Thursday, December 1, 2011

Don't Panic! - What Android Users Need To Know About CarrierIQ

12/08 UPDATE: More on this story here...

CarrierIQ, a hidden root app that secretly logs user activity on 150 million mobile devices, is a serious privacy and security threat. But it's a threat Android users can easily eliminate. The short version is CIQ tracks pretty much all user activity - location, searches, even individual kestrokes - then secretly sends the data bact to CarrierIQ servers. Very creepy. But don't panic.

Apple fanatics have reacted with smug glee to the news of a serious privacy issue that doesn't affect iPhone users, saying CIQ is a much more serious security issue than the iPhone's hidden logging and tracking app, exposed earlier this year. Maybe so, but not so fast, Mac fans. While you can only ask Apple to correct security threats, bugs and other issues, then wait, hope they do and hope they get it right sooner or later, Android users have total control of their own devices and can easily eliminate security threats like CIQ on their own. So there.

The first thing to know is CIQ is not on all Android devices, as breathless tech media panic articles have claimed, nor is it on all AT&T devices. For example, it's not on my Nexus S running Google Android 2.3 (Gingerbread) on the AT&T network. Before you wrap your head in tin foil and hide under your desk, check to see if CIQ is actually installed on your Android device.

While CIQ won't show up under running applications, most root level system processes don't, if it is installed on your device it will show up in the list of all applications as "IQRD". If you don't see it, it's not there. For those who want to be extra sure, use a 2nd party management app, Norton Mobile Utilities, for example, where you can see every process, including system processes, running on your phone. If there's no "IQRD" running, there's nothing to worry about. CarrierIQ is not installed on your Android device.

If you do find "IQRD," there's still no reason to panic. You can fix this all on your own. One of the most brilliant features of Android devices is because the Android OS is based on open source technology, unlike the entirely closed, proprietary iPhone OS, for example, users have a great deal of control over how their device works, even to the point of being able to load custom Android operating systems.

There are currently 2 ways to remove CIQ from Android devices. Neither is 1 step simple, but both are well within reach for most users. The details may vary slightly from device to device, but the basics are the same for all Android devices.

First, you'll need to "root" your phone, which basically gives you the equivalent of "administrator" permissions on your Android device. This will allow you to access and control all of the processes on your device, including system and root level processes. You can find instructions for rooting your phone here...

After you've rooted your phone, method 1 for removing CarrierIQ is to download and install "Logging Test App v7" from Android developer Trevor Eckhart, the guy who first discovered CarrierIQ. You'll also need "Logging TestApp Pro" - 99 cents at the Android store - which will automatically install the drivers required to unlock the advanced debugging, cleanup and removal features for the Android OS.

Now, open Logging Test App v7. Hit the "menu" button. Select "CIQ" and hit "Remove CIQ".

That's it. Problem solved. You're good to go. No more CarrierIQ. Now, wasn't that easy?

The second method is recommended for advanced users only, as it is much more complicated and involves replacing your entire Android operating system.

Not only can Android users control pretty much everything in the Google Android OS, unlike iPhone users, because Android is based on open source software, you can actually replace the entire operating system with one of the many customized operating systems available for Android, all of them free. These modifications, or mods, are known are called ROM's.

I've played around with a few ROM mods for Android. The one I like best is Cyanogen(mod). Not only does it completely eliminate all hidden root apps, including CIQ, it gives the users some very groovy functions not found in the Google Android OS. For example, you get a very good DSP graphic equalizer for music playback, secure "Incognito Mode" Web browsing, true "Touch to Focus" for your camera and all sorts of options for skins and themes to customize the look and feel up your Android device.

A few caveats. Because Cyanogen(mod), like most other OS ROM's, is highly customized and optimized, it could possibly push your device harder than the original Google OS. This may slow down low powered devices and may decrease battery life. To avoid these issues, make sure you check the list of supported devices for the ROM you choose before installation. Another thing to keep in mind is installing a custom ROM is very likely to void your warranty, though most warranties are only 90 days, anyway.

Before you take the plunge and replace your OS, I suggest you thoroughly read through the instructions. You're changing firmware. Take it step by step and make sure you backup everything before you even think about altering your OS. Cyanogen(mod) maintains a very helpful Wiki with detailed backup and installation instructions and answers to any questions you may have. Other ROM providers provide similar information.

The bottom line is, as usual, the best way to deal with new, super evil technology threats is, in the immortal words of  Douglas Adams, don't panic.

No comments:

Post a Comment

Comment Policy: Anyone can comment. Registration is not required. There is no moderation. We do not censor or remove comments. Your comment should show up immediately.

The only exception is we will remove any comment that identifies, targets, threatens or in any way harasses any private individual.

Comments that include excessive vulgarity, racial slurs, death wishes and WILD ALL CAPS RANTS may be featured.

In recognition of the fact that this is very probably an entirely unworkable policy so vague as to be completely meaningless and therefore ultimately unenforceable, we reserve the right to do whatever the bleep we might bleepity-bleep well feel like doing at any bleeping given time. Please adjust your clocks accordingly.

BTW, "we" is me. If you don't like it, feel free to complain. Make sure you include excessive vulgarity, racial slurs, death wishes and WILD ALL CAPS RANTS.