Advertisement

Carrier IQ references found in iOS 5, probably benign (updated with Apple statement)

Erica Sadun
Senior Writer
Updated ·9 min read

The Interwebs have been abuzz over the last 24 hours about Carrier IQ on Android smart phones, allegedly logging user activity including keystrokes. TUAW can confirm that Carrier IQ appears to be included on iOS 5, but that its purpose is most likely benign.

iOS virtuoso chpwn discovered Carrier IQ support in firmware as recent as iOS 3.x on Apple's devices. TUAW confirmed Carrier IQ references in iOS 5 after reading this post on the MacRumors forum and evaluating the /usr/bin/awd_ic3 file found in the installed OS.

The firmware contains references to Carrier IQ such as this URL included in the binary. We have included a full set of matching strings at the end of this post.

http://collector.sky.carrieriq.com:7001/collector/c?cm_sl=5

In TUAW's look through the binary calls, we found references to collecting carrier telemetry such as local cell tower, signal strength, and your phone number. We found no references to key logging. We did find remote diagnostic calls like CTServerConnectionEnableRemoteDiagnostics.

What's more, the service may need to be specifically enabled. A property list in the "mobile" user library looks like it has to be overridden to allow diagnostic logging.

iPhone # plutil com.apple.iqagent.plist
{
DiagnosticsAllowed = 0;
}

Further, the binary seems to be somewhat poorly maintained. The primary reference to the /var/wireless/Library/Logs/IQAgent/ folder has now been replaced by /var/wireless/Library/Logs/awd in actual use.

Apple's inclusion of Carrier IQ does not, in our first estimation, appear to be a root kit or threaten privacy. We reserve the right to re-evaluate our judgement on that in the future, but for now we don't see much that bothers us. Given what it records, this sounds like the "help maintain network performance" claim made by Jason Gertzen of Sprint when he was asked about Carrier IQ on Android. But even this is cautiously implemented on iOS.

If you want to stay on top of this story, follow chpwn's blog as he continues to investigate.

Update: The Verge reports that in terms of Android, the Google Nexus One, Nexus S, Galaxy Nexus and original Xoom tablet don't have Carrier IQ. So it appears to be OEMs and carriers who are putting this on the phone.

As for Apple and the iPhone, according to John Gruber you can basically opt-out of Carrier IQ by digging into Settings > General > About > Diagnostics & Usage and turn off the "Send Automatically" switch.

Update 2: Apple has made a statement indicating they quit supporting Carrier IQ with iOS 5, and it has never used Carrier IQ to record personal info like keystroke logging, etc. Apparently it will be removed entirely in a future update.

IQ Matches in /usr/bin/awd_ic3 on an iPhone 4 running iOS 5

/dev/dlci.spi-baseband.iq
/var/wireless/Library/Logs/IQAgent/
/tmp/com.apple.iqagent.server
_IQSem_
/tmp/._IQSHM_
N22CIQAgentImplementation13AgentTaskListE
AddUniqueKey
13IQMetricXform
N21CIQForthMetricFilters18ForthMetricHandlerE
30CIQTransactionElementOperators
9CIQObject
16CIQByteStreamOut
15CIQByteStreamIn
18CIQPacketStreamOut
21IQ_ISQAMetricsHandler
14CIQListElement
16CIQMetricHandler
26CIQKeycodeElementOperators
19CIQElementOperators
N7CIQList25CIQVoidPointerListElementE
N7CIQList30CIQVoidPointerElementOperatorsE
16IQ_SQADataStream
11IQ_IWbxmlCb
27CIQTransactionNetworkLookup
13IQMetricCache
17CIQTargetSocketIf
.carrieriq.com
N20CIQConnectionManager28CIQTransactionNetworkHoldoffE
N20CIQConnectionManager26HoldoffTransactionCallbackE
11CIQCallback
18CIQTargetNetworkIf
27CIQTransactionNetworkStatus
30CIQTransactionNetworkOpenClose
N9IQNetwork15NetworkCallbackE
28CIQUploadTransactionProvider
N13CIQUploadHttp32NetworkLookupTransactionCallbackE
26CIQSocketSecureTransaction
27CIQSocketReceiveTransaction
24CIQSocketSendTransaction
20CIQSocketTransaction
N9CIQSocket25SocketTransactionCallbackE
15CIQTargetFileIf
N14IQ_HttpRequest19StreamSocketHandlerE
18CIQ_ISocketHandler
32CIQMetricArchiveCompressedWriter
22CIQMetricArchiveWriter
14IQ_ISQATrigger
12IQ_Component
com.apple.iqagent
com.apple.iqagent.IQAllowedChangeNotification
IQAgent exiting
IQPorting_GetConfigurationString
IQPorting_GetConfigurationString
.carrieriq.com
IQPorting_NetworkInitialize
IQPorting_SelectFirstNetwork
IQPorting_SelectNextNetwork
IQPorting_GetNetworkPropertyInteger
IQPorting_GetNetworkPropertyInteger 0x%08x
IQPorting_GetNetworkPropertyString
IQPorting_GetNetworkPropertyString 0x%08x
IQPorting_NetworkOpen: kSCNetworkReachabilityFlagsIsWWAN
IQPorting_NetworkOpen
IQPorting_NetworkOpen: PDP %d is active
IQPorting_NetworkOpen: Async pending for PDP %d
IQPorting_NetworkOpen: Received reachability of 0, bailing
IQPorting_NetworkOpen: Not using WWAN for upload
IQPorting_NetworkOpen: could not get reachability
IQPorting_DNSLookup
IQPorting_NetworkClose
IQPorting_NetworkClose - cancelling DNS lookup
IQPorting_NetworkShutdown
IQPorting_SocketSecure is being called
IQPorting_SocketRead being called
IQPorting_SocketWrite is being called
/SourceCache/IQAgent/IQAgent-520/Source/SocketConnection.cpp
/var/mobile/Library/Preferences/com.apple.iqagent.plist
/SourceCache/IQAgent/IQAgent-520/MiG/Server/AWDServer.cpp
CIQ_AgentRequestForBackendWakeup
Shutting down IQ Agent
CIQAgentImplementation::Execute
Entering IQBackend_Execute
Completing IQ Agent shutdown
leaving IQBackend_Execute(%lu)
IQBackend_Initialize() failed, returning %08lx at %lu
//IQ
IQAgent: No Server Connection
libIQ start
ReceivedFromClient(CIQ_CMD_SUBMIT_METRIC): insufficient heap to receive metric, dropping %d bytes.
iq_submit_metric(%s) lock failed
iq_submit_metric(%s) profile changed
iq_submit_metric(%s) corrupted metric buffer
IQ_NOT_AGENT_DATA
IQ_SUCCESS
IQ_ERROR
IQ_CANNOT_INITIALIZE
IQ_NOT_INITIALIZED
IQ_INVALID_PARAM
IQ_OUT_OF_MEMORY
IQ_NO_REGISTRATIONS
IQ_NOT_PERMITTED
IQ_PORTING_IO_WOULDBLOCK
IQ_PORTING_IO_ASYNC_PENDING
IQ_PORTING_IO_BROKEN
IQ_PORTING_ERROR
IQ_PORTING_NOT_IMPLEMENTED
IQ_PORTING_INVALID_PARAM
IQ_PORTING_TIMEOUT
IQ_PORTING_OUT_OF_MEMORY
IQ_PORTING_SHUTDOWN_COMPLETE
IQ_PORTING_NET_UNKNOWN_ERROR
IQ_PORTING_NET_TIMEOUT
IQ_PORTING_NET_UNAVAILABLE
IQ_PORTING_NET_CONNECTION_REFUSED
IQ_PORTING_NET_UNKNOWN_HOST
IQ_PORTING_NET_HOST_UNREACHABLE
IQ_PORTING_NET_WOULD_BILL
IQ_PORTING_NET_UNSUPPORTED_PROPERTY
IQ_PORTING_NET_UNKNOWN_PROPERTY
IQ_PORTING_SOCKET_UNKNOWN_ERROR
IQ_PORTING_SOCKET_SECERR
IQ_PORTING_SOCKET_SECERR_UNREAD_DATA
IQ_PORTING_SOCKET_SECERR_HANDSHAKE
IQ_PORTING_SOCKET_SECERR_BADCERT
IQ_PORTING_SOCKET_SECERR_UNTRUSTED_CA
IQ_PORTING_SOCKET_SECERR_HOST_MISMATCH
IQ_PORTING_SOCKET_SECERR_IP_MISMATCH
IQ_PORTING_SOCKET_UNSUPPORTED_PROPERTY
IQ_PORTING_SOCKET_UNKNOWN_PROPERTY_VALUE
IQ_PORTING_FILE_UNKNOWN_ERROR
IQ_PORTING_FILE_EOF
IQ_PORTING_FILE_NO_SPACE
IQ_PORTING_FILE_BAD_NAME
IQ_PORTING_FILE_MAX_FILES_EXIST
IQ_PORTING_FILE_MAX_FILES_OPEN
IQ_PORTING_FILE_ALREADY_OPEN
IQ_PORTING_FILE_NO_FILE
IQ_PORTING_FILE_BAD_SEEK_POS
IQ_PORTING_FILE_FILE_EXISTS
IQ_PORTING_IOEVENT_WRITABLE
IQ_PORTING_IOEVENT_WRITE_COMPLETE
IQ_PORTING_IOEVENT_READABLE
IQ_PORTING_IOEVENT_READ_COMPLETE
IQ_PORTING_IOEVENT_ERROR
IQ_PORTING_IOEVENT_OPEN_COMPLETE
IQ_PORTING_IOEVENT_NETWORK_AVAILABILITY_CHANGED
IQ_PORTING_IOEVENT_NETWORK_OPENED
IQ_PORTING_IOEVENT_NETWORK_CLOSED
IQ_PORTING_IOEVENT_SOCKET_CONNECTED
IQ_PORTING_IOEVENT_SOCKET_SECURED
IQ_PORTING_IOEVENT_SOCKET_SERVER_CLOSED
IQ_PORTING_IOEVENT_SMS_SEND_COMPLETED
IQ_PORTING_IOEVENT_SMS_SEND_FAILED
CIQ-%lu
/tmp/com.apple.iqagent.server
16CIQAsyncTaskList
12CIQAsyncTask
24CIQTextMsgKeycodeHandler
24CIQLoggingKeycodeHandler
24CIQGeneralKeycodeHandler
19CIQKeycodeProcessor
N19CIQKeycodeProcessor21KeypressMetricHandlerE
N19CIQKeycodeProcessor15KeycodeUnlockerE
18CIQKeycodeCallback
IQ-3.2.10:4096
IQ Agent v3.2.10:4096 [08/30/11 03:54:31]
CIQCrasher::CrashMe(%ld)
CIQCrasher::CrashMe(%ld): %lu
10CIQCrasher
IQBridge::OpenComplete(%s)
IQBridge::Broken
8IQBridge
N8IQBridge13ProfileWriterE
N8IQBridge16TimeSynchronizerE
N8IQBridge6ReaderE
N8IQBridge16TimeSubscriptionE
N8IQBridge11SyncWatcherE
23CIQTouchscreenProcessor
N23CIQTouchscreenProcessor24TouchscreenMetricHandlerE
20IQ_SQATriggerService
CIQPROFIL
CIQProfileDatabase::set_profile: Id: %ld Name: %s
CIQProfileDatabase::set_profile(Default): Id: %ld
CIQProfileDatabase::LoadProfile: %s
CIQPRSTAT
LoadProfile CIQ_Dictionary_Construct() failed: %08lx
IQ_File::WriteAll failed (%ld)
IQ_File::ReadAll failed (%ld)
25IQ_SQAPackageAgentService
calling IQPorting_FileClose handle=%ld
returning IQPorting_FileClose status=0x%08lx
calling IQPorting_FileFlush handle=%ld
returning IQPorting_FileFlush status=0x%08lx
calling IQPorting_FileGetPosition handle=%ld
returning IQPorting_FileGetPosition status=0x%08lx, position=%ld
calling IQPorting_FileSetPosition handle=%ld, offset=%ld, origin=%ld
returning IQPorting_FileSetPosition status=0x%08lx
calling IQPorting_FileWrite handle=%ld, ptr=0x%08lx, len=%ld
returning IQPorting_FileWrite status=0x%08lx, len=%ld
calling IQPorting_FileRead handle=%ld, ptr=0x%08lx, len=%ld
returning IQPorting_FileRead status=0x%08lx, len=%ld
calling IQPorting_FileOpen filename=%s, cbFunc=0x%08lx, cbData=0x%08lx
returning IQPorting_FileOpen status=0x%08lx, handle=%ld
calling IQPorting_FileCreate filename=%s, cbFunc=0x%08lx, cbData=0x%08lx
returning IQPorting_FileCreate status=0x%08lx, handle=%ld
IQPorting_FileCreate() returned IQ_PORTING_FILE_MAX_FILES_EXIST
calling IQPorting_FileDelete filename=%s
returning IQPorting_FileDelete status=0x%08lx
calling IQPorting_FileRename oldName=%s, newName=%s
returning IQPorting_FileRename status=0x%08lx
calling IQPorting_FileEndListing cookie=0x%08lx
returning IQPorting_FileEndListing status=0x%08lx
calling IQPorting_FileGetNextFile maxNameLen=%ld
returning IQPorting_FileGetNextFile cookie=0x%08lx, filename=%s, status=0x%08lx
calling IQPorting_FileBeginListing
returning IQPorting_FileBeginListing newCookie=0x%08lx
calling IQPorting_FileShutdown
returning IQPorting_FileShutdown status=0x%08lx
calling IQPorting_FileInitialize
returning IQPorting_FileInitialize status=0x%08lx
17CIQTargetFileShim
CIQTIME
N14CIQTimeManager15PeriodicCheckerE
http://collector.sky.carrieriq.com:7001/collector/c?cm_sl=5
IQPorting_GetUploadWhitelist failed.
20CIQConnectionManager
N20CIQConnectionManager14KeycodeHandlerE
CIQCOOK
14CIQCookieStore
CIQ_PACKAGE_PUSH_ID: GetPackageAgentForID(%08lx) failed.
CIQ_PACKAGE_START_ID: IQPackageAgentFactory::StartPackage() failed.
Request to end CIQPackage(%08lx, %08lx) ignored
Calling CIQPackage(%08lx, %08lx)::Abort()
N22CIQPackageAgentFactory21RemotePackageListenerE
N22CIQPackageAgentFactory15PackageListenerE
CIQCallbackProcessor::ProcessCallbacks
20CIQCallbackProcessor
20CIQTargetTransaction
IQ00000
StoreProfile(%s) failed: CIQ_NEW(CIQFile) failed
StoreProfile(%s) failed: CIQFile::InitCheck(): %08lx
StoreProfile(%s) failed: CIQ_NEW(CIQLZWriter) failed
StoreProfile(%s) CIQLZWriter::InitCheck() failed
13IQ_SQAService
CIQASSERT
CIQDebugger::PassAllMetrics(%s)
11CIQDebugger
N11CIQDebugger7HandlerE
N11CIQDebugger6CmdNubE
N20IQ_SQAMetricReporter14KeycodeHandlerE
N20IQ_SQAMetricReporter7HandlerE
13CIQSubscriber
calling IQPorting_GetNetworkPropertyString: propId=%s, bufLen=%lu
returning IQPorting_GetNetworkPropertyString: status=%s, propValue=%s
callback for IQPorting_Network DNS: data=%ld, ip=0x%08lx, err=%s
calling IQPorting_GetNetworkPropertyInteger: propId=%lu
returning IQPorting_GetNetworkPropertyInteger: status=%s, propValue=%08lx
calling IQPorting_SelectNextNetwork
returning IQPorting_SelectNextNetwork: status=%s
calling IQPorting_SelectFirstNetwork
returning IQPorting_SelectFirstNetwork: status=%s
calling IQPorting_NetworkClose
returning IQPorting_NetworkClose: status=%s
IQPorting_DNSLookup(%s, 0x%08lx, %ld) %s in %ld ms
calling IQPorting_NetworkOpen: flags=%ld
returning IQPorting_NetworkOpen: status=%s
calling IQPorting_NetworkInitialize: cb=0x%08x, cbData=%ld
returning IQPorting_NetworkInitialize: status=%s, netState=%ld
callback for IQPorting_Network InitOpen: data=%ld, event=%s, param=%ld, err=%s
20CIQTargetNetworkShim
UNEXPECTED: Got IQ_PORTING_IOEVENT_NETWORK_OPENED event but no open request was pending
UNEXPECTED: Network state must be IQ_NETWORK_AVAILABLE upon a IQ_PORTING_IOEVENT_NETWORK_OPENED event
UNEXPECTED: Got IQ_PORTING_IOEVENT_NETWORK_CLOSED event but no close request was pending
CIQ_VM_ExecuteToken() failed: %08lx
9IQNetwork
N9IQNetwork13NetworkCloserE
N15IQ_SQAScheduler19SchedulerSubscriberE
CIQ_VM_ExecuteToken: Unrecognised token = 0x
ExecuteFilter(%s): CIQ_VM_ExecuteToken(filter_xt) failed: %08lx
15CIQPackageAgent
N15CIQPackageAgent18EndTriggerListenerE
N15CIQPackageAgent5TimerE
N15CIQPackageAgent7CounterE
N15CIQPackageAgent9CollectorE
15CIQStreamReader
15CIQStreamWriter
13CIQStreamTask
19CIQPacketSerializer
N19CIQPacketSerializer12PacketStreamE
17CIQByteStreamBase
25CIQAutonomousStreamReader
23CIQBufferedStreamWriter
N23CIQBufferedStreamWriter6WriterE
CIQPackage(%08lx) %08lx timed out while waiting on slave.
10CIQPackage
N10CIQPackage26TransferCompleteSubscriberE
CIQSerialPort::callback(%s) %08lx
13CIQSerialPort
N13CIQSerialPort18SerialPortCallbackE
N13CIQSerialPort8InStreamE
N13CIQSerialPort9OutStreamE
13CIQAsyncMutex
17CIQPackageSegment
18IQ_SQATimerTrigger
19IQ_SQAMetricTrigger
N19IQ_SQAMetricTrigger7HandlerE
IQUR+RF %lu
IQUR+RS %lu
IQUR+CU: to=%lu, ur=%lu, %s
IQUR+CU: to=%lu, ur=%lu
IQUR+SP: url=%s
24IQPersistedUploadRequest
ciq_bill
32CIQHTTPUploadTransactionProvider
N32CIQHTTPUploadTransactionProvider17NetworkSubscriberE
20CIQStreamMultiplexor
N20CIQStreamMultiplexor7ChannelE
CIQPacketReader::DoRead(): packet overflow, dropping data
15CIQPacketWriter
N15CIQPacketWriter6StreamE
15CIQPacketReader
N15CIQPacketReader6StreamE
19CIQPackageContainer
N19CIQPackageContainer10ReadStreamE
N19CIQPackageContainer11WriteStreamE
7CIQFile
N7CIQFile10ReadStreamE
N7CIQFile11WriteStreamE
11CIQLZWriter
12CIQAggregate
N12CIQAggregate7HandlerE
15IQ_SQAHistogram
21CIQStateMachineWriter
22IQ_SQAProfileDecoderCB
application/vnd.carrieriq.sqpota
13CIQUploadHttp
23IQ_SQAImageBufferStream
16IQ_SQANullStream
20CIQUploadTransaction
X-CIQ-GPS-MILLIS
9CIQSocket
calling IQPorting_SocketClose
returning IQPorting_SocketClose: status=%s
calling IQPorting_SocketWrite: sock=%ld, ioBuf=0x%08lx, len=%ld
returning IQPorting_SocketWrite: status=%s, len=%ld
calling IQPorting_SocketRead: sock=%ld, ioBuf=0x%08lx, len=%ld
returning IQPorting_SocketRead: status=%s, len=%ld
calling IQPorting_SocketSecure: sock=%ld, host=%s, ip=0x%08lx
returning IQPorting_SocketSecure: status=%s
calling IQPorting_GetSocketPropertyInteger: sockId=0x%08lx propId=%lu
returning IQPorting_GetSocketPropertyInteger: status=%s, propValue=%08lx
calling IQPorting_SocketOpenConnect_1: ip=0x%08lx, port=%ld, sslHost=%s, sslIp=0x%08lx
calling IQPorting_SocketOpenConnect_2: cb=0x%08lx, cbData=%ld, flags=%ld
returning IQPorting_SocketOpenConnect: status=%s, sock=%ld
socketCB IQPorting_Socket: cbData=%ld, event=%s, param=%ld, err=%s
19CIQTargetSocketShim