by Axelle Apvrille  |  Dec 20, 2011  |  Filed in: Security Research

A few days ago, CarrierIQ published a 19-page report detailing their software and business. I read the 19 pages, and in case you were wondering, the statements of my previous blog post still stand; they are in fact confirmed, so I have updated the FAQ with extra data. Some of my comments on the report are below.

"The IQ Agent uploads diagnostic data once per day, at a time when the device is not being used" (page 4)

This is hardly a defense to me. People do not like that their phone is being used without their consent, even if it is for good reasons.
When I buy a car, I pay for it, and I don't expect anybody to drive it without asking my permission. This is still the case if that person is kind enough to use the car while I don't need it. It is even still the case if that person pays for the fuel.
It's my car, you ask if you want to borrow it. Right?
It's the same for my phone. I bought a phone, I paid for it, it's my phone. I don't expect anybody to use it (call, SMS, Internet whatever) without asking my permission. And this is still the case even if my phone is used when I don't need it. And even if I don't pay for the communication.

"Carrier IQ's software has access to no more data than any other application on a device" (page 5)

On Android devices, access to data is regulated by asking for specific permissions.
True, CarrierIQ has to request those permissions like any other application, but the difference is that CarrierIQ gets those permissions without asking for the end-user's consent, whereas other applications do.
Indeed, CarrierIQ is already installed on the device when the end-user gets it. He/she is never prompted with any screen asking whether he/she agrees to such permissions. Probably even worse, the end-user is not even aware of the presence of CIQ.

"... [in bold] what is actually gathered by a Network Operator is based on their business requirements and the agreements they form with their consumers on data collection." (page 7)

Besides wondering how operators react to this line of defense ("it's not my fault, it's theirs"), I believe end-users do not really care who is to blame (CarrierIQ, manufacturers or network operators) as long as the situation never happens again.
On second thought, Carrier IQ's sentence actually acknowledges that someone should have asked for the end-users' agreement.

"The IQ Agent does not use the Android log files to acquire or output metrics" (page 8)

I don't think anybody ever suggested they were using log files to acquire data.
As to using them to output data, I disagree. CarrierIQ actually acknowledges on the next page using a "secure temporary location on the device" (page 9). It should be noted that on Android, which is a Unix-based system, everything is, by design, a file. So, this "secure temporary location" is a file (if that matters). And it contains metrics gathered by the IQ agent. This is logging. The fact that the log is not directly human-readable is irrelevant to the definition of logging.
Anyway, the debate is not over "using human-readable files or not" but over "is somebody reading and eventually storing data".
As I already said, CarrierIQ does not provide any detail on how this temporary location is secured. Let's hope it's good.

"The embedded version of IQ Agent metrics allows for the collection of URLs [..] the IQ Agent cannot read or copy the content of a website" (page 9)

Ok. How would you react to this claim: "I did not spy on your reading, I only got the titles and references of the books you read, not their content!"?
It's exactly the same here. CarrierIQ does not get the content of the pages I visited, but the URLs. The problem is that leaking a URL is already significant. It reveals which pages we are visiting. In several cases, the URL also contains additional arguments which will, for instance, state our login name, session id, etc.
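To make the point concrete, here is an added example (mine, not code from the post or from CarrierIQ) showing what a bare URL discloses on its own, and how a logger that must record URLs should strip identity and session arguments first. The list of sensitive parameter names and the sample URL are constructed for the example.

```python
"""Added example: what a recorded URL discloses, and how to redact it.

The parameter names below and the sample URL are constructed for this
example; the list is illustrative, not an exhaustive standard.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry identity or session material.
SENSITIVE_PARAMS = {"login", "user", "username", "email",
                    "session", "sessionid", "sid", "token", "auth"}


def url_disclosure(url: str) -> dict:
    """Return what a URL reveals without any page content: the host,
    the path (which page), and any query arguments that identify the user."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sensitive = {k: v for k, v in params if k.lower() in SENSITIVE_PARAMS}
    return {
        "host": parts.hostname or "",
        "path": parts.path,
        "sensitive_params": sensitive,
    }


def redact_url(url: str) -> str:
    """Replace sensitive query values before the URL is written anywhere
    (a metrics store, a 'temporary location', a debug log)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in params]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(cleaned), parts.fragment))


if __name__ == "__main__":
    # Constructed sample of the kind of URL a device could record.
    sample = "https://mail.example.com/inbox?login=alice&sid=8f3a9c&folder=2"
    print(url_disclosure(sample))
    print(redact_url(sample))
```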

-- the Crypto Girl
