Ben Lincoln, a security engineer, claims that there are various Motorola smartphones that are sending sensitive user data back to the company mostly over an unencrypted HTTP channel. He claims to have discovered that the smartphones send back user names, passwords, email addresses, GPS data from photos taken through the camera apart from other sensitive user information. Lincoln says that he made this discovery last month on a Motorola Droid X2 that he was using at that time.
Apparently email addresses for both Facebook and Twitter are sent to Motorola, the passwords are also sent albeit over HTTPS, which makes it relatively harder to be intercepted mid-way. Similar behavior has been noted with Photobucket, Picasa, YouTube, Exchange ActiveSync, IMAP/POP3 email, Yahoo Mail, and Flickr. Under information that is “definitely being collected,” the device’s IMEI and IMSI, phone number and carrier information, phone call and text message statistics, email addresses and usernames configured on the device, apps included with the device or installed by the user and a lot more are listed. All of the technical details as well as list of Motorola devices that do this have been posted by Lincoln to back up these claims on his blog.