
Code sloppily, pay the price; or as a source puts it "It really appears like Carrier IQ got screwed by HTC."

Cautionary lesson to programmers: code sloppily and it may cost your business dearly.  

One line of code, presumably authored by HTC Corp. (TPE:2498), appears to have been the spark that ignited a wave of press and public hysteria regarding smartphone privacy invasions and a world of woes for HTC, a small telemetry company called Carrier IQ, and Carrier IQ's numerous industry partners.

(Ed./Update V2: Based on a bit more research, I added a theory about a possible reference design from Carrier IQ, a case that would send some of the blame back to Carrier IQ, though HTC appears to be the primary negligent party in this one-line botch job.)

I. The Panic

Customers are already queasy about data mining, regardless of whether it is for the purpose of improving products or for financial gain.  While there's always the assurance of anonymity, customers fear -- and perhaps justifiably so -- that their private data could be exposed or maliciously exploited by data miners.

On the surface it appeared that those worst fears were confirmed over the course of the past couple months, when it was found that telemetry firm Carrier IQ appeared to be printing a host of private data to the debug stream in Android, accessible by other apps.  Media jumped to the conclusion that ALL Carrier IQ apps must be doing the same, and the hunt was on for Carrier IQ on various smartphones.  

The search yielded results.  Carrier IQ was found on Android, on the iPhone, and more.  Meanwhile media and members of the public jumped to more and more wild conclusions.  As one reader wrote in my previous post on Carrier IQ:
They are reading every key press, that is an epic fail. It is beyond a significant security/privacy issue...

The only problem is that nobody bothered to dig into the actual code and see if that claim was right.  Or almost nobody.

I started decompiling the pieces of Carrier IQ last week, and while my analysis of the three programs...

/system/bin/iqfd
/system/bin/iqd
com.htc.android.iqagent

... off a newly rooted EVO 4G device I have access to is still ongoing, the early results indicate that another member of the security community who also took the trouble to actually look at the code -- Dan Rosenberg -- was correct in stating that there's no evidence that Carrier IQ is exposing customers' private information to malicious third parties.

II. The Breach

But what about the debug stream information?  That's a huge security flaw in its own right, correct?

Of course it is, but it's important not to overblow the security risk here.  Here's the compromise scenario:
  1. IF you install an app that declares the log-reading permission android.permission.READ_LOGS in its AndroidManifest.xml...
  2. AND IF you run that app...
  3. AND IF it's malicious...
  4. AND IF it, or another app from the same malicious party that is also installed and running, has network permission (android.permission.INTERNET)...
Then yes, absolutely, your private data (specifically GPS position, SMS text contents, URLs, including uncensored HTTPS strings, and numbers dialed) could be captured, packaged, and sent out to a malicious third party.  Again, let's consider the worst-case scenario if this happens:
  1. IF you use an HTTPS-encrypted website (there's no keylogging outside the dialer app, so other apps are safe...)...
  2. AND IF that site doesn't properly censor your username and/or password in the part of the HTTPS URL after the base domain...
  3. AND IF all of the above (log-reading app, internet permission, malicious) is true, you could lose your username and/or password to a malicious party.
Again, it's easy to overstate the risk, but any data loss is unacceptable, so let's for now consider this an atrocious security breach, even if it only affects a handful of customers out of millions of subscribers.
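As an added check (not code from the article, Carrier IQ or HTC), here is a small Python audit that parses AndroidManifest.xml files for the precondition in steps 1 and 4 above, READ_LOGS combined with INTERNET, and pools permissions across apps that share an android:sharedUserId, since those run under one Linux UID; the package names and manifests are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Android manifest attributes are namespaced; ElementTree exposes them as {ns}name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
SHARED_UID = "{%s}sharedUserId" % ANDROID_NS

# The two permissions the scenario above hinges on.
READ_LOGS = "android.permission.READ_LOGS"
INTERNET = "android.permission.INTERNET"

def parse_manifest(manifest_xml):
    """Return the package name, its sharedUserId (or None) and declared permissions."""
    root = ET.fromstring(manifest_xml)
    return {
        "package": root.get("package", "<unknown>"),
        "shared_uid": root.get(SHARED_UID),
        "permissions": {e.get(NAME, "") for e in root.iter("uses-permission")},
    }

def assess(manifests):
    """Map each package to 'none', 'read-only' or 'read-and-exfiltrate'.
    Apps declaring the same android:sharedUserId share one Linux UID, so their
    permissions are pooled: a READ_LOGS app plus an INTERNET sibling is treated as
    one party, which is step 4 of the scenario above."""
    apps = [parse_manifest(m) for m in manifests]
    pooled = defaultdict(set)
    for app in apps:
        pooled[app["shared_uid"] or app["package"]] |= app["permissions"]
    verdicts = {}
    for app in apps:
        perms = pooled[app["shared_uid"] or app["package"]]
        if READ_LOGS in perms and INTERNET in perms:
            verdicts[app["package"]] = "read-and-exfiltrate"
        elif READ_LOGS in perms:
            verdicts[app["package"]] = "read-only"
        else:
            verdicts[app["package"]] = "none"
    return verdicts

# Builds constructed sample manifests (not taken from any real app).
def sample_manifest(pkg, perms, shared_uid=""):
    uid = ' android:sharedUserId="%s"' % shared_uid if shared_uid else ""
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s"%s>%s</manifest>'
            % (ANDROID_NS, pkg, uid, body))

# A log reader and a network-capable sibling under one sharedUserId, plus two loners.
SAMPLE_MANIFESTS = [
    sample_manifest("com.example.reader", [READ_LOGS], "com.example.shared"),
    sample_manifest("com.example.sender", [INTERNET], "com.example.shared"),
    sample_manifest("com.example.lone", [READ_LOGS]),
    sample_manifest("com.example.clean", [INTERNET]),
]
```

Since Android 4.1 READ_LOGS is no longer granted to ordinary third-party apps, so this check chiefly matters on devices of the era discussed here.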

III. The Blame

So who's to blame?

Dan Rosenberg argued that "com.htc.android.iqagent" was the sole work of HTC, and that it was the app to blame for the egregious data prints, but that Carrier IQ's core apps (iqd and iqfd) didn't log any of this information, and didn't even pass along everything the HTC app printed (i.e. it did pass along URLs, but didn't pass along text message contents, etc.).

Anyhow, the important point Mr. Rosenberg raised is that the exposure of this data to malicious third parties via the debug stream was the (accidental) work of HTC -- NOT Carrier IQ.  

And while I was unable to confirm definitively that the iqagent code was indeed solely authored by HTC, the nature of the data flow, the code itself, and even the title seemingly suggest that HTC is the primary author of this code.  And those egregious prints?  

Ed. - I added this thought upon further examination of another piece of CIQ code...
Of course this code looks an awful lot like a reference design from Carrier IQ, given its similarities to code seen elsewhere on Samsung Electronics Co., Ltd.'s (KS:005930) devices.  If this is the case the blame becomes a bit more complicated -- the reference design HTC was given by Carrier IQ may have had the debug statement turned on, but HTC clearly modified the code and was responsible for the finished product.  Why didn't it have the common sense to turn off the debug flag?

They all come down to one fateful line:

protected boolean DBG = true;

(found near the top of com.htc.android.iqagent, in class AgentService)

Which rears its ugly head in this conditional:

public void handleMessage(Message paramMessage)
{
  super.handleMessage(paramMessage);
  AgentService.this.result = Controller.IQInit();
  Intent localIntent = (Intent)paramMessage.obj;
  // DBG is hard-coded to true above, so this branch always executes in the
  // shipped build and writes the Intent's action to the shared debug log.
  if (AgentService.this.DBG)
    Log.v(AgentService.TAG, "Action[" + AgentService.submitTime + "]:" + localIntent.getAction());
  // ... remainder of the decompiled method omitted
}

For the non-Android developers out there, here's what the code cumulatively does:  
  1. The HTC program (Ed. - perhaps based on a Carrier IQ reference code) gets a message from another HTC program or a program it modified to gain access to additional information (such as the default webkit browser).  
    NOTE: Obviously it can only make these modifications to core system apps it distributes on its smartphones, not apps downloaded from the Android Market. 
  2. It starts the main Carrier IQ app (in /system/ on HTC devices).
  3. It sends an Intent for the main Carrier IQ to read and log, echoing the data it received.
  4. It checks to see if the debug flag is set.
  5. If this flag is set, it writes a log to the system's debugging cache file with the full details of the Intent (which include various juicy details like SMS contents, etc.).
The problem?  The debug flag is set in the production build.

IV. The Aftermath

If HTC had not left this flag set, perhaps somebody someday might have found out about Carrier IQ.  But the security flaw in the debug stream would never have existed.  And it would have been unlikely that novice developer Trevor Eckhart would have found it while poking around in the debug log -- because nothing would have been printed to the debug log.  And the public witch hunt against Carrier IQ never would have ensued.

Of course this was probably just a careless but innocent accident on the part of some HTC developer.  But it was a costly one, one that sent ripples of fear, uncertainty, and doubt through a public already fearful of data mining.

That line of code would lead to a world of hurt.

A source close to another device maker seconded Mr. Rosenberg's opinion that the module in question appeared to be HTC code and not Carrier IQ code when I showed it to them.  After seeing the fateful line, they remarked, "It really appears like Carrier IQ got screwed by HTC."

"Screwed" indeed.  Who knows how much business Carrier IQ has lost because of this mess.

Perhaps that explains the dumbfounded statement of Carrier IQ spokesperson Andrew Coward (a special thank you to Network World's Senior Editor John Cox, who pointed me to this quote during a discussion): "We're as surprised as anybody to see all that information flowing.  It raises a lot of questions for the industry -- and not [only] for Carrier IQ."

V. The Blame, Redux

The bottom line here is that it increasingly appears that there's a strong likelihood that Carrier IQ was not the one directly responsible for the inadvertent exposure of private data.  The direct responsibility falls on HTC and likely HTC alone (Dan Rosenberg does not mention finding a similar flaw in Samsung's implementation of the data passer).

But in terms of a broader umbrella of responsibility, there are two perspectives you can take here:
  1. The "Tank" Argument:
    I made this argument to a colleague writing about the data breach.  The premise here is that Carrier IQ is somewhat to blame for the products it puts out jointly with its partners, even if the partner made the component that did the damage.  

    I give the analogy of a tank software maker who passes the responsibility of firing the main gun to a third party who then botches the job and delivers code that, unbeknownst to testers, on an extremely rare but predictable occasion erratically fires due to a known bug.  Servicepeople die and the software is scrutinized.  The bug is found and the families of the deceased sue the tank software company AND its partner, even though the partner wrote the flawed subprogram.  The main program maker should have kept track of what was going on in its joint finished product, the lawyers might argue.
     
  2. The Small Developer, Big Developer Argument:
    Even with all its recent success, Carrier IQ has nowhere near the resources of HTC.  So you could make the counterargument that HTC's faulty software should be blamed on HTC alone, as Carrier IQ, a comparatively small third party that services scores of different device makers and carriers, doesn't have the time to individually monitor its partners' associated code for flaws (and perhaps doesn't even GET uncensored access to that partner code).  

    This is certainly a fair argument as well.
(Ed. - If my reference code hypothesis is confirmed, this offers some additional stock in the philosophical argument that Carrier IQ should be partly to blame, even if HTC was negligent and lacked common sense in modifying the reference design.)

Whichever argument you buy, the Carrier IQ mess does paint an interesting picture:
  1. HTC accidentally leaves its debug flag on in a single line of code, exposing Carrier IQ's metrics (and more) to the world (and malicious parties).
  2. A non-developer media fails to properly research the issue, assumes it's endemic to all Carrier IQ devices (or at least all Android devices) and goes wild, accusing Carrier IQ of installing rootkits and violating user privacy.
  3. A non-developer public fails to understand this is an HTC issue and panics, when in many cases they are at no risk.
  4. Carrier IQ potentially loses millions in business.
Now the exposed information does offer some decent philosophical debates (albeit at the cost of Carrier IQ et al.'s financial well-being and the creation of perhaps unwarranted paranoia among non-HTC device owners):

Should carriers act as platform managers and collect anonymized data while further safeguarding privacy?

Or...

Should they act as a dumb pipe at the cost of perhaps providing inferior service that might have been improved by telemetry?

The debate is analogous to the question of the merits of monitoring/usage data collection in an IT setting, given that your device maker and/or carrier are in effect your smartphone's administrators and you're just a user, unless you hack your phone and root it.  (That is why Carrier IQ is not a rootkit, even if it keylogs -- it was installed by the administrator of the device -- and that's the fundamental difference between administrative monitoring software and a rootkit, by definition.)

The question in IT terms would be something like:

Should an IT department monitor users, at the cost of privacy, in order to counter extreme abusive misbehavior and/or improve service quality?

Or...

Should they act as a dumb pipe at the cost of perhaps providing inferior service and potential abuse?

The world of commercial IT computing has virtually unanimously voted in favor of the former approach -- active administration.

But hey, perhaps the smartphone, despite being an analogous situation (customers wanting to pass off the icky administrative responsibilities to a service provider who lowers the customers' permissions to user level), should be handled differently.

It's a good philosophical debate to be had.

But members of the public and media, please, let us be rational and look at the actual code before we pass judgement and condemn Carrier IQ, Samsung, or anyone else.

APPENDIX:

Methodology:
In my past piece, I relied primarily on the debugging cache, a built-in log file readable by Android apps or PC-side developer tools like ADB.  I personally used "Catlog", a free app by Nolan Lawson, for convenience.  When verifying that it was com.htc.android.iqagent that was doing the talking, I used "Process List" by Tak Kuji to grab and match the PIDs in the log.

In this followup I:
  1. Rooted my test device.
  2. Mounted it in ADB and transferred the appropriate (iq-related) .apk files off the phone.
  3. Opened a cmd prompt (Windows button > type "cmd" in the bar).
  4. Turned the .apk files into .zip files via a rename.
  5. Extracted the contents to a folder. 
  6. Ran dex-translator-0.0.9.3 (dex2jar, free from a Google Code project) on the extracted classes.dex file to produce a .jar.
  7. Ran jd-gui.exe (free, from a French developer) to view the resulting classes-dex2jar.jar file.
  8. Poked around in the code!
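As an added example (not code from the article or from HTC or Carrier IQ), here is a Python scanner for the step after decompilation: run over .java sources such as those jd-gui produces, it flags Log calls that are guarded by a boolean field hard-coded to true, which is exactly the DBG = true pattern from section III, as well as unguarded verbose/debug calls; the class, field and tag names in the sample source are constructed.

```python
import re

# A boolean field with a literal initializer, e.g. "protected boolean DBG = true;".
FLAG_DECL = re.compile(r"\bboolean\s+(\w+)\s*=\s*(true|false)\s*;")
# An android.util.Log call; group 1 is the level letter (v, d, i, w, e).
LOG_CALL = re.compile(r"\bLog\.([vdiwe])\s*\(")
# A single-identifier guard such as "if (DBG)" or "if (AgentService.this.DBG)".
FLAG_GATE = re.compile(r"\bif\s*\(\s*(?:[\w.]+\.)?(\w+)\s*\)")
ANY_GATE = re.compile(r"\bif\s*\(")

def find_debug_flags(source):
    """Map each boolean field name to the literal it is initialised with."""
    return {m.group(1): m.group(2) == "true" for m in FLAG_DECL.finditer(source)}

def audit_log_calls(source):
    """Return (line_no, level, status) for every Log.* call in the source.
    Only the same line and the nearest preceding non-blank line are inspected,
    so a call deeper inside an if-block is reported as ungated (conservative)."""
    flags = find_debug_flags(source)
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        call = LOG_CALL.search(line)
        if not call:
            continue
        guard = line[:call.start()]          # "if (DBG) Log.v(...)" on one line
        if not ANY_GATE.search(guard):       # otherwise look one statement up
            guard = next((p for p in reversed(lines[:idx]) if p.strip()), "")
        gate = FLAG_GATE.search(guard)
        if gate and gate.group(1) in flags:
            status = "gated-by-flag-true" if flags[gate.group(1)] else "gated-by-flag-false"
        elif ANY_GATE.search(guard):
            status = "gated-by-other"
        else:
            status = "ungated"
        findings.append((idx + 1, call.group(1), status))
    return findings

def production_leaks(source):
    """Lines whose debug output survives into a shipped build: v/d calls left unguarded, or any call guarded by a flag hard-coded to true."""
    return [n for n, level, status in audit_log_calls(source)
            if status == "gated-by-flag-true" or (status == "ungated" and level in "vd")]

# Constructed sample in the shape of the section III fragment; not the real HTC or Carrier IQ source.
SAMPLE_SOURCE = """\
public class AgentService extends Service {
    private static final String TAG = "AgentService";
    protected boolean DBG = true;
    public void handleMessage(Message msg) {
        Intent intent = (Intent) msg.obj;
        if (DBG)
            Log.v(TAG, "Action:" + intent.getAction());
        Log.e(TAG, "init failed");
    }
}
"""
```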

You can of course try this for yourself and test it out on your Android smartphone of choice.  But beware of the following:
  1. Rooting devices voids their warranty (though a reinstall of the factory ROM could obscure that fact, should you need a repair... hint, hint).
  2. Decompiling apps you did not make is a gray area of the law.  Typically it's viewed as legal for security researchers.  But be aware that it is a sort of hazy region if you're ultra-worried about liability.
Happy reverse engineering!


Comments:

By JasonMick (blog) on 12/9/2011 8:15:27 PM , Rating: 2
quote:
When a code library is written and given to another person to implement, it is 100% this other person's choice how to implement the library. While the original writer will often give samples showing a sample implementation or even in a few cases, help the implementer directly, it is always the implementer's responsibility to verify that the implementation is appropriate for their intended use.

To say Carrier IQ cares any blame for how HTC implemented their code is incorrect, as they had no control (and probably no knowledge) over how HTC decided to implement their code.

True, but I've seen a copy of the Samsung Carrier IQ source and it's very similar in calls/structure to the HTC code though it also has some key differences.

That leads me to believe that the code in question is a reference design, originally written by Carrier IQ, but modified by HTC. I could be wrong on that hypothesis.

If this was the case, would your perspective change?

Don't get me wrong... I still personally believe the primary party at fault was HTC for lacking common sense of removing sensitive debug logic from a production code.

But if Carrier IQ wrote the code that's printing the debug with the intention (likely explicitly voiced to OEMs), that they should turn it off once their designs were complete then perhaps, it is in a way CIQ is to blame too, albeit in a lesser regard.


By Trisped on 12/11/2011 9:42:09 PM , Rating: 2
quote:
That leads me to believe that the code in question is a reference design, originally written by Carrier IQ, but modified by HTC. I could be wrong on that hypothesis.

If this was the case, would your perspective change?

If Carrier IQ wrote sample code which included writing to a debug stream all values passed in, when these values often contain sensitive information then I would say Carrier IQ had done wrong, though the full fault of the problem would still be 100% HTC's because it is the implementer's job to make sure the code sample is implemented appropriately for the intended use.

That being said, debug logging systems are usually unique for each application. Sometimes they are written to a flat file, an xml file, a SQL database, or some other method. For Carrier IQ to specifically indicate how to log debug data would indicate that they would know how all users of their code log this information. My experience with Android is limited, but I do not think there is a generic, always used, debug logging system. If there is an Android debug logging system, I would suggest lobbying Google to make it easier to tell when software is released with debugging on. Whether there is such a system or not, it is still 100% HTC's fault for the unsafe release.

What is more likely is either HTC was having trouble debugging and asked Carrier IQ for assistance (not likely), or Carrier IQ's sample code had a line comment indicating that debugging information could be added here (also not likely), or HTC added their standard debugging code to the Carrier IQ sample code to help them verify the information was being processed and reported as expected.

I cannot think of a reasonable condition where code written by HTC which resulted in a security breach would be the fault of Carrier IQ.

