I get the sense that this tool is functioning as a trace tool, recording all events, just like tracing is used in application development. However, production apps should have all this tracing turned off (not all do).
So it is tracing all events on the handset, like it is designed to do. Keystrokes are an event, so they get captured too. However, it doesn't mean that all this trace information is being transmitted to the mothership. They may be picking up only certain trace records to send.
This is still wrong. If that information is being logged locally for any duration, then it is just a matter of time before malware finds it and starts to steal it.
I think this is just a case of incompetence, not malice. But their incompetence has left the door open for bad guys to do bad things.



