A piece of software that sits on a wide variety of Android phones is drawing increased scrutiny after a security researcher concluded that the software is sending detailed information on how the phone is used–including individual keystrokes–to wireless carriers. The company behind the software maintains that it’s doing this for your benefit, but how much information do they really need?
Carrier IQ first entered the mobile consciousness a few weeks ago, when Trevor Eckhart set off a bit of a furor in the mobile security community by describing the Carrier IQ software as a “rootkit,” or a piece of software installed on a computer without the user’s permission that records and transmits information about the use of that computer to another party. The company bristled at that characterization, claiming that it is only gathering information that can help carriers diagnose common problems like dropped calls, but later apologized for sending Eckhart a cease-and-desist letter.
“While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools,” Carrier IQ said in a statement (PDF) last week, adding that it doesn’t sell the information to third parties and it is held closely by its main customers, wireless carriers.
But further research by Eckhart (published by Wired Monday) shows that the software–used on Android, BlackBerry, and Nokia (NYSE: NOK) phones–is indeed recording individual keystrokes on the phone, such as the dialing of a phone number and even a search query conducted over a secure connection. Why does the software need access to encrypted search terms without requiring explicit consent from the phone’s user?
Carrier IQ did not immediately respond to a request for further clarification.
Search terms and phone numbers aside, there are several benign reasons to record basic handset activity: such information really does help phone designers and network technicians gather data to pinpoint the source of a problem. We also don’t know if carriers are storing and analyzing extremely personal data such as search terms even if the Carrier IQ software provides them that level of detail.
But software like Carrier IQ gives the wireless industry a treasure trove of data on how phones are being used across their networks, which can be extremely valuable to operating system creators, app developers, and advertisers. And it does so without informing the user as to the true extent of its snooping.
A video posted by Wired and available on YouTube (NSDQ: GOOG) of Eckhart’s research follows below. The keystroke logging part kicks in at around 8:40.