Over the past few weeks, there’s been something of a brouhaha brewing over the discovery of a diagnostic app embedded in almost all modern smartphones used by carriers to determine what’s gone wrong with a phone. The app is called Carrier IQ and when it first came to light, its obfuscated nature and inability in some cases to control its activity.
In late November, security researcher Trevor Eckhart caught Carrier IQ on his Android HTC phone doing what he believed meant it was up to no good. After being rebuffed by the company, he posted a video of the activity of the app. Revealing how the software hides from the user, bypasses the OS in some cases, and even makes it difficult to control or even deactivate the application.
Since then, Carrier IQ has come under harsh scrutiny and has been scrambling to piece together its fractured reputation.
Customers have begun to gather with industry watchdog groups to forge lawsuits against the company. As well as probes from governments into the product and what Carrier IQ does in the EU. After what happened to Apple and Google over undisclosed location-tracking, you’d think that programs that surreptitiously watch information on the phone would make certain that they allowed the user to opt-out of their activity.
Much of What Carrier IQ Does is Necessary for the Diagnostics to Function
According to spokesmen from Carrier IQ, what Trevor Eckhart saw was the result of running in a highly verbose diagnostic mode. A great deal of the information that the app could see was not stored or even processed by the underlying application. They have been quick to point out that while Carrier IQ has access to low level functions such as keypresses and incoming and outgoing data, it doesn’t record most of that, and even less of it is sent back to the carrier.
However, without access to these low-level functions in the OS the diagnostics that Carrier IQ is designed to do wouldn’t be very functional for the carrier. For example, much of what was seen would only be active during an interactive troubleshooting session taking place with the carrier (at the consent of the user.)
The fears over what Carrier IQ is processing arise mostly from people not understanding its function.
However, in spite of what spokesmen have said in defense of Carrier IQ, they’re not looking good in the smartphone market when leaders in that market are distancing themselves from the company.
“[I]t actually does keep your keystrokes,” Google CEO Eric Schmidt recently said of the diagnostic app, “and we certainly don’t work with them and don’t support it… Android is an open platform, so it’s possible for people to build software that’s actually not very good for you, and this appears to be one.”
Even Apple has released a statement that they have stopped support for Carrier IQ with iOS 5.
It’s All About Customer Consent, Control, Information, and Education
While Carrier IQ is not exactly as benign as the developer or carriers argue, it’s also not quite as sinister as first thought. Many of the problems that Carrier IQ is currently facing over the activity of its application stem from its furtive behavior and the inability for the customer to know it’s on their phone and control its activity.
Both of these issues make Carrier IQ the privacy and security problem that is today. Any application running on a mobile device or smartphone that’s not directly accessible by the customer, that hides its presence, and cannot be terminated by the customer makes the phone less trustworthy.
If carriers want to have Carrier IQ installed on their handsets in order to aid with customer service, they are going to have to require Carrier IQ to be opt-in.
Having this diagnostic program running on mobile handsets that have no known problems, doing so furtively and without customer consent will leave nothing but a bad aftertaste for consumers. The specter of a breach of privacy is a very emotional problem for consumers and they’d like to know that their carriers are looking out for them not spying on them.
What About Security Risks?
If you’d like to know if Carrier IQ is running on your phone there’s an app for that, Lookout Labs has released a free scanner for Android. From there you can make an educated decision on what you’ll do about it or how to deal with it.
As a program appearing on a great deal of smartphones and that it bypasses a great deal of security functions already in order to be a low-level diagnostic program, Carrier IQ presents a strong case for exploitability. Since information is being captured by Carrier IQ, bypassing the OS, it could be easily used by malware that could actually log or analyze activity and thus becomes an actual problem of personal privacy and security.
Couple it’s apparent ubiquity across both Android and iPhones and thus a strong presence in the market makes it an excellent target for this sort of malware. Add that it launches without consent, does so furtively, and most users don’t know that they have it on their phone means that any malware taking advantage of it can do so without ever coming out of the shadows.