updated 06:25 pm EST, Tue November 29, 2011
Video shows CarrierIQ, Sprint lied about data
The latest update in the CarrierIQ data collection controversy and the related privacy issues has brought apparent video confirmation. shared by Geek and made by security researcher Trevor Eckhart, the video (below) shows a LogCat proving that the CarrierIQ name is not mentioned anywhere in the startup code. The handset used is a stock HTC Evo 3D, and there is no way to shut down the app as it's not visible.
The video shows that CarrierIQ software knows about a text message and its contents before the user is even notified. Earlier, both CarrierIQ and Sprint claimed the contents of an SMS were not saved. Geek's Russell Holly tried to contact CarrierIQ about this matter but they didn't comment directly, stating instead that it's looking forward to a meeting with the Electronic Frontier Foundation and will continue to keep users updated.
The video also shows that the software records keystrokes. It likewise records calls with network strength values, which primarily allows carriers to fix problems but could also be used to intercept data. CarrierIQ is also collecting keystrokes of incompleted calls and even random keystrokes, or more than it needs
When using Wi-Fi, CarrierIQ records website security information, including URL and even passwords sent over the ostensibly secure HTTPS. This doesn't involve Sprint, as it's on Wi-Fi, so it shouldn't be recorded, Holly concludes.
CarrierIQ hasn't responded to the video, but it's now under pressure to prove that it hasn't created problems for a significant portion of Android. HTC, other phone makers, and carriers are known to have loaded CarrierIQ, all of which are thought to have been well-meaning but which could have created an extra security risk by giving hackers a treasure trove of information either on the device or sent to outside servers.