Mobile
Commentary
12/1/2011 09:45 AM

Carrier IQ: Mobile App Crap Must Stop

The Carrier IQ situation is an insane breach of trust for enterprises. And unless phone makers copy the Apple model, where carriers can't pre-install app crap, it will happen again.

You just can't make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure Web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as paranoid. Yet that appears to be the situation with Carrier IQ, a carrier utility gone wild.

Like the Master Control Program in the '80s science fiction classic "Tron," Carrier IQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, "we are counting and summarizing performance, not recording keystrokes or providing tracking tools," third-party analysis of Carrier IQ begs to differ.

Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application "is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the 'secure' Internet." Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at $180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now "deeply sorry for any concern or trouble" that the letter may have caused Eckhart.

From an enterprise perspective, this is massive. It's the Jerry Sandusky of mobility. It is an insane breach of trust.

[ Not up to date on Carrier IQ? See Carrier IQ Withdraws Legal Threat Against Security Researcher. ]

Enterprises have long put up with "app crap" on Windows platforms, and then on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.

We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.

All of a sudden, Steve Jobs' perspective about who should control mobile device firmware doesn't seem to be such a bad idea.

Carrier IQ has no relationship, at all, with the enterprise. They've said that "we do not sell Carrier IQ data to third parties" or "provide real-time data reporting to any customer." But once you generate the data, it's there for the taking.

This year's Data Breach Investigations Report, co-sponsored by the U.S. Secret Service and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen). As enterprise trusted partners, it's time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.

Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.

The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ's reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.

Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It's not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me Wednesday morning that "some deployments of Carrier IQ by the carriers have an 'off switch' that smartphone owners can trigger," but that he's also seen reports that it simply doesn't work.

Now contrast that to the simpler Apple model, where Apple delivers a phone with fundamental firmware, absent the app crap. Both Apple and the carriers have major skin in the game to preserve the trust of the enterprise. If carriers want to have management capabilities on the iPhone, they'll have to EXPLICITLY have permission from the enterprise.

This type of permission is generally granted by enterprises to service providers, but it's under contract, with explicit rules of engagement, and with incentives. ("We'll give you xyz points off of your bill if you use this"; or "wow, look at this management software that you can use, it's really useful, we only ask that you allow us to have this explicit dataset.")

One case in point is Spiceworks, a free network management service that spells out how it will use your information. This type of win-win arrangement is already present in the mobility world: Verizon has successfully rolled out its "My Business" service to enterprise customers, in a scenario where Verizon gets to avoid the expense of mailing bills, and enterprise account managers get an easy-to-use interface.

The point is, though, that it's pretty obvious that the current "provider gets to thoroughly load the phone with untrusted app crap" model isn't going to fly anymore. There must be a check and balance. And I think that Apple's model of shipping a phone without carrier meddling is a good start. Let carriers woo the enterprise to get permission to install management software. But with mobile phones being an integral and essential part of enterprise infrastructure, software-without-permission must stop.

Comments

Bob O, User Rank: Apprentice, 12/1/2011 | 4:02:32 PM
re: Carrier IQ: Mobile App Crap Must Stop
It is being reported by The Verge that well known hacker Chpwn tweeted today that versions at least as recent as iPhone OS 3.1.3 contained references to Carrier IQ and later confirmed it's in all versions of iOS, including iOS 5.
Counsel-or, User Rank: Apprentice, 12/1/2011 | 4:07:09 PM
re: Carrier IQ: Mobile App Crap Must Stop
Except, it had been found in iOS devices... it isn't on all Android or other devices... Did you read the whole blog post?
DavidMichael, User Rank: Apprentice, 12/1/2011 | 4:15:22 PM
re: Carrier IQ: Mobile App Crap Must Stop
So the app is getting all the keystrokes. What is it doing with this data? That's the question.
SIR000, User Rank: Apprentice, 12/1/2011 | 4:43:40 PM
re: Carrier IQ: Mobile App Crap Must Stop
From the Verge updated: Apple has added some form of Carrier IQ software to all versions of iOS, including iOS 5. However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else. We'll let you know when more details arise.
AmberB, User Rank: Apprentice, 12/1/2011 | 5:03:42 PM
re: Carrier IQ: Mobile App Crap Must Stop
That is only the first question. The next question is: who will they be sharing it with, and will the originator of the data even be notified? We all know that law enforcement can, without a warrant and without any notification to the target, obtain all your email contacts and who you've been sending and receiving emails to, along with all of your internet searches from Google, who btw is more than willing to provide the information when requested.

What their original intentions are in collecting this data, unless they are outright selling it, are almost a secondary matter.

The police have the capability to use mobile cell phone towers to identify all cell phones within range, and to spoof the real towers to intercept all messages from all phones in range. They are currently testing this out in Britain. The argument I hear is "if you're not doing anything wrong, you have nothing to worry about," but this is so short-sighted. How about the UC Davis protesters? How secure do the people standing around with their cell phones feel if the police can capture the identity of every cell phone in range and match it up with the Carrier IQ data? What if a couple of those police are upset at some of those students because they feel they were made into a fool? Police corruption is not just something in movies.

I am so pleased that the EFF got involved in this. All of us as citizens need to be aware of privacy issues. The reason we have our constitutional rights is so people can have a fighting chance to expose and protect ourselves against corruption in our police departments and government. We need to stop just this kind of incursion, even if their reason for collecting the data is supposed to help us.
brenna1, User Rank: Apprentice, 12/1/2011 | 5:24:36 PM
re: Carrier IQ: Mobile App Crap Must Stop
Well, all that fear mongering and gloating over the "perfect and not being spied upon" iPhone is out the window, eh? This article reads like an ad for the iPhone and makes one wonder what the motivation might be to write something of this nature.
david_400, User Rank: Apprentice, 12/1/2011 | 5:58:57 PM
re: Carrier IQ: Mobile App Crap Must Stop
Mr. Feldman, please do some research and find out if Eckhart's allegation is true before you add to all the hype. His video looks like Logcat in Eclipse when USB debugging is enabled on the phone. The data goes over the USB cable to your computer only, where you can view it for debugging purposes. I just did it myself and saw SMS messages, keystrokes, etc. This is normal. I'd like to see proof that the data is actually getting logged by Carrier IQ on the phone. -David, developer.
NotTellinYou, User Rank: Apprentice, 12/2/2011 | 12:58:49 AM
re: Carrier IQ: Mobile App Crap Must Stop
This is not a correct representation:

http://arstechnica.com/tech-po...
NotTellinYou, User Rank: Apprentice, 12/2/2011 | 1:00:22 AM
re: Carrier IQ: Mobile App Crap Must Stop
This is not correct. The only iOS 5 device that still includes this software is the iPhone 4 and will be removed in an update. In any case the software only sends the data if the user opts in.