Carrier IQ, the carrier-sanctioned keylogger and activity monitor that has been confirmed to exist on Android devices, on AT&T and Sprint networks, has been found in iOS. In our post yesterday, we wrongly assumed that Carrier IQ was something that carriers added to smartphones — but now it’s clear that Apple bakes Carrier IQ into its closed-source iOS for use by carriers.

At this point it isn’t clear if Carrier IQ is snooping on your everyday iPhone use. It sounds like it’s only active when “Diagnostics & Usage” is turned on, and that should only be enabled if you clicked “Submit Logs to Apple” during the iOS 5 setup process. There’s also no proof that this data is actually transmitted across the internet to Carrier IQ servers — but to be honest, if Apple has gone to the trouble of installing multiple third-party daemons on its infallible fondleslab, it’s fairly safe to assume that it’s being used.

In other news, Nokia has confirmed that none of its devices have ever used Carrier IQ, and Verizon has also gone on the record to say that it doesn’t use the software. Google, too, has confirmed that none of its flagship Nexus devices (or the Xoom tablet) have Carrier IQ installed. As we reported yesterday, CyanogenMod is safe as well. Over on The Verge, someone who appears to be an employee of RIM says that RIM has never used, or allowed, Carrier IQ to be installed on its BlackBerry devices.

There are also very few reports of Carrier IQ being found on European phones, from carriers like Vodafone, Three, and Orange. For now, it seems like CIQ is mostly contained to AT&T and Sprint devices in the US.

How to detect and remove Carrier IQ

If you’re using an Android phone or tablet, install Trevor Eckhart’s Logging Test App from XDA-Developers (version 7 at the time of publishing; scroll all the way down). Unfortunately, as this is an off-market app (an APK installer), you will need to push it to your device manually. The easiest way to do this is to email the APK to yourself, then download the attachment on your phone. If that doesn’t work, you need to install the Android SDK and use ADB. Your phone needs to be rooted, too (yes, carriers do not make this easy — to root your phone, Google “how to root PHONE_MODEL_HERE_”).

Hit “CIQ Checks” (see right) and the app will tell you if it’s installed. Pay $1 and the app will try to remove it for you (this doesn’t always work, though). Sadly, there doesn’t seem to be any other way to disable CIQ on Android devices. Carriers like AT&T and Sprint will almost certainly provide some kind of workaround in the next few days, though; the clamoring crowd is impossible to ignore at this point.

If you’re using an iPhone or iPad, head into Settings > General > About > Diagnostics & Usage, and click “Don’t Send.”

Update: This route is only available if you’re using iOS 5. If you’re stuck using iOS 3 or 4, and you have a jailbroken device, you can follow Chpwn’s instructions to disable CIQ.

Preventative measures

Ultimately, the safest solution is use a phone that doesn’t have Carrier IQ installed, and a carrier that has resisted the sweet temptation of keylogged telematics. If you currently use an infected Android phone on AT&T, switch to the Galaxy Nexus on Verizon. If your contract isn’t up yet, install CyanogenMod on your phone.

If you’re stuck with your iPhone, either pray that disabling Diagnostics & Usage is enough, or perhaps switch to Windows Phone 7 — so far, it seems like Microsoft’s nippy, tile-based wonder might be the only smartphone OS without Carrier IQ installed.

We will update this post as specific device/carrier combinations with Carrier IQ are discovered — it’s still early days, however!

Update @ 10:50 ET: A commenter points out that Carrier IQ can be found on his UK iPhone — so it’s not just the US-localized version of iOS that has it installed.