Network World - A controversy over smartphone privacy has reignited following a coder's recent post detailing how a hidden software application on Android-based HTC phones can collect a range of information about the user's activities.
The client program is from a venture-funded company called Carrier IQ out of Mountain View, Calif. It created software, dubbed by one security researcher as a classic rootkit, to collect a variety of "operational" data about the phone's usage, ostensibly to let carriers identify radio, performance and usage problems and correct them.
But a number of programmers have been trying to delve into the details of how Carrier IQ actually works, and what information it accesses. The most detailed account was posted earlier this month by Trevor Eckhart, who lists his job as IT director and is part of the XDA-developers.com Website of Android and Windows Phone users and programmers. He blogged about what he discovered, surmised, and questioned in a two-part post, starting here, at his own Website, AndroidSecurityTest.com.
Last March, another XDA member, called k0nane, apparently was the first to actually take note of the Carrier IQ application on Sprint-based Samsung phones.
Complementing Eckhart's post was one by Geek.com's Russell Holly, who elaborated on some parts of Eckhart's post, added some context about Carrier IQ the company, and detailed the responses, or the lack thereof, by the software vendor, HTC (Eckhart used his own HTC Evo for this demo), and Sprint. Most of the comments were unsupported, general assurances that these companies could not analyze, or were not analyzing, detailed user information and activities.
Eckhart quotes from Carrier IQ's own materials, including the patent application, to define the intended scope of the software application. From the patent filing: "Carrier IQ is able to query any metric from a device. A metric can be a dropped call because of lack of service. The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user's pressing of keys on the device, usage history of the device, including those that characterize a user's interaction with a device."
To do this, Carrier IQ provides an embedded client on the mobile device and server-based analytics applications. According to the vendor's documentation, these analytics give administrators details about performance and usage characteristics.
The program, says Eckhart, is a "rootkit," or software that gives a user privileged access to a computer's functions. "Carrier IQ...listens on the phones for commands contained in 'tasking profiles' sent a number of ways and returns whatever 'metric' was asked for," he writes.
At the same time, at least on the HTC phone Eckhart used, the presence of Carrier IQ is hidden, or at least buried, from the surface of the user interface. One issue that pundits and privacy advocates have focused on is that most handset makers and carriers don't inform users that this information is being collected, or, if they do, don't give them the ability to block the collection.