Carrier IQ: What We Know So Far

Smartphone monitor company details in a report every data point that it can collect, and says it shared no data with law enforcement agencies.
The report notably begins by thanking "Trevor Eckhart for sharing his findings with us through a working session that helped us to identify some of the issues highlighted in this report." Likewise, it thanked carriers for detailing their deployments of Carrier IQ's software on their handsets, as well as security researcher Dan Rosenberg, whose own, independent analysis of Carrier IQ's software found that it wasn't doing anything nefarious, although he did fault the company for not being more upfront about what its software was doing.

According to Carrier IQ's report, its software is designed to answer this question for carriers: "What is the network service quality consumers experience when they use a mobile phone on our network and how do we make it better? Put another way, what actually causes dropped calls, reception issues, and the like?" Accordingly, the company has built handset-based software that collects the data required to answer those questions, and routes the data to carriers. "This has been our mission since the formation of the company," said the report.

Furthermore, the company said that with its software deployed on millions of handsets, it has designed the software to collect the minimum amount of information possible, not least because Carrier IQ then has to transmit and store that data, which the company emphasized it does using a "secure encrypted channel."

Carrier IQ also clarified that smartphone owners don't pay for the data transmitted by its handset software--IQ Agent--provided that the phone is operating on a network owned by a carrier that is a Carrier IQ customer. "In typical deployments, the IQ Agent uploads diagnostic data once per day, at a time when the device is not being used. This upload, which averages about 200 kilobytes, contains a summary of network and device performance since the last upload, typically 24 hours," said the report.

Carrier IQ responded to Eckhart's research, which found that the Carrier IQ software appeared to be storing sensitive data to a clear-text Android log file on his HTC handset, by saying that was due to an HTC-introduced bug. "We cannot comment on all handset manufacturer implementations of Android," according to the report. "Our investigation of Trevor Eckhart's video indicates that location, key presses, SMS, and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software's debug capabilities remained 'switched on' in devices sold to consumers."

Carrier IQ said that its software only uses its built-in API to collect data, rather than Android log files. Furthermore, it said it's working with its customers to help prevent these types of bugs from recurring. "Various parties in the industry, including security consultants such as Dan Rosenberg, have recommended that handset manufacturers switch off debug messages containing personal information to prevent them being written into log files. In addition, Carrier IQ is working with handset manufacturers and network operators to suggest changes to the certification process for new devices to prevent similar problems from occurring again," said the report.
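A device-certification check for the failure described above could scan a captured log for the data categories the report names. The following is an added example, not code from Carrier IQ's report or from either researcher; it assumes logcat's `threadtime` line layout, and the tag names, detection patterns, and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# logcat "threadtime" layout: date time PID TID level tag: message
LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+\s+[VDIWEF]\s+(.+?)\s*: (.*)$"
)

# Data categories named in the report; the patterns themselves are assumptions.
DETECTORS = {
    "location": re.compile(r"-?\d{1,3}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}"),
    "keypress": re.compile(r"\bkey(?:code|press|_?down|_?up)?\s*[=:]\s*\S+", re.I),
    "sms": re.compile(r"\b(?:sms|pdu|message body)\b.*[=:]\s*\S+", re.I),
    "phone_number": re.compile(r"(?<!\d)\+?\d{10,15}(?!\d)"),
}

def audit(log_text):
    """Return {tag: {category: count}} for log lines that expose personal data."""
    findings = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip non-record lines such as "--------- beginning of main"
        tag, message = m.groups()
        # Personal data fails the check at any log level, not only D/V.
        for category, pattern in DETECTORS.items():
            if pattern.search(message):
                findings[tag][category] += 1
    return {tag: dict(cats) for tag, cats in findings.items()}

# Constructed sample capture; tags and values are invented for this example.
SAMPLE = """\
--------- beginning of main
01-12 09:15:02.101  1423  1440 D VendorDiag: location fix 37.4219983,-122.0840000 acc=12
01-12 09:15:03.550  1423  1440 V VendorDiag: keycode=KEYCODE_H action=down
01-12 09:15:04.007  1423  1451 D VendorSmsDbg: sms from +15555550123 body=see you at 6
01-12 09:15:05.300   812   830 I ActivityManager: Displayed com.example.app/.Main: +312ms
01-12 09:15:06.120   640   640 W BatteryService: level 81 temp 312
"""

if __name__ == "__main__":
    for tag, cats in audit(SAMPLE).items():
        print(f"FAIL {tag}: {cats}")
```

Grouping findings by tag points the certification failure at the component that emitted the message, which matters here because the report attributes the leak to handset manufacturer debug code rather than to the IQ Agent.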

Finally, during its investigation into how its software gets deployed by carriers, Carrier IQ said that it had discovered another bug, which could at times cause SMS messages to be embedded in the diagnostic information captured by its software and transferred to Carrier IQ. But it said such messages were not in human-readable form, and that after working with carriers, it had quickly eliminated the bug.
