Toot

Written by Lily Hay Newman on 2024-08-15 at 13:34

An old Verizon demo app lurking deep in stock Android creates exposure for almost all Pixel phones. A fix from Google is coming but hasn't been pushed yet. And Palantir says it is concerned enough about the situation to ban all corporate Android devices https://www.wired.com/story/google-android-pixel-showcase-vulnerability/

=> More informations about this toot | More toots from lhn@mastodon.online

Descendants

Written by Neil Craig on 2024-08-15 at 14:36

@lhn I had a security update on my Pixel (6) this morning and I don't see "showcase" in my app listing (even when showing "system" apps) - unsure if this means it's been removed.

Also worth noting:

"while Showcase represents a concerning exposure for Pixel devices, it is turned off by default"

which probably limits the impact at least for a while.

Quite happy my Pixel 9 will arrive next week though!

=> More informations about this toot | More toots from tdp_org@mastodon.social

Written by Chance 'Um on 2024-08-15 at 14:37

@lhn The appeal of Pixel phones was that they were generally clean of this kind of app. Of course it was a telecom app that did this; the customer service of those companies was a tell.

=> More informations about this toot | More toots from tsrams@c.im

Written by Barley Blair on 2024-08-15 at 14:46

@lhn this is so embarrassing for Google. Imagine letting a Verizon app get low-level access to every device, with remote server calls via HTTP that allow code execution. Awful decision.

=> More informations about this toot | More toots from blairbarley@mastodon.social

Written by Robbie Coleman :verified: on 2024-08-15 at 14:47

@lhn

The details make all of this so much worse. Ughhh.

=> More informations about this toot | More toots from erraggy@hachyderm.io

Written by Mr. Shark on 2024-08-15 at 15:58

=> More informations about this toot | More toots from belohai@tech.lgbt

Written by Tavi on 2024-08-15 at 16:05

@lhn

My #DivestOS has had it removed since October 20th 2020: https://codeberg.org/divested-mobile/divestos-build/commit/0958df7de#diff-4badf0fd699f299cce6d6453ceff89904dd4ba0a

@GrapheneOS has had it removed since at least November 7th 2021: https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109

=> More informations about this toot | More toots from divested@infosec.exchange

Written by GrapheneOS on 2024-08-15 at 17:23

@divested @lhn

  1. This app has never been included in GrapheneOS.

  2. Please focus on this part of the article invalidating all of the fearmongering:

"This means that an attacker would first need to turn the application on in a target's device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings."

=> More informations about this toot | More toots from GrapheneOS@grapheneos.social

Written by GrapheneOS on 2024-08-15 at 17:28

@divested @lhn

This is a Verizon demo app included in the stock Pixel OS which doesn't run without being explicitly set up. A user would need to unlock the device, enable developer options (requires lock method), enable ADB, plug the phone into a computer, authorize ADB access and set up the application to run. An attacker would then need to find a vulnerability to exploit the fact that it fetches a configuration file over HTTP and then exploit the OS from the access they gain from there.

=> More informations about this toot | More toots from GrapheneOS@grapheneos.social

Written by GrapheneOS on 2024-08-15 at 17:30

@divested @lhn

Why did Wired write a long article about this promoting Palantir and iVerify by making a massive deal out of something they say requires an attacker to have physical access to the device and the lock method? If they have that, they already have control over the device and can simply install whatever apps they want and grant them any available permissions. They can extract nearly all the data via the backup system. It's not surprising it was treated as barely being a real issue.

=> More informations about this toot | More toots from GrapheneOS@grapheneos.social

Written by Anonax on 2024-08-15 at 18:44

@divested @lhn @.GrapheneOS@grapheneos.social Also seems to be good with @calyxos, although since I don't do any development with it I can't tell for certain. It doesn't show up with pm list packages -u though.

=> More informations about this toot | More toots from anonax@defcon.social

Written by @infosec_jcp 🐈🃏 done differently on 2024-08-15 at 17:11

@lhn

Anyone do a #VirusTotal on that app? 📱🔍🧐

https://infosec.exchange/@Techmeme@techhub.social/112966201849301682

=> More informations about this toot | More toots from infosec_jcp@infosec.exchange

Written by Tom on 2024-08-15 at 17:22

@lhn Maybe a dumb question, but it's important enough to ask anyway - this app is only on phones from Verizon, right? They didn't somehow sneak it into Android as a whole?

=> More informations about this toot | More toots from tjk@oldbytes.space

Written by Jens Zalzala on 2024-08-15 at 17:56

@lhn Huh, I worked on the Verizon Pixel 2 demo app... Pretty sure we didn't build in any back doors, but I also can't think of any reason why it would be included on newer Pixel phones 😝

=> More informations about this toot | More toots from anakin78z@mograph.social

Written by aerique on 2024-08-15 at 19:29

@lhn Just use @GrapheneOS already, people!

Preferably degoogled so we can get some regulation on things that do not work there.

=> More informations about this toot | More toots from aerique@genart.social
