Android hacker and professional security consultant Dan Rosenberg (you may know him as djrbliss from the Internets) has completed his own study on Carrier IQ, and found some interesting results. All those reports about logging keystrokes and spying on SMS messages look to have been blamed on the wrong party, as his research shows that Carrier IQ as written can only capture the data that the carrier sends to it (known as metrics), and even then still has to consult a profile (think of it as a settings page for any app) that a carrier has had CIQ write specifically for their installation. In his own words:
CarrierIQ does a lot of bad things. It's a potential risk to user privacy, and users should be given the ability to opt out of it.
But people need to recognize that there's a big difference between recording events like keystrokes and HTTPS URLs to a debugging buffer (which is pretty bad by itself), and actually collecting, storing, and transmitting this data to carriers (which doesn't happen). After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data. There's a big difference between "look, it does something when I press a key" and "it's sending all my keystrokes to the carrier!". Based on what I've seen, there is no code in CarrierIQ that actually records keystrokes for data collection purposes. Of course, the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur. But all the recent noise on this is mostly unfounded.
There are plenty of reasons to be upset about CIQ, but please don't jump to conclusions based on incomplete evidence.
So what about all the stuff we see on Trevor Eckhart's video of the EVO in action? It's obviously there, so what's up with all that? We're not security researchers, professional or otherwise, but we are nerds who read about exploits and security every day. The best we can figure is that HTC has exposed those events to the log while sending it as anonymous metric data to the Carrier IQ app. There's still no evidence, and never was, that any of that data is sent anywhere.
The biggest thing to take away from this news is that while Carrier IQ is scary, and many of us consider them evil, they only provide a service to collect data that carriers and OEMs make available. This needs to be made more transparent, because it's never going to go away -- "if you don't like it, don't use our network; nobody is holding a gun to your head" is likely the carriers' stance on the subject, and in a way they are right. Our choice in the matter is to not spend our money with them, and heaven knows I understand how unpopular that idea is firsthand. But things are looking more and more like the carriers and manufacturers need to share a good bit of the blame here, and this whole mess is over an easy way to collect data they already have been collecting.
When we get finished here, we can start looking at how the companies who rushed forward shouting "We don't use Carrier IQ on our phones" are collecting the same data with something other than Carrier IQ, so we can be sure that changes are made across the board versus crucifying a small company in Silicon Valley.
Verizon this morning in a press release talked up the first anniversary of the launch of its LTE network, pimping that 190 markets and 200 million people will be covered by Dec. 15 (that's covered, and not necessarily subscribed). Pretty impressive when you think about it, especially when you compare it to the other established 4G network. (Cough. Wimax.)
Oh, and expect a couple of Motorola Xyboard tablets this month, Verizon says. That's Verizon's version of the Xoom 2 and Xoom 2 Media Edition, and we'll likely see LTE on board, of course.
And in case you're wondering, Verizon says the Galaxy Nexus is still coming soon. Of course it is.
Just as someone predicted, the Samsung Galaxy Nexus has begun arriving in Verizon stores, which means we're starting to see pictures of it in Verizon stores. And that's cool and all. But unless it comes along with a press release from Verizon telling us exactly when it's going on sale, it's just another tease.
Those of us in the States will have a hard time reproducing this, of course, since we're not exactly crawling in 900MHz EDGE. (Or in the Galaxy Nexus, for that matter.) And while it's an interesting-looking bug, we're not sure how overly concerned we are about this lingering issue. Maybe it'll be fixed with uploaded bootloader code. But if not, maybe just keep your 900MHz phones an inch away from your Galaxy Nexus.
Jephanie, a smart member here at AC, bought a couple of Galaxy Nexus accessories from his Verizon store, and was kind enough to share the pictures and pricing with us all. The "Power and protection package" consists of a black case and holster, a universal car charger with USB slot, and three screen protectors for $49.97. The "Spare battery charging kit" (and this one looks to be a real winner) has a spare 1850mAh battery, a stand-alone battery charger, and a micro-USB Y-cable so you can charge both the spare battery and your Galaxy Nexus at the same time in the same place. List price on the spare battery kit is $39.99. Both of these look like very nice accessories for the LTE Galaxy Nexus, and jephanie is ready to roll as soon as Verizon turns this one loose. Hit the break for another picture of each, and visit the link below for close-ups and discussion. Be sure to give jephanie a big thanks for sharing with us all!
One new smartphone and another revamped are now available from AT&T. First up is the LG Nitro HD, the carrier's version of the LG Optimus HD. It sports a 720p display and has AT&T's new LTE high-speed data. The Samsung Galaxy S II Skyrocket -- AT&T's LTE version of the Galaxy S II (and scaled up to 4.5 inches) -- also is now available in white.
The Nitro HD is going for $249.99 on contract, as is the Skyrocket.
U.S. District Judge Lucy Koh has denied Apple's request for a preliminary injunction against Samsung late Friday afternoon, one that would have halted sales of three Galaxy phones and the Galaxy Tab 10.1. Judge Koh found that any action halting the sales of these devices in the United States would not be necessary to keep Apple from being irreparably harmed, and denied the sales ban. This doesn't mean things are over between Samsung and Apple, who currently are involved in more than 20 legal battles in 10 different countries, as the case is still to be heard. This ruling was concerning the halting of sales only.
Of course both sides involved had little of value to say -- this is a legal drama and tight lips are a wise choice. Apple spokeswoman Kristin Huguet referred to previous statements about the case, saying that Samsung's "blatant copying is wrong" and Samsung spokesman Jason Kim said "This ruling confirms our long-held view that Apple's arguments lack merit". Whether the arguments truly lack merit is something the courts will have to decide later, but for now the products in question will remain on the shelves for the Holiday buying season.
Update: Reuters has updated their original story with more information from Judge Koh's ruling, stating that "Apple has established a likelihood of success on the merits at trial" regarding some of the smartphone patents, and that "Apple would likely prove Samsung infringed one of its tablet patents. However, Apple had not shown that it was likely to overcome Samsung's challenges to the patent's validity." General consensus is that the suit will end with monetary damages more likely than any injunction. Whatever the outcome, it would be nice to see all these legal issues slow down at least a little.
Source: Reuters. Thanks everyone who sent this in, and thanks Droid800 for the update!
Fear not, Motorola Droid Bionic owners: you are no longer left behind and can join the cool kid party with a taste of some Ice Cream Sandwich. Developer dhacker29 of the TH3ORY ROM team has released a mostly functional ICS build for Bionic users to play around with, and while not everything is working, reports are pretty positive so far. While still working on getting data & wifi working along with getting the SD card to mount, the developer feels they are getting closer to getting this functional. Looking for something new to play around with this weekend on your Bionic? Be sure to hit the source for full details.
Researchers at N.C. State University have performed a study of eight Android phones (HTC's Legend, EVO 4G, and Wildfire S; Motorola's Droid and Droid X; Samsung's Epic 4G; and the Nexus One and Nexus S from Google) and found more potentially disturbing information. While the Nexus phones and OG Droid (phones that run stock Android) had one minor security issue, namely a code bug in the pico app that would allow another app to delete the pico installer app, the rest of the bunch didn't fare so well. All the phones with customized versions of Android had serious security issues:
In particular, by exploiting these leaked capabilities, an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations – all without asking for any permission.
Apparently because the system applications built by vendors such as HTC, Moto, and Samsung are all signed with the same digital signing key, they are able to inter-communicate and access each other's data. While this is a serious security flaw, it's also possible that it was done by design so that applications like Friendstream or Social Hub can easily parse social networking app data and aggregate it, and these researchers just found a new method to exploit that system.
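A defender's view of the two points above, as an added example that is not from the study or from any vendor's code: the script reads decoded manifests (assumed to be plain XML), pools permissions across packages that declare the same `sharedUserId` (which Android only honours for apps signed with the same key), and lists exported components with no permission guard as candidates for review. The package names, the permission list and the review heuristic are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Permissions matching the abuses quoted above (wipe, SMS, audio, location).
SENSITIVE = {"android.permission.MASTER_CLEAR", "android.permission.SEND_SMS",
             "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION"}

# Constructed manifests for hypothetical packages (not taken from any real firmware).
MANIFESTS = [
    f"""<manifest {XMLNS} package="com.example.oem.messaging"
          android:sharedUserId="com.example.oem.shared">
      <uses-permission android:name="android.permission.SEND_SMS"/>
      <application>
        <service android:name=".SendService" android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.oem.permission.SYNC"/>
      </application></manifest>""",
    f"""<manifest {XMLNS} package="com.example.oem.social"
          android:sharedUserId="com.example.oem.shared">
      <application>
        <receiver android:name=".FeedReceiver">
          <intent-filter><action android:name="com.example.oem.FEED"/></intent-filter>
        </receiver>
      </application></manifest>""",
    f"""<manifest {XMLNS} package="com.example.game">
      <application><activity android:name=".Main" android:exported="true"/></application>
    </manifest>""",
]

def audit(manifests):
    """Return (package, component, reachable sensitive permissions) review candidates."""
    roots = [ET.fromstring(m) for m in manifests]
    uid_perms = defaultdict(set)  # shared UID (or package name) -> union of permissions
    for r in roots:
        uid = r.get(NS + "sharedUserId") or r.get("package")
        uid_perms[uid] |= {p.get(NS + "name") for p in r.iter("uses-permission")}
    findings = []
    for r in roots:
        held = uid_perms[r.get(NS + "sharedUserId") or r.get("package")] & SENSITIVE
        for c in r.iterfind("application/*"):
            exported = c.get(NS + "exported")
            # On Android versions of that era, an intent filter with no explicit
            # android:exported attribute made the component exported by default.
            is_open = exported == "true" or (exported is None and c.find("intent-filter") is not None)
            if held and is_open and c.get(NS + "permission") is None:
                findings.append((r.get("package"), c.get(NS + "name"), sorted(held)))
    return findings
```

The second package is flagged even though it declares no permissions of its own, because it shares a UID with one that holds `SEND_SMS`; whether a flagged component actually acts on a caller's behalf still has to be confirmed by reading its code.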
While the implications for Android are new, the idea of exploit attacks on popular computing platforms is not. As Android grows in popularity, more people will be focused on finding (and reporting) exploits against the OS. Researchers have dutifully reported the issue to Google and all the OEMs, although they express difficulty dealing with HTC and Samsung who (as of this writing) the researchers say have been "very slow in responding, if not ignoring our reports/inquires".
Should you be worried? Not any more than you were yesterday. Malware exists because a whole hell of a lot of people use Android, and users are not restricted to installing only approved applications. If these types of reports bother you -- and that's a pretty valid response -- you still have the option of installing only trusted applications by well-known developers, or other options to not run the affected firmware on your phone. And while nobody wants to hear me say it again (but I'm about to anyway), Nexus devices running Android as it was written are once again immune from these serious issues, so are always the better choice if you value your security.
It looks like the LG Nitro HD wasn't the only thing to hit New York City last night: the shiny new flagship is currently surfing on AT&T's 4G LTE network, which hasn't been "officially" switched on yet here in the Big Apple. We'll go ahead and assume that AT&T is still in the testing phases here in the five boroughs, with an official statement on its way. Whether it's here to stay or just a dry run, one thing is clear: AT&T is pulling some major speeds. Last night saw Ookla's Speedtest clocking in at 56.59 Mbps down and 12.81 Mbps up, which is almost too good to be true. Sure enough, this afternoon has already "slowed down" to 13.48 Mbps down and 1.14 Mbps up. Either way, New Yorkers looking to snag the Nitro HD on Sunday will surely be impressed by their data speeds.
Portions of this page are modifications based on work created and shared by the Android Open Source Project
and used according to terms described in the Creative Commons 2.5 Attribution License. AndroidCentral is an independent site
that is not affiliated with or endorsed by Google.