CarrierIQ: Don't root, don't remove, don't worry

But vendors warned to disclose tracker apps.

Users should ignore the brouhaha triggered by the discovery of smartphone application CarrierIQ, according to security researchers.

Further analysis revealed that the software, found last month to be tracking user activity in a laundry list of smart phones, was harmless.

And although the research by Trevor Eckhart was valid, in truth the application was benign.

The software reporting tool was designed like countless other web services as a feedback mechanism to improve the design of smart phones.

Metric data, including GPS location, URLs visited and phone numbers dialed, was collected and sent to phone carriers, but it did not identify users or record keystrokes.

Further, initial checks suggested the application was not in use by Australian carriers.

Independent security researcher Dan Rosenberg was the first to squash reports the tool had surreptitiously siphoned user data.

"After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymised metrics data," Rosenberg said.

"Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes."

He said CarrierIQ was "a potentially valuable service designed to help improve user experience on cellular networks" but said the existence of the software should have been disclosed.

Kaspersky researcher Tim Armstrong said any attempt to root and jailbreak devices to remove CarrierIQ would break stock security controls and place users at risk.

"We do not recommend rooting your device or installing custom ROMs for most users. This entirely defeats the security model of your device," Armstrong said.

"Furthermore, custom ROMs can be so complex, and often do not undergo the scrutiny of the security community."

However, privacy pundits may still be concerned about the capacity for function creep - that manufacturers could use the tool for nefarious tracking purposes at a later time.

"CarrierIQ does a lot of bad things. It's a potential risk to user privacy, and users should be given the ability to opt out of it," Rosenberg said.

Angry US users have commenced a class action lawsuit against CarrierIQ, accusing it of breaching US wiretap laws.

And as Armstrong pointed out, the data collection capability of CarrierIQ could be misused if the application was exploited.

"I’ve never seen an application that didn’t have a flaw. Isn’t it possible that this software can be compromised, and the data to which it has access could be exfiltrated?"

Copyright © SC Magazine, Australia
