If you thought that the whole Security Saga was over and done with the triumph of the EFF and a very angry internet mob over CarrierIQ, you were sadly mistaken. You see, the fun part about doing research is that from time to time, you will run into bumps or things that will try to throw you off. I have personally done research for a few years and you will likely try to seek advice from the experts in the field of whatever you are trying to find. Our “experts” in this case are the good people over at CIQ, who so graciously decided to try and put a stop to the research last week. Well, as you are all aware by now, and as I stated a few moments ago, there was a formal apology letter posted by CarrierIQ on their website, which you can all read from the link that I just posted. However, there are a few items in here that we are not entirely happy with:
- Does not record your keystrokes.
- Does not provide tracking tools.
- Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
- Does not provide real-time data reporting to any customer.
- Finally, we do not sell CarrierIQ data to third parties.
If you recall, most of the points stated here represent a large chunk of the research that XDA Recognized Developer TrevE had been doing for the last couple of months. Going back to my example of the researcher, since they are the leading authority on these kinds of matters in the field, one should likely take what they said over here and call it quits. I mean, let's face it, this is like the president telling you that we are not at war. However, when you see 25,000 troops being deployed overseas, you cannot help but wonder if this authority is either not sure of what he/she is talking about or is flat out lying out of their nostrils. To save you from further examples, the answer seems to be the latter. TrevE shared with us a video and a full-blown follow-up to his original blog regarding CIQ and what it does. TrevE mentioned that due to widespread misinformation among the general public, he needed to set a few facts straight regarding his research and, most importantly, his findings, as some people are leaning more towards what the “experts” have to say.
So, having said all that, let us dissect what has been said by CIQ and compare it to what TrevE stated in this great follow-up. First and foremost, they are still claiming that this is not a rootkit. We still beg to differ and fall back to the various definitions that are available online for what a rootkit truly is. This is essentially any application that can run hidden from sight with the ability to enable continued privileged access to a system and also to subvert standard operating system functionality. Basically, CIQ will allow Portal Administrators to have unrestricted continued access to your device for as long as the app runs. As for the bit about subverting standard OS functionality, think about it this way. Your OS normally reports any application or process that is running with a name, maybe an icon, and some sort of description as to what it does or is doing. You also get the capability (hopefully) to interact with said application, whether it is by being able to execute it or reach it somehow. According to TrevE, what he found in the HTC devices he has is that there are two applications for CIQ, one of which is reported as HTC IQAgent and a second one called IQRD, which seemingly is not running, but is. On top of that, IQRD can only be found under Settings -> Manage Applications -> All, but offers no information whatsoever as to what it is, what it does, or anything. It even uses a stock icon, so you cannot really tell what you are looking at if you stumble upon it. Worst of all is that there is no way to manually stop or uninstall this. You only seem to get an option to force close (FC) the app, but this does absolutely nothing. Another interesting point regarding this process is the fact that it has permissions to do virtually anything on your device, even record audio if it wanted to!
Call me crazy, but an app that can be remotely controlled, can handle virtually every task, and has access to anything seems a tad dangerous, particularly considering that we have zero control over it. All in all, the following statement by CarrierIQ, “When Carrier IQ’s products are deployed, data gathering is done in a way where the end user is informed or involved”, is entirely, positively, and absolutely false in this case… Moving on.
Removal of these apps, you ask? We briefly covered this last time and we will not go into much detail. But long story short, CIQ seems to be cooked into virtually everything that is Android (applications, OS, and kernel), so basically this is a multi-headed monster app that can communicate with all areas of your device regardless of what it is (browser, contacts, calendar, notes, market… you name it). AOSP seems to be the only and safest way to get rid of this entirely, which of course will require you to root your device and flash a custom ROM, kissing your warranty goodbye in the process (and Sense if you are a Sense fan like many HTC owners out there).
We now get to another interesting part of TrevE’s work. Basically, let's say that you purchased your handset on eBay, Craigslist, or any source other than the carrier. You are unbound and free to go to any cell provider you like. CIQ states that “IQ Insight Experience Manager uses data directly from the mobile device to give a precise view of how the services and the applications are being used, even if the phone is not communicating with the network.” And moreover, they claim that their service stops when devices change SIM cards or are swapped to a different carrier. So, ok… swapping to a different network has a few tricks and implications, particularly for CDMA device owners, where the only way to switch your device to a different network is basically by cloning your device, as most carriers will not allow you to bring devices from other competitors (aka you cannot activate a Sprint phone on Verizon). However, even if you have your device on a completely different network, you can see that this thing runs perfectly well, collecting data (even if only locally). So, if you have a device that is not on a specific network (and likely never will be), why does the app keep running, trying to phone “home” to deliver your stuff? Better yet, this is no longer under the “we need it to improve network performance” umbrella. Why does it still run? If you do not have active service with a company, why does it keep on doing its thing?
Next on the list is the kind of stuff that CIQ can be seen doing. I will not go into detail here either, as TrevE has put most things up on his site. However, if you refer back to the list that I posted from the apology letter, you will see that all of those points become invalid automatically thanks to this work. For instance,
“Does not record your keystrokes.”
Really? So, I guess this snapshot from the video means that your app is recording something else at the same time as a key gets pressed. Interesting…
Also, for those of you interested, yes, this thing can indeed read the body of your text messages.
If you look through TrevE’s post, you will see the section where he talks about all the other things that the app can collect.
If your hair was not up until now, it will be right after you read the last part of this article. HTTPS… Many of you are probably thinking… “ahh… security goodness come to papa”. Well, if you are accessing an HTTPS page from anywhere, I would agree, but a device with CIQ… not so much. As you may be aware, anything sent over an HTTPS connection cannot be sniffed outside of the browser, as the stuff being sent is securely encrypted. However, it seems that CIQ is capable, even on HTTPS sites, of collecting the data that you believe is (or should be) secure before it actually leaves the browser. Worst of all, it does it in plain text! All in all, TrevE did a few examples, with the last one being his PayPal account. You will not see too many details regarding that one in his post, but basically all his login information was contained in the log. So, if you are a mobile banking addict, you may want to rethink your options to pay your cards or do your shopping. TrevE did make another not-so-invasive example, for which he has more tangible proof that this app can record things that it really shouldn’t. If you wanted more proof of this CIQ app being spread all over your Android like cream cheese on a bagel, the fact that CIQ is invoking com.android.browser points directly at the fact that this thing is baked into Android’s browser as well.
Now that TrevE has successfully scared you straight out of your socks with all this, some of you likely cannot help but wonder why this is relevant. We had already uncovered this app in past articles and this just seems more of the same, although a tad scarier. Well, there are 3 real reasons why this article is here today. The first one is that CarrierIQ tried to deny repeatedly the allegations that TrevE made regarding this software. Time and time again, the software maker has assured and re-assured that their application cannot do any of the things that are being described in here, including key logging. So, one of the objectives is to prove with tangible evidence that they are indeed lying, at the very least, to HTC customers. Let’s recap for a second:
- Does not record your keystrokes. – Yes, it does
- Does not provide tracking tools. – Being able to pinpoint you by signal and geographical coordinates every time your device polls for location… Yes, it does
- Does not inspect or report on the content of your communications, such as the content of emails and SMSs. – Yes, it does that and more…
- Does not provide real-time data reporting to any customer. – Yes, it does (as long as the device has signal)
- Finally, we do not sell CarrierIQ data to third parties. – Prove it
The second point of this article was to try and figure out why in the world anyone would need an app to record that much stuff. We can all agree that feedback from customers is indeed the best way to better your products, and in the case of carriers and manufacturers, this just makes sense. However, the amounts and kinds of data that are being recorded are borderline ridiculous. Whether the recipient of this data uses it or not is irrelevant; there is no permissible purpose to justify this kind of data collection short of you being a law enforcement entity.
And last, but not least, is the fact that the app is nearly as hard to remove as a deeply rooted trojan in your computer, which ironically is not far from being the case. Moreover, the so-called CIQ portal, which is basically the receiving end of all the data that gets recorded from our devices, is controlled by someone. That someone, according to CIQ, only sees anonymous data. Well, if the data comes tagged with a device ID, MEID/IMEI, phone number, location coordinates, etc… I am sorry, but the person looking at this data will know exactly who the originator is, particularly if the administrator can freely look at all the data that this app can record. This is insanity at best to have that much control over someone’s personal data, and the worst part is that this is a prime target for hackers. One thing that we have all learned from the Sony vs Anonymous incident is that security can be breached and data can be stolen. Just think about the possibilities of what could happen if someone finds a hole or exploit in the code. And the worst part? Since this thing is virtually impossible to uninstall, the exploit will reap the benefits of invulnerability until you throw your phone in the toilet, kill it with fire, or install an AOSP ROM.
Dear CIQ, Manufacturers, and most of all… carriers. We want answers as to who has access to this data, and why in the ever living heaven you collect it. But most importantly, we want it out. I believe I speak for everyone with a mobile device when I say:
WE WANT TO HAVE THIS REMOVED, NOW!
The ball is in your court…
You can find more information in the original blog.
Thanks TrevE for all your help on this!