Ancestors

Written by Lily Hay Newman on 2024-08-15 at 13:34

An old Verizon demo app lurking deep in stock Android creates exposure for almost all Pixel phones. A fix from Google is coming but hasn't been pushed yet. And Palantir says it is concerned enough about the situation to ban all corporate Android devices https://www.wired.com/story/google-android-pixel-showcase-vulnerability/


Written by Tavi on 2024-08-15 at 16:05

@lhn

My #DivestOS has had it removed since October 20th 2020: https://codeberg.org/divested-mobile/divestos-build/commit/0958df7de#diff-4badf0fd699f299cce6d6453ceff89904dd4ba0a

@GrapheneOS has had it removed since at least November 7th 2021: https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109


Toot

Written by GrapheneOS on 2024-08-15 at 17:23

@divested @lhn

  1. This app has never been included in GrapheneOS.

  2. Please focus on this part of the article invalidating all of the fearmongering:

"This means that an attacker would first need to turn the application on in a target's device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings."


Descendants

Written by GrapheneOS on 2024-08-15 at 17:28

@divested @lhn

This is a Verizon demo app included in the stock Pixel OS which doesn't run without being explicitly set up. A user would need to unlock the device, enable developer options (requires lock method), enable ADB, plug the phone into a computer, authorize ADB access and set up the application to run. An attacker would then need to find a vulnerability to exploit the fact that it fetches a configuration file over HTTP and then exploit the OS from the access they gain from there.


Written by GrapheneOS on 2024-08-15 at 17:30

@divested @lhn

Why did Wired write a long article about this promoting Palantir and iVerify by making a massive deal out of something they say requires an attacker to have physical access to the device and the lock method? If they have that, they already have control over the device and can simply install whatever apps they want and grant them any available permissions. They can extract nearly all the data via the backup system. It's not surprising it was treated as barely being a real issue.

