November 30, 2011

Malware? Who Needs Malware? - Updated at bottom of post and another Update too.

Many people are tweeting the story in The Register today. The app in question is on many Android devices, including HTC units, as well as Blackberry and Nokia phones.

BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users.

I went and found the YouTube video for those who are geekily inclined.

Many people will see this and say it's overly paranoid. But the app is recording everything. Stop and think about that for just one minute. Ponder exactly what that means. Every keystroke, all your locations, everything, all in one tidy log package. How convenient.

Go now and read the whole thing. It's one page; I'll wait till you get back.

Carrier IQ is making the point that the data is being used for diagnostics. Since phones crash while using any of the included software, as well as during calls, it would make sense to keep a log of what happened prior to any type of crash, be it browser-based, messaging-based, phone-based, or app-based.

BUT once information gathering starts, bad things can and do happen.

Let me repeat, in case I wasn't clear enough earlier... the problem is, they are recording everything, all keystrokes... private data like usernames and passwords, banking information if you bank via your phone, emails you type out and send, SMS messages you send, Wi-Fi information including the SSIDs of other networks nearby, your location at any given time, etc, etc, etc.

This is wrong on so many levels it's enough to leave one gasping at the extent of the overreach in data gathering.

And then your private data can be included in the snippets sent back without your knowledge when carriers are trying to find a problem. That's the best-case scenario.

If that's not enough to worry about, how about these major items of concern:

1. This information is being stored in a log file that is not encrypted. This log file can be accessed, copied, and transmitted by other malicious apps.

2. It's not clear to me whether, if you copy/paste from a password safe (such as LastPass), the usernames/passwords would be recorded, since they would not be actual keystrokes. Then again, how many people actually use a password safe type of app? Not many, sadly.

3. This certainly violates many laws, HIPAA among others, which means companies that fall under these regulations have to figure out fast how to deal with this.

So far we don't know that any data has been compromised because of this, but now that the information has been released, you know there will be many a data thief looking for ways to exploit this huge security flaw.

Why oh why is it so hard for people to get it through their thick skulls that collecting private data is NOT a good thing without careful thought as to how it's done and how it's protected? How many times does this have to happen?

Carrier IQ and any companies using this service, stop looking so dumbfounded. It's sheer idiocy to be using this type of logging and you should already know that.

Ah the joys of being connected in an internet world.

PS: It wasn't too long ago that there was an utter meltdown in the world because Apple was collecting location data (only location data) on the phone itself. If the response to this app is at all in proportion, it should cause the world to stop revolving and then explode.

UPDATE: Sheri posted a link to a Naked Security blog post about this issue in her comment. I thought it should be added to the end of the main post. Also, in that blog post they reference another post about Carrier IQ traces in Apple's iOS devices, but it appears to be a true diagnostic feature on Apple's devices.

However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else.

UPDATE 2: Dan Rosenberg, a security researcher who specializes in Android devices, has written his own post to dispute some of the claims made by the original story.

It appears to be HTC who is the culprit behind the major overkill of information being gathered in the video, not Carrier IQ. I was never all that disturbed by the general information being gathered, such as phone numbers dialed, location, that kind of thing. First, because the carrier already has access to that info, and second, you can't debug a problem without information.

The part I find disturbing is the very verbose collection of keystroke data that is kept in a log on the device. If the device is lost or stolen, that log would be available to whoever ends up with the device in hand. Or a malicious app could grab the log file and send it to a remote server over the airwaves without the user even knowing it. So until HTC changes the type of data it is collecting in the background, I can't say they can be trusted to provide any devices I would want to use as my own phone.

Posted by: Teresa in WebTech at 02:44 PM

November 09, 2011

Got An Android Based Phone?

Here's a chart showing a number of models and how out of date the software versions on them are. There doesn't seem to be much that can be done about the update problem since it's handled per vendor, but you may want to be very careful about what you do on your phone if you are using an out-of-date OS.

Like Windows of old, out-of-date OS installs are open to security problems. In other words, you may want to rethink doing your banking on them, among other things. heh.

the understatement: Android Orphans: Visualizing a Sad History of Support

If you want to hear the author of the post talk about how he developed the chart, he was interviewed by Patrick Gray of Risky Business and you can listen to the podcast here.

Posted by: Teresa in WebTech at 10:44 PM
