A piece of smartphone management software named CarrierIQ embedded in Google’s Android operating system has drawn criticism from security researchers and privacy advocates after it was found to be logging keystrokes and tracking device location and application usage.
CarrierIQ, which is designed to help mobile operators monitor their customers’ devices, is deeply embedded in Android, according to the security researcher who highlighted the issue, Trevor Echhart.
“The CIQ application is embedded so deeply in the device that it can’t be fully removed without rebuilding the phone from source code,” Eckhart wrote in a blog post. “This is only possible for a user with advanced skills and a fully unlocked device”
However, the UK’s two largest mobile carriers, O2 and Vodafone, say their handsets do not carry the software. “We do not collect any data via Carrier IQ,” an O2 spokesperson told Information Age, while a Vodafone spokesperson said: “We do not add Carrier IQ to the software on the handsets that we sell to our customers.”
Eckhart claims the software logs all inputs into a device’s web browser, including usernames and passwords, even for encrypted websites, but the company behind it insists that it iis only used to monitor device performance.
“While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools,” Carrier IQ wrote in a statement in mid November, seeking to clarify its operations.
Reports are emerging that the tracking software is also embedded in Apple’s iOS operating system, not just in Nokia, Blackberry and Android phones as Eckhart suspected. Apple’s press team had not responded to a request for comment as this story was published.
Update: A spokesperson said that Orange doesn’t validate Carrier IQ “or any similar service” on customers’ handsets.