The analysis also sheds light on the behind-the-scenes interrelationships between software vendors, handset makers, and carriers when it comes to securing and managing smartphones.
The Carrier IQ smartphone application is designed to accept specific bits of information, dubbed metrics, from the OS. Also loaded on the phone is a carrier-determined "profile," written by Carrier IQ: the profile identifies for the application what subset of those metrics the carrier is interested in. An event or change of state triggers the operating system to send a metric to Carrier IQ. "On receiving a submitted metric, CIQ evaluates whether that metric is 'interesting' based on the current profile installed on the device," Rosenberg writes. "Profiles dictate whether or not a piece of information is relevant for assessing a particular aspect of phone service, such as reception or battery usage.
"Note that the CarrierIQ application simply receives these metrics, collects them, and eventually uploads them to be analyzed by carriers [using the CIQ server application]," Rosenberg notes. "All of the code responsible for determining which metrics are submitted to CIQ for processing is integrated into the phone's application stack by the handset manufacturers themselves."
Bace says, "The engineers at CIQ are extremely well versed in the internals of cellphones; they are similarly well versed in how cellular networks are managed. They started with some innovative ideas of how to manage the integration of both ends of the system more intelligently and have won market share because they delivered on those ideas. I can attest to the fact that none of those ideas have anything to do with monitoring users...."
That original focus on traditional Quality of Service measures has been extended with new functions focused on how users interact with their cellphones, or Quality of Experience measures, as part of how cell carriers judge the success of their offerings, Bace says.
This is borne out by the 12 CIQ metrics Rosenberg found on the Samsung Epic 4G Touch smartphone, running Android. "In this analysis, I enumerated every CarrierIQ-related hook integrated into the Android framework and examined what metrics can possibly be collected, and just as importantly, in what situations," Rosenberg writes. "This list does not include metrics that may be submitted by the baseband, which include additional radio and telephony information."
In his blog post, a table lists the metric ID, the metric itself, the data sent, and the "situation" that triggers the metric:
* browser page render event
* location event, which can use GPS or other location data