At 08:51 AM 12/5/2011 +0000, Alan Bourke wrote:

> > It's basically a rootkit on Android and iPhones.
> > > This announcement came out on Dec 1 (Thurs). Note my use of term rootkit:
> > > software that hides its presence and allows privileged access to system
> > > data/function.
>
> No it isn't a rootkit - it's not very well hidden apart from anything
> else, is it.
Well, it certainly is not listed as an App. I'm not sure if the researcher had to invoke the phone debug mode to see it or not. When I looked at my phone services I couldn't find a service that was named "IQ" or described as "metric" collection. But I'm pretty sure it's there somewhere. Also the service itself cannot be halted by a user (at least on some of the models). Compare that to "proper" services like my weather app - it's clearly shown with the title of the app - the same title that I can find when I'm looking at all apps installed on my phone. I know that there are core Android services that don't show up in my installed apps list either - but those are OS-required services for phone operation. This is an "add-on" app, installed/bundled by carriers.

So, to review: it's software that is not necessary for phone operation, sitting in a privileged execution space, keylogging user input. Maybe it's not hidden as well as typical rootkit software usually is (maybe Android and iPhone OSs make that too difficult). But it's doing the things typical malware rootkit software does.

> "After reverse engineering CarrierIQ myself, I have seen no evidence
> that they are collecting anything more than what they've publicly
> claimed: anonymized metrics data. There's a big difference between
> "look, it does something when I press a key" and "it's sending all my
> keystrokes to the carrier!"."

Since this is in quotes I presume this is a statement you've pulled off the web, so you may not know the answers to these questions. Reverse engineering is not the same as looking at the source code. Watching phone debug steps may not yield all operations the software is taking. So, is this confidence coming from looking at source code or a quick look at operation? Will the app automatically update (since it's sitting in the privileged security space, it does not have to obey any user setting)?
And don't forget the other things that were just as worrisome: seeing supposedly encrypted URL strings in plain text, seeing all text messages (incoming as well as outgoing), etc. Are you saying those aren't reasons for concern? It was definitely shown that the app is operating in a privileged access area to be able to see all the stuff it was seeing. So without looking at the source code, there is no way to tell what it really does. The app itself could simply detect when the phone is in debug mode and limit its function - just require other special key combos to unlock its complete debug mode for its own developers. I believe Sony's rootkit they put on Windows PCs didn't send all keystrokes back home either. The point was that it could. And the point was users were unaware that it was running. And last but not least, there was concern of the software being 'hijacked' at some point by a virus. Sounds pretty similar to what we've got here.

> There's definitely a case for making non-technical (i.e. most) phone
> users aware of its presence and letting them opt out, but that doesn't
> make it a rootkit.

Why are you limiting this statement to non-technical users? Do you think technical users were already aware of it? Do you think technical users all root their phones by default and kill off things they don't like? I doubt that most Android/iPhone app developers knew about this either. (Now there's a cool idea: capture info on apps under development by all developers and sell the info to the big boys.) And if your sole reason for ruling this out as a rootkit is because it's not completely hidden from the user, well, I don't know if that's a good justification. Again, I didn't clearly see it in my list of running services (and definitely nothing in my applications list). And I don't see anything that talks about metrics in that list. When I have time maybe I'll try to root my phone and go look for it that way.
But since smartphones are relatively new on the scene, and since the term rootkit was originally defined for computers, I believe the term rootkit is apropos at this time. Maybe a new term will be invented, but from what I see this fits the bill well enough as a rootkit. If you'd feel more comfortable calling it a key logger or general malware, or spyware, OK <shrug>. And if you don't call it a rootkit, are you satisfied the carrier has made you aware of its existence and function by telling you they may occasionally capture anonymous metric data as part of your contract? Are you completely satisfied this software is only capturing and sending anonymous information? I'm not. But maybe I'm just too untrusting. After all, no company has obtained personal data without clearly getting consent in the past. Have they?

-Charlie

> --
> Alan Bourke
> alanpbourke (at) fastmail (dot) fm
>
> [excessive quoting removed by server]

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

