What's Lurking on Mobile Devices?

Independent security researcher Trevor Eckhart kicked a hornet's nest last week when he posted a YouTube video demonstrating the monitoring activity of a controversial program from a company called Carrier IQ on his EVO Android phone.  

Eckhart's clip illustrated how the company's "experience insight" program, shipped on Android and Apple iOS devices sold by several carriers, can surreptitiously track all mobile user activity - even keystrokes - without user knowledge or permission.

CIQ denies Eckhart's claims, and the full extent of its program's operation and use continues to unfold.  But this incident should be a wake-up call to every mobile user and employer:  does any of us really know or control what's running on our smartphones and tablets?

Every Breath You Take...

Spy vs. SpyIt's no secret that carriers track mobile location and voice, text and data use; that's how they deliver network services and bill subscribers.  What Eckhart questioned is whether carriers are also tracking tapped keys, text and email messages and other information that most subscribers probably consider none of the carrier's business.  He found CIQ software receiving events that carry such detail, even on a stock (un-rooted, unmodified) phone in airplane mode, with no 3G connectivity or service synchronization.  Furthermore, CIQ does not appear as an installed application, provide a privacy policy or ask permission to report "experience insight."  In fact, users who object may have little recourse.  CIQ is not easily uninstalled; on some phones, it cannot be disabled.

Every Move You Make...

When Eckhart first published his report CIQ filed a cease-and-desist order, which it retracted under pressure from the Electronic Frontier Foundation (EFF).  The company disputes Eckhart's characterization of CIQ as a rootkit and claims not to record keystrokes or content.  According to the firm's statement, CIQ "makes your phone work better by identifying dropped calls and poor service, identifies problems that impede a phone's battery life, makes customer service quicker, more accurate, and more efficient, and helps [to] quickly identify trending problems."

I'll Be Watching You?

Eckhart's video clearly shows numbers entered on the dial keypad, SMS content, location, and search strings conveyed to CIQ.  But the video can't show us what CIQ does with that information.  Since we can't see metric profiles sent to the mobile network operators, we can't know which data are ignored, recorded or relayed.

This brings us to the heart of the issue:  lack of transparency and control, for both end users and their employers.  Fuss over Eckhart's report sent handset manufacturers and wireless carriers scrambling, anxious to offer reassurances and clarify their use of "experience insight" data.  As of this writing, AT&T, Sprint, T-Mobile, HTC, and Samsung reportedly have issued statements describing their use of CIQ.  Verizon Wireless, RIM, and Nokia have reportedly denied using CIQ.  Another researcher reported finding CIQ installed on iOS3, iOS4 and iOS5 devices.  

Instructions are circulating for disabling CIQ. However, caution should always be exercised when installing apps or changes from unverified sources, especially if rooting/jail-breaking is involved.

The good news is that we know more today than we did two weeks ago about what our smartphones and tablets can monitor and what our carriers claim to be tracking.  The bad news is that we still have little insight into what software arrives on mobile devices at the time of purchase or via updates.

Oh, Can't You See You Belong to Me?

Carriers might argue that end users don't have the expertise to understand what's running on their handsets.  And manufacturers may maintain that they only provide tools for data collection; it's up to the carrier to decide whether and how to use them.

But these arguments don't absolve manufacturers and carriers of their obligation to disclose how they collect and use personal information and potentially sensitive interactions.  If the CIQ incident shines a bright light on industry practices, prompting more prominent disclosure and effective "opt out" mechanisms, all the better.

However, there's a broader lesson here for employers wrestling with smartphone and tablet support and security.  While mobile device and application management systems can help IT regain visibility over software and processes running on these devices, subscribers are still beholden to manufacturers and carriers for creating and pushing firmware and OS updates.

The mobile world needs the transparency and control already present in the server and laptop world.  There should be an easy way for employers to determine whether software like CIQ is present in carrier-supplied builds.  Where tracking occurs, IT should be able to verify exactly what is collected and transmitted, to whom, when and how.  Accomplishing this disclosure shouldn't take running a debugger or triggering a legal firestorm.

(Ed. Note - By now you surely have that song by Sting and The Police in your head. Here's a link.)


Email and Social Media Links: Share securely via email |  |


Update: As I noted above "But the video can't show us what CIQ does with that information. Since we can't see metric profiles sent to the mobile network operators, we can't know which data are ignored, recorded or relayed."

Researcher Dan Rosenberg tested this by analyzing the actual metrics supported by the version of CIQ running on his Samsung Epic 4G Touch (carrier not stated, I'm guessing Sprint). His findings are posted here:


Rosenberg found that at least this instance of CIQ couldn't be passing message content or keystrokes (beyond dialer keystrokes) because no metrics with that information can be queried by the carrier. Rosenberg noted that CIQ is used differently on various devices, by various carriers, but said CIQ would have to be modified to relay all the data shown in Ekhart's video to a carrier.

Rosenberg did find CIQ relaying dialer keystrokes, GPS locations, and URLs (including HTTPS URLs). But no SMS text bodies, web page contents, or email content - at least on his phone. This detailed threat analysis is critical to consider when assessing business risk; kudos to Rosenberg for publishing his findings.

But the broader lessons that CIQ teaches us still loom large. As Rosenberg concluded, "Consumers need to be able to opt out of any sort of data collection" and "There needs to be more transparency on the part of carriers in terms of what data is being collected from users." Rosenberg also argued for third-party oversight on what data is collected -- I whole-heartedly agree.

Malware writers never miss a headline opportunity...

Reports have now surfaced about Android.Qicsomos, a repackaged version of an open source Android app originally created to detect Carrier IQ. This Android tollfraud uses a look-alike logo to masquerade as a carrier-supplied utility, but if the user presses the in-app button marked "Desinstaller," the trojan sends SMS messages to a premium-rate number. See:


Join the Webtorials Community
Subscription Maintenance

Featured Sponsors

Recent Comments

Webtorials TechNotes

Featured Analysts

Gary Audin, Delphi, Inc.

Michael Finneran, dBrn Associates

William A. Flanagan, Flanagan Consulting

Douglas Jarrett, Keller and Heckman LLP

Jim Metzler, Ashton, Metzler & Associates

Lisa Phifer, Core Competence

Dave Powell, Independent Technical Writer

David Rohde, TechCaliber Consulting LLC

Steven Taylor, Distributed Networking Associates, Inc.

Joanie Wexler, Technology Analyst/Editor


Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.


Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at http://www.webtorials.com/reg/.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.