[jcfrei]

Right, so in the scenario I mentioned, an update to a Google application would give this application more access to the kernel (through some backdoor) and enable it to intercept the communication of other apps. I'm asking whether this is possible or not - assuming the kernel itself cannot be modified. If that's the case then parts of the android kernel or the way android handles access to microphones, etc. might need to be hardened in the future.

[md_]

The Android security model doesn't work that way. Non-system applications can't access the kernel, minus a local EOP or something like that.

Is that your concern? And if so, why are you concerned specifically about Google apps? Any malicious app can exploit a local EOP.

[matharmin]

Google Apps are typically installed as system apps. Play Store is obvious, since it needs to be able to install/update applications without prompting. The need for other apps (e.g. Gmail) to need system-level permissions is less obvious, but most of them fail to run if you just sideload it without the permissions.

[md_]

Huh? What permissions are you referring to that the Gmail app has?

Also, if I remember right (and I'm not an Android expert, so grain of salt here), Android OS itself enforces sandboxing based on app signing keys; even the Play app can't overwrite the Signal binary without a binary signed by the same key (though conceivably it could install some other fake-Signal app that looks just like Signal and has a similar icon--but that app would not have access to your private key!).

[crowbahr]

While you are correct about the enforcement applying to Google Apps the Google Play Services has all possible permissions. I don't know if they could do something with the kernel from that alone though.

Personally I trust Android as much as I'd trust iOS... Which is to say I expect the government can get at either with physical access but only at the highest levels of government (CIA/NSA/FBI).

[md_]

True. But Play Services is effectively a part of the OS (from Google's perspective).

As you say, in both cases (iOS and Play Services) it's a commercial closed-source bundle. shrug

I don't personally spend time worrying about that, given that Google and Apple's code is probably better reviewed than some random open source app, but some people like to nerd out about such things.

As you say, the FBI was eventually able to get access to the San Bernardino shooter's phone. But this isn't exclusive to the highest levels of government; it just depends on your budget: http://www.reuters.com/article/us-apple-encryption-fbi-idUSK.... It's not surprising the CIA would have a stockpile of unpatched 0days, found or bought.

I don't believe I'm worth $1m to anyone, so I feel pretty safe using both iOS and a recent, patched Android.

[crowbahr]

Totally agree with you. I like my Nexus 5x a lot. I figure that usually it's the highest levels of government who are actually willing to pay a sum like that though. I doubt the local PD is willing to dedicate 1mil to cracking a phone if you get arrested for possession of a controlled substance or something.

And it's kinda an unspoken goal of mine to, ya know, not end up on a CIA watch list. Now I know some of the concern goes around controlling so the Government doesn't get out of control but I think that we would expect a government's worth of resources able to do something as trivial as cracking a commercial phone.

[jcfrei]

> Huh? What permissions are you referring to that the Gmail app has?

Maybe he was referring to these privileged permissions: http://android.stackexchange.com/a/17874/104563

[md_]

I don't think that confers any ability to bypass the sandbox. Again, not an Android expert, so happy to be shown I'm wrong.

[jcfrei]

Yes, that is my concern. You mention system applications - I believe this excludes any application which can be installed (with an app store or apk)? What is a local EOP? I couldn't find any info on this abbreviation. I used Google as an example.

[md_]

EOP = Elevation Of Privilege. e.g. a local->root exploit.

To expand, this would be some vulnerability which allows a non-privileged local app (like Gmail) to execute code at a higher security level.

The focus on Google apps specifically here is misleading. In the Android (and iOS) security model, apps are sandboxed, and cannot generally inject code into other apps (in contrast to most desktop OSes, where all processes running as "you" can sort of do what they want to each other).

The threats that apply on Android or iOS are, roughly speaking:

1. You grant an app more permission than it should have (e.g. microphone or keyboard input)

2. Local EOP plus installing a malicious nonprivileged app (or a remote code execution vuln) such that someone can get root on the device and inject code into Signal (or whatever)

3. A backdoor in the OS or app you are using

Android and iOS both have vulnerabilities in the wild. Older Androids are riddled with them, and the Android ecosystem is shit for getting updates out. If you're not using a Nexus or Pixel or a device from a reputable OEM (supposedly Samsung takes patches seriously, but I don't pay attention to this), you're probably easily exploited.

That's all the news that's here, AFAICT. The focus on encrypted messaging apps is on the one hand silly and on the othe rprobably necessary. Everyone in the security world knows that the easiest way to beat end-to-end encryption is to compromise the endpoint. But everyone in the wider world thinks that if they use Telegram they're secure, even if they're using an unpatched Samsung from 2011.