InfoQ's Interview with Trevor Eckhart- “Discoverer” of Carrier IQ Root Kit
Systems Administrator Trevor Eckhart became a household name when his video demonstrating the mobile privacy incursions of software developer Carrier IQ and the questions that it engendered went viral. Culminating in the Department of Homeland Security’s recent recommendation to government employees to ensure that their mobile devices are Carrier IQ-free. InfoQ caught up with Mr. Eckhart for an update on this perceived threat to mobile privacy.
How much, if anything, has changed in the mobile device industry's use of Carrier IQ's technology since your breaking this news to the general public?
I have recently done another mass checkup on the Carrier IQ software to see where things stand. I will be publishing another document soon that is not 100% complete yet but from my findings so far TMobile appears to be the only ones still actively using Carrier IQ.
Since originally finding it implemented on my HTC Evo 3D I have not yet found a new case of the Embedded IQ Agent in effect. This was the biggest concern as the agent is embedded across many system apps making removal very difficult. If an improper removal was done on only part of the agent but left in other applications such as Phone.apk a malicious piece of software could sit in place of the old receivers and catch sensitive data.
For now it looks like TMobile has gone with the Preloaded IQ agent which is a standalone 3 apk system. They have also put in an opt-out switch which seems like it shuts the agent down if you opt out of analytics. Such a on/off switch was never available before and is a step in the right direction but still not the most ideal solution.
Can or should mobile software developers implement Carrier IQ in their apps?
I do not believe anyone outside of paying carriers can use Carrier IQ's APIs.
I see from a recent Carrier IQ white paper that you have shared your findings with Carrier IQ, Inc. Through a working session that helped them to identify some of the issues which your disclosures have highlighted.
Has working with the company changed your views on their technology and the applications of it?
A bit. After the initial Cease and Desist I received (among other happenings I will not talk about) we were able to have a few working sessions.All is not negative though, there has been some good improvements that have come from all of this.
I still do not agree with some of the metrics that Carrier IQ is able to collect such as applications installed/running on the device, HTTP/HTTPS/FTP data/addresses loaded, etc. There is an even bigger problem if these are collected Off Network such as while I am running on a personal WiFi Connection and the carrier would otherwise not control this data.
What is your current opinion of Carrier IQ, its applications and their uses?
I do like the change of actually having a on/off switch which was never available in the past. Even though opt-in only should be the only mentality for applications that collect data it is a step in the right direction giving users control.
I do like seeing more of the Preloaded agent rather than the embedded client. Users with root can remove it from their devices easier than the embedded which is close to impossible.
I think a better solution would be having said application totally separate from the original factory flashed image on the device. If a user chooses to give Statistics to the carrier (then) he/she would download an application from the market or carriers website directly. This way it would be removable at any time without root and give everyday users more control. Applications like open signal do similar type of radio stats tracking. Users actually participate in it without having software preloaded on their device because a clear and concise use is defined.
Lastly, I do not agree with the way Carrier IQ has profiles which are able to be changed on the fly without the user being informed. A user may opt-in to the program thinking X/Y/Z is collected about radio information but 6 months later a new profile is pushed and every application the user is running suddenly starts being collected. A greater transparency here is still needed.
Look for InfoQ to continue to explore the connection between mobile software developers, mobile network and MBaaS providers and the mobile app users who rely upon them to safeguard their privacy as they enjoy the benefits that their apps bring.
Exit question for mobile software developers (please reply in comments section below): What if anything, are you doing to help strengthen the security of your mobile app users’ private data?
Mike Amundsen May 29, 2015
Ben Linders May 28, 2015