by antoncohen 4734 days ago
I noticed that my Droid 4 running 4.1.2 was opening an XMPP connection to Motorola servers a month ago. I was watching the logs trying to diagnose another problem, and the XMPP connection happened to be failing at the time. The XMPP connection is no longer failing.

    D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
    I/XMPPConnection(  772): Preparing to connect user XXXXXXXXXXX to service:
        jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
    E/PacketReader(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
    D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
    I/XMPPConnection(  772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
    W/System.err(  772): 	at org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
    E/XMPPConnectionManager(  772): Failed to connect user 'XXXXXXXXXXX' to host 
        'jabber-cloud2-sdc100.blurdev.com on port 5222: Connection failed. No response from server.:
3 comments

XMPPConnection and PacketReader are parts of the Smack XMPP library. If you're the curious type, you can adb into your phone and do a `ps` to correlate the PID that's generating these messages (772 here) with an apk. Then you can dump that apk and disassemble/decompile it (i.e. using apktool, dex2jar, and your favorite Java decompiler).

I was bored so I downloaded the stock Gingerbread image of the X2 and poked around the system a bit. It seems that the bulk of the code is in blur-services.apk.

Manifest: http://pastie.org/pastes/8102815/text

strings.xml: http://pastie.org/pastes/8102837/text

I also found a bunch of apks that look like 'plugins'. I haven't really looked at them, but they should provide a clue to what they're snooping:

    blur_myspace.apk
    blur_linkedin.apk
    blur_picasa.apk
    blur_orkut.apk
    blur_lastfm.apk
    blur_flickr.apk
    blur_youtube.apk
    blur_activesync.apk
    blur_email.apk
    blur_twitter.apk
    blur_skyrock.apk
    blur_facebook.apk
    blur_photobucket.apk
    blur_yahoo.apk

edit: from looking at some of the code, it seems that all this stuff is mostly to provide social networking integration for MotoBlur, and probably not to steal your data. Although personally I'd be flashing CyanogenMod pretty quickly :3
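
The PID correlation described in the comment above, as an added example that is not part of the thread: it groups logcat tags and contacted endpoints by the process that logged them. The log lines are the ones quoted in the post; the `ps` output and its process names are constructed placeholders.

```python
import re
from collections import defaultdict

# logcat "brief" format: PRIORITY/Tag( PID): message
LOG_RE = re.compile(r"^([VDIWEF])/(.+?)\(\s*(\d+)\):\s?(.*)$")
# host/port wording as it appears in the XMPPConnection message in the post
ENDPOINT_RE = re.compile(r"on host: (\S+) and port: (\d+)")

# Log lines copied from the post (user id already redacted there).
LOGCAT = """\
D/CheckinProvider(  507): insertEvents Process tag not allowed: XMPPConnection
I/XMPPConnection(  772): Preparing to connect user XXXXXXXXXXX to service:
    jabber1.cloud2.sdc100.blurdev.com on host: jabber-cloud2-sdc100.blurdev.com and port: 5222
E/PacketReader(  772): \tat org.jivesoftware.smack.PacketReader.parseXMPPPacket(PacketReader.java:503)
I/XMPPConnection(  772): Shutting down connection for user XXXXXXXXXXX to host jabber-cloud2-sdc100.blurdev.com
"""

# Constructed `adb shell ps` output; the process names are placeholders.
PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
system    507   120   480000 30000 ffffffff 00000000 S placeholder.checkin.process
app_12    772   120   470000 28000 ffffffff 00000000 S placeholder.xmpp.process
"""

def parse_ps(text):
    """Map PID -> process name (last column) from `ps` output."""
    rows = [line.split() for line in text.splitlines()[1:] if line.strip()]
    return {int(r[1]): r[-1] for r in rows}

def correlate(logcat, ps):
    """Group log tags and contacted endpoints by the process that logged them."""
    names = parse_ps(ps)
    entries = []  # [pid, tag, message]; wrapped lines are joined to the previous entry
    for line in logcat.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append([int(m.group(3)), m.group(2), m.group(4)])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    report = defaultdict(lambda: {"name": None, "tags": set(), "endpoints": set()})
    for pid, tag, msg in entries:
        rec = report[pid]
        rec["name"] = names.get(pid, "<not in ps output>")
        rec["tags"].add(tag)
        rec["endpoints"].update((h, int(p)) for h, p in ENDPOINT_RE.findall(msg))
    return dict(report)

if __name__ == "__main__":
    print(correlate(LOGCAT, PS))
```

Joining the wrapped continuation line matters here: the host and port sit on the second physical line of the `XMPPConnection` entry, so a line-by-line match would miss the endpoint.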

  > it seems that all this stuff is mostly 
  > to provide social networking integration for MotoBlur

I'm not sure why you'd give them the benefit of the doubt. There's no way they built apps in 20 different flavors that consume ALL network traffic and redirect it to their servers, simply as an accidental rookie mistake.

I don't feel like buying into the idea that it was all consultants hired on short term by Motorola, in a mad scramble to create an Android platform and compete with the iPhone, working under a temporary contract with no accountability.

I don't even want to buy into the idea that maybe there was a large team of disinterested 9 to 5 corporate drones, with a middle manager who was a real dick with a middling paycheck as a mediocre incentive to produce high-quality work, who inspired nothing but apathy in his subordinates, and was too lazy, and too interested in fantasy football, to check their work for network security practices.

Capture ALLLL the traffic, and don't encrypt it? As an innocent mistake?

No way. I can't put the blinders on, here.

What logs were these?

Looks like it's from logcat.