Carrier-IQ SmartPhone Monitoring Analysis

I am sure that everyone who reads this has already heard that there is a big kerfuffle raging over the potential monitoring and eavesdropping of smartphone-based phone calls, text messages and even keystroke logging claims.

According to Dan Rosenberg’s blog, he has done some detailed analysis on the software, and has found the following to be true on his Samsung handset:

  • CarrierIQ (on his particular phone) can record which dialer buttons are pressed, in order to determine the destination of a phone call.
  • CarrierIQ cannot record any other keystrokes besides those that occur using the dialer.
  • CarrierIQ cannot record SMS text bodies, the contents of web pages, or email contents, even if carriers and handset manufacturers wished to.  There is simply no “metric” designed to carry this information.
  • CarrierIQ (on this particular phone) can report GPS location data in some situations.
  • CarrierIQ can record the URLs that are being visited (including for HTTPS resources), but not the contents of those pages or other HTTP data.

I find key among his recommendations:

  • The verbose debugging logs demonstrated in Trevor Eckhart’s video are a risk to privacy, and should be corrected by HTC by disabling these debugging messages.
  • The legality of gathering full URLs with query parameters and other data of this nature should be examined.

Take off that tinfoil hat now, and come back in off the ledge. Probe away and find conclusive evidence that the phone or the service provider is up to no good, and come on back out onto the ledge when you have it. Some information is going to be gathered by your electronic devices, just to keep tabs on their health, usage / service patterns, capabilities, and shortcomings.
