Hacker News new | ask | show | jobs
by diiidn 665 days ago
Okay let's say the app can be enabled remotely by someone other than the user of the phone.

What next? Have you looked at the app? What can actually be done with it? Please explain the exact steps an attacker would take next, with evidence.
2 comments
throwaway290 664 days ago
This thing being there is evidence something somewhere went super wrong and now the entire system cannot be trusted by default.

Ask: was it put there intentionally? If yes, why? If it is there by mistake, and no one at google noticed it there, then how many other (actually properly hidden and actually exploitable) backdoors did they miss in their phone?

link
strcat 665 days ago
The Verizon retail demo mode doesn't become active if the package is enabled and regardless they haven't actually demonstrated enabling any of the Verizon apps on Pixels through the Play Store. Enabling the retail demo app doesn't add any remote attack surface.

Verizon's Android apps are additional attack surface for Verizon Android users on any Android device with proper support for Verizon. The retail demo app has yet to be shown to add any relevant attack surface. Despite that, there's a massive amount of news coverage portraying it as if this was accidentally included (it wasn't) or included for no explicable reason (it used to be used by Verizon for demos in their stores). The other apps in the suite are used as part of providing useful Verizon features because they refuse to do things in a standard way.

GrapheneOS has never included these so it's missing features on Verizon including Wi-Fi calling which work with any normal carrier such as T-Mobile. We're previously analyzed the apps and have repeatedly written about them and our privacy/security concerns. The retail demo app isn't part of what's concerning from our perspective.

iVerify, etc. talk about iOS not including carrier apps but it has included a lot of similar functionality for carriers. They're portraying it as Google not having access to the code and not knowing what the apps do which is at least to us is a strange thing to assume. There are many things wrong with the overall claims. The motivation to promote their product by portraying it as finding this is clear, but they clearly shouldn't get credit for that and we've demonstrated that in our thread. We can provide further examples beyond the thread and commit we linked. This section talks about the carrier apps and is not new or modified recently:

https://grapheneos.org/features#broad-carrier-support

We have a lot of past threads on Twitter about it. A lot is on our pre-2018 Twitter account which got stolen from the GrapheneOS project.

link