respect stats collecting, but not when the user is uninformed as to what is being sent, and if there is a chance of it not being on a secure connection.

  • http://radiodeadair.com Nash

    Google really needs to get on top of this. The privacy issue was a big deal for iOS, and it's a big deal here, too. This is a potential PR nightmare.

    Consumers are by and large dumb as bricks. If just one hears, "Oh, so and so said Android phones track everything you do," that's a lost sale. And they are all too happy to repeat the pseudo-fact without any inclination to look into it deeper.

    Google needs to address this; Carrier IQ needs to be opt-in, and carriers should be held to account. Otherwise this could badly damage the Android brand, and I would be very pissed off as a promoter and user of Android.

  • DOGG

    People JUST HACK your phones or flash them with ROM that do not have this "app"...

  • The Truth Squad

    Gee, I wonder how the carriers know if you have used an app to create a hot spot without paying them $30 a month? How could they possible know you had downloaded Wifi Teather and are using it to connect your tablet or your laptop?
    How about using this app to tell your wife who you are texting, for a fee, of course. Can you imagine what they could have blackmailed Tiger for what was in his phone? Maybe they should put this on the Market and make a killing with it. The possibilities are endless.

    • Dan

      well.. and the S in SSL stands for secure.. so the S in https stands for secure, too ;)

  • enness

    So they say, "We encourage consumers to understand the specific policies of any application or service that is enabled on their device." And how the hell is anyone supposed to do that if it's hidden?

  • Jboss

    I agree 100% with every line written by MODPLAN! I can read these threads and go down the line and pick out the developers from the non-developers.

    There is no difference between what CIQ is and what you see when your Windoze/*NIX/Mac device cores and asks you if you would like to send this information or displays the blue screen if death.

    As a developer, we need *something* to debug issues, a simple "I clicked on X, then Y, then Z" doesn't cut it in terms of drilling down and finding the problem.

    For those that watched the video, the "com.x.y.z.ciq" in the logs means absolutely nothing accept the fully qualified name of the class file. The naming convention is your URL in reverse order starting from very generic "com" providing more detailed hierarchical info with each "."

    As for the HTTPS comments, anything on the URL is NOT encrypted, that is like saying all if the addresses on snail mail are encrypted. Its what is inside if the envelope that matters! And if you are ever on a website that tosses the username and password as URL parameters, run for the hills, cuz there isn't a snowballs chance in h*** at protecting that. Ex: https://stupid.com?username=bad&password=juju there us NOTHING that can be done to make that call safe!

    +1 on the privacy agreement, etc... But I can't imagine something so obviously germaine to software development could just be flipped off, not sure that I would want it to be, every phone/app you get would be in an alpha state.

    And to all the beloved iPhone folks, guess what the same thing exists on the iPhone, it is just buried even deeper in the bowels of the OS and doesn't have an associated scary video yet.

    • Lois

      Thank you Jboss, for clarifying some things. I'm not a programmer, and am just now learning what Android is capable of after a year of owning an android device (and only using it to make calls). I watch videos like these and immediately i start thinking 'crap! That guy says this is bad!! Is that bad? What's he doing with that computer?? I don't know what he's talking about, but it sounds ominous!'.
      Unfortunately, I tend to take these technical videos at face value because I simply don't know enough about the technology to know different. I think most people do.
      This is the reason I recently started reading as much about technology as possible. I may not be able to understand half of the content on these types of sites, but I'm learning, and clarification is super helpful for technidiots like myself. Much appreciated!

    • drksilenc

      Jboss im glad u changed from modplan account to back yourself up.
      THERE IS A DIFFERENCE. without carrier iq installed logcat does NOT reference all the keystrokes in the log. I can post logs from several different models of phones that have and then then have had carrier iq removed from the device. Also your breakdown of https is wrong as well. https is contained in browser and should not be able to be read by anything outside of that browsers sandboxed enviroment. when you go to a https url the text changes from plain text to whatever encrytion the page uses. carrier iq reads the key input at root level and basically intercepts that data. thats the only reason it is read at plain text lvls.

    • http://dubqnp.dk dubqnp

      If it is so normal, then why make it hidden?

  • Noreen

    TrevE's discoveries of Carrier IQ have certainly made the news. It seems that it was only a matter of time before this was discovered and revealed on a grand scale. How could Carrier IQ, the manufacturers, service providers and even Google not see this coming? There's plenty of explanations and changes forthcoming to such types of data harvesting applications, especially of this type, mostly from Carrier IQ and other companies like them, but also from all parties involved.

    Customers have a right to the disclosures that should have been provided. And was it necessary to go so far and harvest so much data? The fact that so much has been embedded, not explained up front, and given options to force close that does not even work, nor to accept or decline any kind of app with permissions spells out that something suspicious maybe or is happening. (After all this was not something that a customer could even choose to download from an app market. It came installed in the product.)

    Now whether or not this is helpful ware or spy ware is certainly not concluded, yet. I do indeed appreciate and love, yes, I'll say, I love my android cellphone. I wouldn't want to see it hurt in any way, shape or form. It's an amazing product, and I hope that it will continue to grow and excel, especially with its android open source projects of many kinds.

  • nm

    the s in https stands for ssl not secure

    also for more secret android rootkits capable of much more you should check out the defcon 19 vid archive, theres a great talk in there

  • ad

    Recently I was fired. Data mining and iq. Essentially we compiled individual user information and all activity is kept and recorded. Impossible, fine, think what you will. This definitely won't get my job back. The only way around it is cease using mobile phones. Who is going to do that? Furthermore, online is all tracked as well and linking online user profiling activity with cell activity is gaining momentum. Development is even beginning to separate and profile different users of the same phone. Voice prints and location are virtually perfected, unless you speak a broken dialect, that's tricky. Legally there is nothing you can do, read the patriot act and terms of use/user agreements you concede to daily. The two chief concerns are 1) ease of exigent information for government officials 2) to influence what you purchase...so don't break the law and regarding target marketing you'd probably buy it anyway. We have harvesting perfected, compiling data is easy, profiling it and making it quickly and easily accessible is another thing especially when you have some ass hole upset you can't the pinpoint the specific bill smith they gave an information order on and want it in 60 seconds. since i didn't type this and i didn't divulge sensitive critical confidential information because everyone already knows i didnt violate our gag agreement keep sending my severance checks. thanks. and to all you are seeking the truth you found it but there isnt anything you can do.

  • Bill

    Checked my Motorola Droid HD (Verizon) and it does not have (or can not detect)

    Carrier IQ

Quantcast