This link aggregates all of techcrunchs coverage with decent linking to outside sites about this too.
Category: Smartphone
Crapware on a pc or mac is easy to combat….format the machine and use your own, known good image. Phones however are a new frontier of badness for the enterprise and anyone with need for data security. Folks wonder why I’ve advocated locking smartphones out of sensitive networks…this is why. I’ve figured this for a while…now it’s been proven. There are quite a few links in this story..please read them. The video that’s blown the lid off this is right here.
You just can’t make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as a paranoid. Yet, that appears to be the situation with CarrierIQ, a carrier utility gone wild.
Like the Master Control Program in the 80s science fiction classic, “Tron,” CarrierIQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then, it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, “we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” third party analysis of Carrier IQ begs to differ.
Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application “is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the ‘secure’ Internet.” Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at$180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now “deeply sorry for any concern or trouble” that the letter may have caused Eckhart.
From an enterprise perspective, this is massive. It’s the Jerry Sandusky of mobility. It is an insane breach of trust.
[ Not up to date on Carrier IQ? See Carrier IQ Withdraws Legal Threat Against Security Researcher. ]
Enterprises have long put up with “app crap” on Windows platforms, and, then, on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.
We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.
All of a sudden, Steve Jobs’ perspective about who should control mobile device firmware doesn’t seem to be such a bad idea.
Carrier IQ has no relationship, at all, with the enterprise. They’ve said that “we do not sell Carrier IQ data to third parties” or “provide real-time data reporting to any customer.” But once you generate the data, it’s there for the taking.
This year’s Data Breach Investigations Report, co-sponsored by the US Secret Service, and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen.) As enterprise trusted partners, it’s time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.
Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.
The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ’s reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.
Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It’s not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me this morning that “some deployments of Carrier IQ by the carriers have an ‘off switch’ that smartphone owners can trigger,” but that he’s also seen reports that it simply doesn’t work.
Carrier IQ: Mobile App Crap Must Stop – Security – Mobile Security – Informationweek.
The design geniuses at Apple, who are yet to come up with an iPhone 4 which did not have some serious design flaws, are scratching their heads about the latest problem which has hit the cargo cults latest toy.Apple recently released the iPhone 4S which was an iPhone 4 with some software that only Americans could use and the stupid antenna design abandoned. While it was a clever idea to make users pay for something that many manufacturers would be morally bound to recall, it turns out that the iPhone 4S has a design problem all of its own.For some reason the iPhone 4S loses battery faster than its users can charge it. Normally this is not a problem. The iPhone only has to be charged long enough for its users to attempt to convert other people to the Apple cult. It is not as if they use it to call their friends. But it seems that the iPhone 4S cant even manage this task.With normal use, it dropped 19 percent in 50 minutes and sometimes the battery dropped away at an even faster rate than that. Battery life has been dropping ten per cent an hour even when the optional location settings have been switched off.Since the only thing different about the iPhone 4S and the iPhone 4 is the chip, the fault has been narrowed down to the operating system that was also installed on the phone. It turns out that the iOS 5 cant really handle the new hardware.After shedloads of complaints on Apple bulletin boards and lots of suggested fixes an Apple store staff member was able finally to fix the problem.He claimed it was because the OSs location services was constantly checking location especially for the Time Zone.He was able to solve the problem by switching everything off in the Location Services > System Services menu except for Cell Network Search. His phone now lasts “pretty much the whole day”.While the fault has been causing frustration for users, Apple has done its usual “refusing to comment” thing. To admit there is a fault, means that the iPhone 4S is not as perfect as Apple says it is, and that would create a religious paradox.However, behind the scenes, the outfits engineers have been contacting some iPhone 4S owners who have complained of battery life issues individually and asked them to install a monitoring program on their phones to try to diagnose the problem.But the Sydney Morning Herald has found another serious software fault affecting battery life on the iPhone 4SMathew Peterson, who runs the Australian app development company TheLittleAppFactory, said he found that another problem affecting the iPhone 4S battery life was the iCloud contacts syncing code, which crashes repeatedly when it hit corrupt contacts in a loop.This harms those who have upgraded from previous iPhone models and causes the phones processor to work extra hard. The result is that the phone runs “noticeably warm” and it causes “the battery to drop 20-30 percent in 10-15 minutes”.It can be fixed by disabling contacts in iCloud or restarting the device. Peterson said that you really have to install the entire OS and then copy the contacts back on.
via Iphone 4S drains battery like a vampire – Turns users into Zombies | TechEye.
There’s one thing he is leaving out. Andriod is not a closed, one vendor only operating system. IOS is apple and pp-le only.
I’d like to start by stating I am not a rabid Android “fanboy.” In fact, I heavily considered the iPhone 3GS back in the day (er, last year), before deciding to pick up my Nexus One instead. Admittedly, I was a bit bedazzled by the concept of a “Google phone” and, as a confessed mega-geek, I found the bleeding-edge experience Android offered to be more exciting for some reason.
So I chose an Android device. When the iPhone 4 was released, I’ll be the first to admit that I was jealous. Like it or not, Apple’s Retina display and buttery-smooth iOS UI remain rivaled only by Samsung’s Galaxy S II, and I still staunchly believe Apple builds superior products to anyone in the smartphone industry in terms of build quality and hardware design. iOS 4 still lagged behind Android in several key respects, but to say the iPhone 4 wasn’t a juggernaut in the marketplace (antenna-gate aside) would be willful ignorance.
When it started becoming consensus that Apple would be jumping straight to the iPhone 5, my imagination ran wild with the possible changes the company could be making to the iconic device. So, when the rumors then began piling up that Apple would not be releasing an iPhone 5 today, but an iPhone 4S, my hopes for it immediately and arbitrarily decreased. When it was officially announced, my confidence in Apple’s ability to continue to innovate and break new ground not only with the iPhone itself, but the iOS platform, waned substantially. Apple broke its release schedule and waited until Fall for this very incremental upgrade? I can scarcely understand what took Apple so long.
If this phone had been released in June, my reception may have been a bit warmer. But given the pace at which smartphones are evolving, Apple will already be feeling the pressure from new Android handsets not a few months from now, but a few weeks. This isn’t good. It isn’t good for Apple, and it isn’t good for their carrier partners. We knew there was a strong possibility that Apple would release an incremental upgrade to the iPhone 4, but we expected a much larger increment, if you will.
The release of the iPhone 4S will pit it squarely against the various carrier-branded versions of Samsung’s Galaxy S II, Google’s upcoming Nexus Prime handset on Verizon, and a litany of devices in the pipes from the likes of Motorola and HTC. Phones with high definition 720p displays. Phones with even more powerful dual core processors. Phones with Google’s much-awaited Ice Cream Sandwich release of the Android OS – the single biggest visual revamp of the Android OS for phones to date. Some of these phones will be, in terms of a number of on-paper specifications, bigger and better than the iPhone 4S.
While Apple’s device remains the king of the hill in terms of battery life, camera, display pixel density, and internal storage offerings for now, there’s no doubt that this is the least competitive iPhone to be released to date. Here’s why.
via Editorial: 5 Reasons Why I Think The iPhone 4S Is The Least Competitive iPhone Yet.
HTC screwed up big time here. If you are using the stock HTC Sense UI(and most folks are) they have enabled a backdoor into the phones base operating system that essentially allows any app with simple permissions to sniff everything on or about the phone and send it back. Android itself is not at fault HTC made modifications w of Android that caused this.
In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
That is not the case. What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
the list of user accounts, including email addresses and sync status for each
last known network and GPS locations and a limited previous history of locations
phone numbers from the phone log
SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.
But that’s not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):
active notifications in the notification bar, including notification text
build number, bootloader version, radio version, kernel version
network info, including IP addresses
full memory info
CPU info
file system info and free space on each partition
running processes
current snapshot/stacktrace of not only every running process but every running thread
list of installed apps, including permissions used, user ids, versions, and more
system properties/variables
currently active broadcast listeners and history of past broadcasts received
currently active content providers
battery info and status, including charging/wake lock history
and more
I have to thank my sister in law for this tip. It turns out smartphones embed gps data into every picture they take. Once you post this online that information is easily accessible and points to the EXACT location of where that picture was taken. The site icanstalkyou.com gives information on how to disable geotagging of pictures. Andriod phones are the easiest to kill only camera geotagging whle iphone/ipods are the most difficult.
On my Driod based phone store location was already off..:)
And there were 3…Sprint, ATT, and Verizon. Nearly every other carrier buys time form one of these big three. I’m wondering how much longer will Sprint hang in there?
AT&T agrees to buy T-Mobile from Deutsche Telekom — Engadget.
I had a Deacon at my church today ask me about getting audio streams from emergency scanners onto his phone. I said no problem and that I would take a look at it. I fired up blackberry app world. After I had the Deacon enter his password it asked for permission to load an update. I said no to this as Blackberry Curves are not the most stable phones in the world. The phone locked up when loading the app world. Upon rebooting the phone I got a jvm error 102 error. Google research showed this to be a corrupted file on the phone. After following a few more links I figured out the file that was corrupted was a critical system file that could not be deleted. I talked with my wife who manages nearly 100 of these 8330′s and found this file corruption is not uncommon when they reach 1.5 years or higher. I installed the Backberry Dekstop software as well as the jl_cmdr software. After an hour i could not get the phone to reveal it’s filesystem. I finally told the Deacon I had to hard reset the phone. He agreed. 10 minutes later…no dice. The only option is a full wipe from jl_cmdr. The Deacon reluctantly agreed. After the wipe was done I got an error 502 which means no OS. I connected the phone to my laptop and loaded the latest version of BB OS available for his phone 4.5.x. nearly an hour later..the phone was back with his documents, e-mail settings, phone registration, pictures and video intact. Address book was empty though. I then installed his apps(that were still there on the phone just not installed). The phone had at least been returned to operational condition without loosing absolutely everything. While he does have to re-customize his phone and try to rebuild his contacts his phone is at least operational. three hours of work proved to be very very worth it. One, I got the Deacon’s phone operating without him having to replace it out of contract and two, I gained very valuable experience “hacking” these minuscule computers called smartphones.