Catch and kill the Carrier IQ spyware

CIQ must die

Carrier IQ is a spyware company that deserves to be sued straight into bankrupcy, and its owners should go to jail. Their product is a piece of spyware that comes preinstalled on many Android phones, iPhones, Blackberries , and Nokias. It reads all sorts of private information (location, web surfing, text messages, keystrokes, emails) behind your back. It even logs data sent over https as plain text, which defeats the purpose of end-to-end encryption used by PayPal, banks, webmail, etc.

CIQ phones home to Carrier IQ, Inc., which hands the info to its customers. Your data eventually ends up at phone manufacturers and operators. It's meant to improve cellular service, but it can collect such a truckload of sensitive data that it would make Big Brother drool like a little baby. CIQ should be killed like any other virus. Its makers deserve a slow and painful death.

For a detailed but non-geeky description of CIQ check out The Rootkit Of All Evil: CIQ on the xda portal. For all the gory details in geekspeak dive into the full CIQ discussion on the xda forum.

Trevor Eckhart (TrevE on the xda forum) discovered and exposed CIQs dirty business. Carrier IQ, Inc. obviously didn't like to have their crimes exposed. They even threatened to sue Trevor into silence, but after free speech organisation EFF got involved CIQ had to back off and shut up. That's a good start, but not enough. Carrier IQ should shut their mouths and shut down their business. Let's hope the legal system does the right thing and kills CIQ.

Many Android and other phones are sold with CIQ straight out of the box. There's usually no way to opt out from being spied on, and no way to get rid of this piece of junk unless you root your phone, alter the system files, and void your warranty.

If you bought your phone from an american wireless operator it's probably infected with CIQ. Infection rates in the rest of the world are lower. For example, the major operators in my country (The Netherlands) don't use CIQ. Europeans are still at risk, though. Vodafone Portugal is in bed with CIQ, which probably violates all kinds of european privacy laws. And it's not just network operators that shop at CIQ. Phone manufacturers like HTC and Samsung include CIQ or similar junk, so even if your phone is not carrier-branded you may still be spied upon.

How to catch the thief?

CIQ is a rootkit that hides itself from you. It won't show up in task managers, it doesn't have an icon in your app drawer, and you'll never know it's running unless your tech skills are well above average. On some phones it may show up as IQ Agent in the application settings, but it could also be running completely invisible unless you use third party tools to hunt it down.

The best way to catch the thief red-handed is with the Logging Test App from TrevE. This app catches CIQ and many other logging apps that may (or may not) be running on your phone.

You can also check for CIQ with Any Cut. If Any Cut offers to create shortcuts to IQRD and IQAgent your phone is infected.

Update: now that CIQ-gate made the mainstream media all kinds of new CIQ detecting apps appear on the market. Voodoo Carrier IQ detector is an open source app to catch CIQ. Although it's still a work in progress it is a lot more user friendly than the geeky app from TrevE. Another app to catch CIQ is Carrier IQ Detector from Lookout Labs, built by the company that makes Androids most popular free antivirus app. Virus killer Bitdefender made a CIQ detector too.

Kill the beast

You'll need root access to kill CIQ, and all ways to remove CIQ from your phone will void your warranty. Before you start, make sure to back up your system software just in case you need to get your hardware fixed.

Flashing a custom ROM like CyanogenMod will remove CIQ. Other custom ROMs are usually CIQ-free too. Keep a backup copy of your stock ROM in a safe place just in case.

The free version of the Logging Test App can detect CIQ for you, but it won't touch it. The Logging Test App can kill CIQ, but only if you upgrade to the paid version (one dollar). Warning: all phones are different, so the Logging Test App may not work on your phone or even brick it. Make sure you have a full system backup just in case the Logging Test App makes your phone unbootable.

You could try to sue your mobile operator or phone manufacturer to recoup the cost of the Logging Test App, but that would only work if you join a class action lawsuit. Of course you could buy the app from the Android Market, use it to get rid of CIQ, and then use the 15 minute window to get a refund. Or just keep the app, because removing CIQ is just one if its many useful features.

Removing CIQ by hand is possible, but very difficult. You can't just rename or delete the app files, because CIQ is integrated into your web browser, dialer, kernel, media player, SMS app, and other places. You'll need to extract all those bits and pieces, patch them, and flash them back into your phone. This keeps manual removal out of reach of everyone except a handful of experts who know how to edit source code. If you want to give it a shot anyway, start with this CIQ discussion on xda. It's very HTC-centered, but it should give you an idea where to look on other phones too.

Tame the beast

Although CIQ is very hard to remove, there's another way to stop it from phoning home. Just make sure it doesn't run. Your phone needs to be rooted to keep CIQ under control.

You can freeze its background processes with Titanium or MyBackup. The names of the processes depend on your phone, look for IQRD, System Manager (yes, really), IQAgent, or HTCIQAgent. Too bad that freezing apps only works with the paid versions of Titanium and MyBackup.

You can freeze CIQ for free grab with Bloat Freezer, but the business ethics of the maker of Bloat Freezer are as bad as those of CIQ.

Carrier IQ Process Killer kills CIQ when it tries to run. It won't restart until you reboot your phone, and then you can kill CIQ again. Anti Carrier IQ does the same.

find CIQ

• Carrier IQ Detector (from Lookout Labs)
• Bitdefender Carrier IQ Finder
• Voodoo Carrier IQ detector

find and kill CIQ

• Logging Test App by TrevE (finds CIQ for free, removes it for a dollar)
• Android Security Test (Trevor Eckharts Logging Test App site)
• Carrier IQ Process Killer
• Anti Carrier IQ
• CIQ discussion on xda (warning: full of geekspeak and raw code)

more about CIQ

• The Rootkit Of All Evil: CIQ (xda on CIQ in non-geekspeak)

Kill WiFiKill with Wifi Protector

WiFiKill turns Android phones into rogue access points that can hijack your WiFi to break your internet, spy on you, steal passwords, and more. And there are other apps that do the same evil things.

But you can fight back! Wifi Protector looks for suspicious network behaviour and warns you when things smell fishy. If your phone is rooted, it can protect you against attacks in addition to warning you.

Wifi Protector doesn't always detect bad access points. It knows when a good access point turns bad, but it won't protect you if the network is already compromised when you connect to it for the first time. If a known network (or the network at your office or school) goes bad Wifi Protector will usually do the job, but when you walk into a coffeeshop with an unknown network already under attack Wifi Protector doesn't always see the danger.

Even though it's a bit leaky, Wifi Protector adds an extra layer of security which is better than nothing, and the latest update gives you a chance to detect an ongoing attack. Just keep in mind that it shouldn't be used as a substitute for your brain. The same goes for all security apps, because no safety net is completely without holes.

Autostart is optional. If you move out of a suspect location into a safe place the background service keeps running. Wifi Protector eats a lot of memory (and causes a bit of network traffic), so if you want to save memory and battery you'll have to close it yourself. The off switch is hidden in the menu of the expert mode screen. It would be better if there was an off button in the main screen.

Wifi Protector costs a euro if you get it from the Android Market, but it's free if you download it from the xda forum.

• Wifi Protector (xda forum, free, download link at the bottom of the opening post)
• Wifi Protector (gurkedev, not free)

Other apps to protect your phone against the bad guys:
• LBE Privacy Guard
• DroidWall
• AdAway

CoboltFM: free last.fm on all Android phones everywhere

Update 1: CoboltFM and KLastFM are dead. Last.fm changed things for the worse and pulled the plug on free streaming for almost everyone. Believe it or not, most of the planet can't stream anymore even if they pay. Last.fm refugees can still stream custom radio stations from Grooveshark with Dood's Music Streamer.

Update 2: Liquid Bear still plays last.fm radio on Android.

Streaming tracks from last.fm is free if you're in Germany, the UK, or the USA. The rest of the world has to pay for it. If you're not in one of the three "free" countries, you can't stream last.fm on your phone, not even if you pay.

This is totally wrong! The internet was never meant to be crippled by borders and other geographical restrictions.

KLastFM solves the problem for Android by letting everyone stream last.fm radio. No matter where on the planet you are, you get the same free streaming radio stations that the germans, english, and americans get on their computers.

But KLastFM is not a very nice app. It has an ugly user interface, erratic scrobbling, and it comes with a very annoying ad banner that screams to be blocked by AdFree or AdAway.

Enter CoboltFM. It looks better, is more stable, doesn't have any ads, and the source code is freely available for everyone.

CoboltFM precaches tracks for seamless switching to the next song. It used to vibrate when loading or changing tracks, but after I complained about it in an Android Market comment the makers of Cobolt added an off switch to get rid of the shakes (thanx for that, Cobolt!). The icons are big, which is nice but makes it a little bit too easy to love, ban, or share a track by accident. CoboltFM would be better if the less frequently used buttons (love, ban, share) are a lot smaller than pause, stop, and next.

A nice touch is the "show profile page" button in the menu, which takes you straight to your last.fm profile in your default web browser.

If your launcher lets you change icons, you may want to replace the CoboltFM icon by something that looks like the last.fm logo. I use the last.fm icon from the GO Launcher EX theme RBW.

The verdict: CoboltFM is better than KLastFM, and if you're in one of the over 200 countries where last.fm won't stream to your phone, CoboltFM is infinitely better than the official last.fm app.

• CoboltFM (Android Market)
• CoboltFM (CoboltForge)

Want more?

• KLastFM (last.fm), QueueTube (YouTube music clips), Dood's Music Streamer (GrooveShark)

Update 1: CoboltFM and KLastFM are dead. Last.fm changed things for the worse and pulled the plug on free streaming for almost everyone. Believe it or not, most of the planet can't stream anymore even if they pay. Last.fm refugees can still stream custom radio stations from Grooveshark with Dood's Music Streamer.

Update 2: Liquid Bear still plays last.fm radio on Android.

File manager ES File Explorer adds more cloud: now talks with box.net too

ES File Explorer is an excellent app to manage the files on your SD card, and if your phone is rooted it lets you into your system files too.

It doesn't stop at your phone. ES File Explorer doubles as an FTP client (not as an FTP server, though), receives files over bluetooth, talks to Samba servers, and it connects to your Dropbox and SugarSync cloud storage as if they were standard FTP servers. The latest update got even more cloudy: now it does box.net too.

Something that didn't change: the plugins. The most useful are the app manager to back up your apk installers, and the bookmark manager to send shortcuts to your files to your home screens.

It still makes and breaks ZIP archives, and it unpacks RARs.

A great app indeed, but it has one bad habit: mystery network traffic when you enable root access. Does it collect usage statistics or what? If all of you ask about it in your Android Market comments or email to the developer (contact@estrongs.com) maybe we'll find out?

• ES File Explorer (Android Market)
• ES File Explorer (EStrongs)

Dolphin Browser phones home again, here's how to stop it

When Dolphin Browser was caught sending your entire surfing history to its webzine server they got so much bad publicity that they had to clean up their act real quick. You'd expect that they learned something from that fiasco, but they didn't.

Dolphin HD version 7.1.0 was caught spying on the same day that it was released.

The new Dolphin sends your Android ID (a number that stays with your phone forever), a Dolphin client ID, your carrier and phone specifications to https://tracken.dolphin-browser.com.

Well, at least they use encryption. And the information isn't really that sensitive. Still, they frequently grab usage statistics and information about your phone without letting you opt out.

Of course you can opt out yourself. The obvious method is to remove Dolphin from your phone, but then you miss out on all its features which leave the competition in the dust. A better way to stop Dolphin from phoning home is to block the target URL in your Android hosts file. This file is usually in /system/etc/hosts. You can edit it manually, or feed the offending domain names to the blocklist of AdAway. Either way, you'll need root access. The URL to block is tracken.dolphin-browser.com.

To cut the line between Dolphin and its maker add these three lines to your hosts file or block the domains with AdAway:

127.0.0.1 tracken.dolphin-browser.com
127.0.0.1 en.mywebzines.com
127.0.0.1 pnsen.dolphin-browser.com

The first line stops usage stats collection. The second line cuts off URL collection by the webzines server (Dolphin stopped sending it, but you never know if it comes back). The third line prevents the popup that begs you to rate Dolphin in the Android Market.

Phoning home is not the only new feature of version 7.1.0. The update allows importing bookmarks from Dolphin Mini, deleting bookmarks from the side bar, picking a different search engine if you don't like Google (you can choose Bing and Yahoo too), and some bug fixes under the hood. Too bad for Dolphin that its data grabbing will get much more attention than the bookmark and search improvements.

Dolphin still doesn't encrypt its backups, so if someone steals your phone they can pull all sorts of private info from your SD card, even if your phone is locked.

Update: Dolphin finally encrypts your backups!

Gesture commands, tabs, plugins, bookmarks sidebar etcetera make Dolphin an excellent mobile web browser, but the way it handles security and privacy is unacceptable. It shares its bad habits with plenty of other Android apps, so root your phone and protect it with electronic condoms like AdAway, DroidWall, and LBE Privacy Guard. Android and its apps need a permanent reminder that it's your phone and your data.

• Dolphin Browser HD

CSipSimple adds plugins for Skype and other VoIP services

Open source VoIP app CSipSimple is not affiliated with any VoIP provider, so it doesn't favor one over the other like Nimbuzz and fring do. Because it doesn't route your calls through its own servers it sounds a lot better than the competition. It integrates with your native dialer app unless you tell it not to, in which case it stays out. Other features include switching off your ringer when you're on a VoIP call to keep incoming calls from blowing up your ears, a clean uncluttered user interface, and support for multiple simultaneous calls.

The latest update adds a new low bandwidth codec for when you're on a slow 3G (or worse) connection. Combined with a new echo killer your calls will be friendly for your ears even if your internet is as slow as the government.

But the real big change in CSipSimple is a new set of plugins. There's a plugin for Betamax. Nope, that's not the old and extinct VCR format, but a collection of SIP providers like VoipCheap, 12voip, and dozens more. Of course you could already use all those SIP services with CSipSimple, but with the new plugins you can now also use their local access numbers and callback service. This can be useful if your mobile carrier doesn't allow you to use classic VoIP over their data network or if you're about to hit your data limit.

The other plugin is for Skype. This first version just launches the Skype client if you pick a Skype contact from CSipSimple, so you need to have the official Skype app installed on your phone. Maybe one day CSipSimple will add the Skype support that Nimbuzz and fring had to drop?

• CSipSimple (Google code)
• CSipSimple (Android Market)
• CSipSimple Skype plugin (Android Market) Update: the Skype plugin has been removed from the Android Market.
• CSipSimple Betamax plugin (Android Market)

Mess up your pictures with Mosaic Wallpaper

Have a picture that's too ugly to use as a wallpaper on your phone, but you want to use it anyway? Then Mosaic Wallpaper is for you.

Mosaic Wallpaper has plenty of image effects to alter your pictures beyond recognition. Circles, stripes, spirals, or just cut it up in little tiles like Antoni Gaudí used to do. You can use the results as a background for your phone, or for anything else.

The image from the screenshot comes from Vladstudio, a great site to grab backgrounds for your homescreens and desktops. I wonder if Vlad would recognise the picture without sneaking a peek at the original image first.

• Mosaic Wallpaper (Android Market)
• Vladstudio

Even more evil: WiFiKill lets you kidnap your victims to your IP address

How to be an obnoxious little brat?

WiFiKill turns your phone into a rogue WiFi access point. It drops the packets of every computer, phone, tablet or other device that you choose to block, so if you want to keep your boss, kids, neighbours, or everyone else around you offline then WiFiKill is your weapon. You can kill all wireless networks that you can connect to, no matter if they're encrypted or not.

More evil

The latest update lets you be even more evil. You can still make your victims think the network is broken, but now you can also redirect unsuspecting surfers to any IP address you like. Virus servers, spam sites, fake login screens, or just an innocent "pwn3d! ur internets are belong to us" page, anything goes. If you want to be an annoying teenage douchebag nothing can stop you, no matter how old you are.

Well, something can stop you. WiFiKill doesn't spoof your MAC address (not yet, but who knows what the next update will bring?) so you may get caught, kicked from the network, lose your job, or get shot at dawn. If you have a brain, switch it on before you switch on WiFiKill. If you don't have a brain then go buy an iPhone.

Another new feature: WiFiKill checks for updates on launch. You can't switch it off, but if you're really paranoid (and you should be!) you can block the update URL in your Android hosts file. You can either edit your hosts file with a text editor, or just use the blacklist option of AdAway. Even easier: block WiFiKill with DroidWall. This disables the update check, but you can still use the app to kill the internet of those around you.

Bad advice

Redirecting traffic to your IP needs a bit of digging in the dirt. Fire up the settings screen, scroll down to the killing rules, switch "use iptables" on, choose the "drop + redirect" method, and then set the IP address to which you want to redirect your friends (soon to be your enemies).

WiFiKill loads a long list of hardware vendors so you can see who made the devices connected to the network. This is real slow, so disable the vendor list if you don't want to wait. You'll only see MAC addresses, not device types, so switch the vendor list back on if you want to kick all iPhones offline without touching the Androids. And keep in mind that WiFiKill also kills your battery because it turns your phone into a bad router. Your phone and your battery will get hammered by every device that connects to you.

You need a rooted phone to play evil games with WiFiKill. Needless to say, Google booted the app off its market real quick so you have to download the APK from somewhere else. The free version has ads, but it's easy to kill them.

• There are different versions of WiFiKill. To find out which version suits you check out this new story on the new (and old) WiFiKill.

LBE Privacy Guard adds data management and DroidWall functions

Too permissive

A major design flaw in Android is the way it handles permissions for apps. When you install an app it asks for permissions to go online, read your private data, get your location, and lots of other scary stuff.

The problem is that your choice is limited to all or nothing. You can either grant an app each and every permission it asks for, or you can choose not to install the app at all. There's nothing in between, and for preinstalled apps you don't get any choice at all. Give 'em a finger and they take the whole hand.

That's why there are apps to fill the gap. None of the permissions managers, firewalls and ad blockers works without root access, so there's yet another good reason to root your phone.

Just say no

Permissions Denied is an app to revoke permissions. Recent versions of CyanogenMod 7 have a built-in permissions manager. Unfortunately those apps really deny permissions, which crashes apps that don't know how to behave when they hear the word "no."

LBE Privacy Guard thinks different. It doesn't deny permissions outright, it simply makes apps believe they still have the permissions that you took away from them. For example, when an app wants to read your contacts list against your will, LBE Privacy Guard feeds the app an empty list. It uses the same trick to protect your messages, location, phone number, IMEI, email, phone bill, etc.

Totally new

The latest update of LBE Privacy Guard is so new that you can't update the old version. Version 2 gets installed as a new app that won't coexist with LBE 1, and your old settings won't carry over either. Upgrading means that your old copy gets bumped off your phone and you'll have to reapply all your granted and denied permissions.

But upgrading is worth it. The new LBE is faster, eats less battery and memory, has a cleaner interface, and comes with new features. Good news for CyanogenMod users: LBE now works on CM7 too.

The main new feature in LBE Privacy Guard is a DroidWall-like firewall which can keep apps away from WiFi, mobile data, or both. It doesn't have the custom rules and blacklist/whitelist options of DroidWall itself, so you may want to keep DroidWall together with LBE.

LBE 2 can also monitor your data usage, and warn you when you're about to go over a preset limit. That might be useful for some, but there are better data managers out there.

Totally old

Some things didn't change. For most permissions you get three choices: permit, deny, or ask me everytime. The exception to the rule is the Phone ID permission (to keep your IMEI, IMSI, and phone number away from spammers). Phone ID permission can be either on or off, but the "ask me" option is missing. Its default setting is "allow."

LBE Privacy Guard won't let you protect its settings with a password, but there are apps out there that can lock down other apps if you need to put a lock on LBE.

Of course LBE Privacy Guard asks for a lot of permissions itself. It needs most of them to do its job, but it doesn't need internet permission. You can take LBE out of your list of trusted apps and tell it not to go online, or blacklist it in DroidWall. So far I didn't detect any unsollicited internet access, but for apps with root access you never know. What would happen on a level playing field where one app with root access (LBE) is kept offline by another app with root access (DroidWall)?

• LBE Privacy Guard (Android Market)

Other apps to keep your phone safe:

• Permissions Denied
• DroidWall
• AdAway (better than AdFree)
• Wi-Fi Ruler
• Flash privacy settings

FileSlick: Android file manager with an eye on looks

There are a couple of good file managers for Android, and a few bad ones too. ES File Explorer is a good file manager, X-plore is pretty good but has a horrible user interface.

Looks and roots

FileSlick is a new file manager which cares a lot about its looks. The first entry in its settings screen is a theme browser, which should give you an idea of its vanity. You can give it a makeover with those themes, and you should because the default theme (text on an image of stones) is a bit of a distraction when you're out to play with your files and folders.

The last entry on the settings screen lets you disable FileSlicks ads without paying. A nice touch, but if you run an app like AdAway or AdFree it doesn't really matter. When you switch off the ads FileSlick pops up a screen asking for a donation (and again everytime you open the settings screen). Whether you put some coins in the tip jar or not is up to you.

Speaking of tip jars: there used to be a time when playing with your system files and folders required paying for Root Explorer. Those days are long gone, because now there are plenty of free file managers with root access. FileSlick is no exception. Tap "root access" in the "Places" menu and you go straight into the guts of your phone. Unfortunately the method to mount files and folders to do something with them is quite counterintuitive, and it doesn't always work. When I tried to rename the files in system/media/audio FileSlick claimed success in a but didn't do anything. You'd expect better from the maker of z4root.

Files and swipes

FileSlick couldn't find any apps to play my mp3s and movies, even though my phone has media players aplenty. As for other file formats, it couldn't find an app to open PDFs (even though I've got Adobe Reader and OfficeSuite Pro on my phone). DOC and XLS worked, PPT did not. Finding out which app can open what format is a hit and miss affair.

FileSlick is not all about looks. Feel counts too, with an emphasis on swiping. Tapping files and folders selects them, opening them requires a swipe, long-tapping doesn't do anything. You'll probably find yourself tapping files and folders and then find them highlighted instead of opened, at least until you get used to the FileSlick way. There's no way to customise the behaviour of taps, long-taps and swipes. I would set swipe to select, tap to open, long-tap to launch the actions menu. You would probably choose something different, so a bit more choice in the settings would be welcome. Maybe in a next version?

In addition to managing files on your phone, FileSlick talks to FTP servers and Samba shares. It also lets you share files over bluetooth, but receiving them is another story. FileSlick is not as full featured as ES File Explorer or FileExpert, but it looks a lot better. Looks are not everything, though. Especially when it's your job to manage files. For all practical purposes FileSlick is still a beta test version with rough edges, but with some extra features and more ways to customise the behaviour of the app it might mature into something useful.

• FileSlick (Android Market)
• FileSlick (xda forum)

The competition:
• ES File Explorer
• X-plore
• File Expert (Android Market)