“When it rains, it pours.”
Indeed, the Android market has yet another security/privacy mar. Just yesterday I blogged about Android security flaws due to certain manufactures failing to effectuate one or more of Android’s permission-based security models. And today, I’m sharing yet another recently discovered problem; and it’s not 100% clear whether this problem stems from Manufacturers, Service Providers, or both. Nonetheless, this problem has been found on smartphones from HTC, Blackberry, Nokia, and others, and is clearly designed to send your sensitive information to your Carrier, such as Sprint, T-Mobile, AT&T, etc.
The problem here is a small, kernel-based application known as “Carrier IQ” (or “CIQ”) that can (or does?) record every text message, Google search, and phone number typed on smart phones, and surreptitiously report this data to your mobile phone carrier. It was designed by the company: Carrier IQ.
Trevor Eckhart (“TrevE”), a security researcher, posted a youtube video in which he provides specific details evidencing this hidden software installed on an HTC Evo 4G smartphone, and shows step-by-step how it logs user locations and actions, such as key-strokes; and intercepts user communications from text messages and Internet browsing traffic. As also shown, the existence of CIQ is cryptically hidden, and attempts to manually disable it are ineffective. Of particular concern is the fact that HTTPS communications, which are supposed to be encrypted and readable only by you (the source) and another site (the destination; e.g., your bank), are not only logged, but logged in plain-text. So, your personal and private communications and information are not only being intercepted and recorded without your knowledge, but insofar as this log data is sent to your mobile phone provider in an unencrypted manner, your information, such as your login information to your bank, is being transmitted in an insecure manner, and clearly, subject to harvesting and misuse, whether during transit or after received.
As reported by PPCGeeks.com, Eckhart initially disclosed his findings in the XDA Developer Forums, and upon learning of his disclosure, Carrier IQ threatened legal action against Eckhart. Enter the EFF (Electronic Frontier Foundation), and Carrier IQ immediately backed down and issued an apologetic statement:
“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”
Just yesterday, class action law suits were filed against Carrier IQ, Samsung, and HTC for violating the Federal Wiretap Statute. Immediate statements from Sprint, AT&T, and T-Mobile assert their use of the software is strictly for network and device diagnostics; while Verizon, Vodafone, O2, Nokia, and RIM have issued denials that CIQ is installed on their devices at all. As I see it, Sprint, AT&T, T-Mobile, and Carrier IQ are in deep trouble, as the Wiretap Statute does not recognize a defense for innocent use, and these carriers are clearly not parties to your conversations (a defense under the Federal WireTap Statute and some State WireTap Statutes).
So what does this mean for us?
First off, if you’d like your privacy and your sensitive data protected from CIQ, check out this Free Android App: Bloat/CIQ ★ Freezer, which freezes the execution of CIQ. Another alternative is to avoid texting, emailing, and browsing via your smartphone altogether until this problem is resolved. >:-/
And some folks actually question why so many people replace the manufacturer developed ROMs on their smartphones with custom-developed ROMs? PPCGeeks and XDA-Developers are homes to many talented ROM Developers and enthusiasts.
As for the future, we will definitely be seeing a CIQ-specific Privacy Policy, whether independent of, or embedded within, a carrier-based Privacy Policy. Unquestionably, Carrier IQ (and associated carriers) must provide clarification on the collection and use of our private and sensitive information, even if for diagnostic purposes and/or if anonymous.
In the meantime, just be thankful for having an active international community of intellects that are the true supporting foundation of our technology and technology rights. I certainly am.