Lookout Releases Free Carrier IQ Detection App
Sniffs out controversial software on Android smartphones, but doesn't delete it
By Gregg Keizer
December 05, 2011 — Computerworld — A mobile security software company last Friday released a tool that detects Carrier IQ, the software embedded in numerous smartphones that has raised questions from users, privacy advocates and even Congress.
Lookout, best known for the Android security software by the same name, launched the free Carrier IQ Detector last week. It can be downloaded from the Android Market .
The tool only detects the presence of Carrier IQ on Android handsets: It does not scrub the software from the smartphone .
Lookout said that Carrier IQ was "deeply integrated with handset firmware [and] users would be required to attain special device privileges in order to remove it," then warned that doing so incorrectly could "put users at further risk of malware infection" and possibly make them unable to receive future phone updates.
The release of Carrier IQ Detector followed comments from Lookout last week that it would not classify the software as malware, and questioned the label "rootkit" for the tracking and network diagnostic program.
Tim Wyatt, a principal engineer with Lookout, refused to call Carrier IQ "malware," arguing that it just didn't fit the definition.
"Absolutely not," said Wyatt when asked if Carrier IQ was malware. "This is something that was pre-loaded by carriers, not downloaded by users," Wyatt in an interview last week, arguing that because users hadn't been duped into launching a Trojan horse, Carrier IQ wasn't technically malware.
"It wasn't malware hidden inside an app, so it doesn't fit the Trojan pattern," Wyatt said. "All indications are that it is intended to improve user experience. What's at question is what data is sent to the carrier."
He acknowledged that Lookout and its users were worried about the privacy implications.
"We do have concerns about the data, and under what circumstances it's going out," Wyatt said, noting that his opinion was a reflection of the feedback his company had received from users. "We definitely think that users should be told, and have a choice of opting out in circumstances like this telemetry."
Other security researchers have said much the same.
In a blog post Monday, Dan Rosenberg, a consultant at Virtual Security Research, said that his analysis of Carrier IQ had not found any malicious intent.
"I have repeatedly stated that based on my knowledge of the software, claims that keystrokes, SMS bodies, email bodies, and other data of this nature are being collected are erroneous," said Rosenberg, who like Lookout, called for more transparency from Carrier IQ, handset makers and mobile service providers.
Is privacy an ally of security, next of kin, or something else? These articles dig into the hows and whys of data privacy and data protection, and its relationship to enterprise security efforts.
6 ways we gave up our privacy
The effect of social networks, web 2.0 technologies, and other privacy-shaking developments
7 Firefox plugins for data privacy
Plug data-leaking holes in your web browsing
4 signs of an easy victim on social networks
Scammers and hackers of all kinds scour social sites for personal data
Potential privacy 'gotchas' in cloud computing
How to respond to a data breach notification
5 things to know about the Chief Privacy Officer
- Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- The CISO's Survival Guide to Securing Data
- FireEye Advanced Threat Protection KnowledgeVault
- Five Tips to Consider in a Data Security Strategy for Smartphones and Tablets
- Moving Your Email to the Trusted Cloud
- New PCI Tokenization Guidelines with QSA Expert
- #FFSec: Security pros to follow on Twitter, May 25
Follow these names on Twitter. Together, they make cyberspace a more secure place. (copy and paste) - Step right up and listen to the security barker
- Is the title 'security evangelist' really that bad?
More Salted Hash with Bill Brenner
