Android handsets secretly logging keystrokes, SMS messages?
There seems to be a recent flurry of privacy issues being exposed. Have you heard about this one yet? This privacy concern was mentioned in a few news sources. This is from CNET News:
Your Android-based smartphone could be watching just about everything you do, Android security researcher Trevor Eckhart argues in a video posted earlier this week.
In the nearly 20-minute video clip, Eckhart shows how software developed by mobile-device tracker Carrier IQ logs each keystroke and then sends them off to locations unknown. In addition, when Eckhart tried placing a call, Carrier IQ’s software recorded each number before the call was even made.
Eckhart started making waves across the privacy community earlier this month after he dug into software developed by Carrier IQ that, he said, runs behind the scenes in Android-based devices to track what users are doing. Eckhart called the software a “rootkit,” due to its ability to access device data while concealing its presence.
As one might expect, Carrier IQ took offense to Eckhart’s claim, saying that its software is a “diagnostic tool” for companies to “improve the quality of the network, understand device issues, and ultimately improve the user experience.” The company also sent Eckhart a cease-and-desist letter and demanded he issue an apology for calling its software a rootkit.
Some of the details can get technical, like this:
In one part of the clip, he shows how an entire SMS message–“hello world”–was recorded by Carrier IQ’s software. In another example, he demonstrates how a Google search, his location, and other key information is recorded by Carrier IQ’s application, even though he was on Wi-Fi and a page secured by HTTPS.
“The Carrier IQ application is receiving not only HTTP strings directly from browser, but also HTTPs strings,” Eckhart wrote in a blog post. “HTTPs data is the only thing protecting much of the ‘secure’ Internet. Queries of what you search, HTTPs plain text login strings (yuck, but yes), even exact details of objects on page are shown in the JS/CSS/GIF files above–and can be seen going into the Carrier IQ application.”
It means that nothing is private, even when you think you’re just shopping on your favorite web site or logging into an online store where you already have your credit card information stored and ready to use with various 1-click express checkout options. Don’t forget that Android is owned by Google, so whatever information your Android phone has, Google also has (or has access to).
You’re not necessarily safe if you’re not using the Google Android operating system on your phone, either:
Perhaps most troublesome is that users don’t know where their information is going or how it’s being used. Earlier this month, Sprint told CNET that it’s a Carrier IQ customer, but rejected any notion that it’s peering into users’ personal data.
…Although Eckhart’s data comes from Android devices, it’s worth noting that Carrier IQ’s software is running on over 130 million mobile devices worldwide, including those made by Nokia and Research In Motion.
It’s astounding that there’s not more of a public outcry.