Google Has Android Remote App Install Power, Too
Posted by timothy from the coming-and-going dept.
Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"
Re:They also removed the restraining bold from C3P (Score:2, Informative)
Re:Drive-by installing (Score:2, Informative)
Re:Good thing that wasn't Apple (Score:5, Informative)
Any moment now, people will start saying that Google is the New Apple, which is the New Microsoft, which is the New...what? Commodore?
IBM, grasshopper, Microsoft used to be the new IBM. Learn your history!
Re:Drive-by installing (Score:5, Informative)
You're just flat wrong. WPA isn't compromised in any way even remotely as badly as WEP was/is.
WPA:TKIP can, in certain cases with certain APs, allow one to inject packets into the network. Packets won't come back to the attacker.
Perhaps one can use that as a way to leverage some additional resources to attack a network. Certainly, I wouldn't feel good with someone being able to inject packets - but it's not a game-over exploit like WEP was.
WPA-AES: There's simply no known attack against the cipher. You might be able to brute-force the key - but that's an issue of any shared-secret system - it doesn't have anything to do with the crypto in WPA:AES. The solution is to use a large key-space (all ASCII characters, not just uppercase alphas, for example) and long-ish. 10 chars or more. Bonus points for more random and less guessable secrets.
So, IMO, to claim "...it's not that much more secure than WEP was when it was introduced." is really a massive overstatement due to ignorance at best, or just plain falsehoods at worst.
Re:Isn't Android Open Source? (Score:4, Informative)
Re:kinda scary (Score:5, Informative)
I am working on it. Just one more line of code, almost there.
I like to lick butts!
Re:Really Really Really? No. (Score:5, Informative)
Well the process would be just as hard on Android but he isn't running Android.
His phone has an officially supported root mode. The root mode isn't killed by updates. It doesn't stop the updates from working. Nor does it prevent you using any applications you could use before like the app store. It doesn't void your warranty. It doesn't require a re-flash.
So no, the process of getting root for you wasn't as easy for you as it was for the GP.
Re:Really Really Really? No. (Score:1, Informative)
Connectivity:
GSM+GPRS+EDGE+UMTS+3G+WCDMA+HSPA at 850/900/1700/1800/1900/2100
So yes it supports all of those networks
Re:Really Really Really? No. (Score:5, Informative)
Seriously, this is a worthwhile point. Maemo (OS on the N900) *IS* Linux, not a fancy face on top of it that takes away your control. The default user is not root, but you can become root. The package manager software is setuid root, but you can fix that if you want to make it impossible to install apps without entering a password.
Re:No (Score:3, Informative)
Re:kinda scary (Score:5, Informative)
@MikeDaSpike
This is not Twitter. We can tell that you are replying to MikeDaSpike because you pressed the Reply to This button under his post and so your post shows up in the thread below his.
Re:Isn't Android Open Source? (Score:4, Informative)
Pretty much only the kernel is open source and not the other parts.
This is incorrect. Most of Android is in AOSP, including the kernel, Dalvik, UI, launcher, dialer, all the libs etc. You can build a fully working system from the open source components (that's how CyanogenMod is built).
Only the Google-specific applications (Maps, Gmail, Gtalk, Google Market, Facebook, Google Voice) are not open source. Many of them can be replaced with alternatives if one wants to release a system without paying Google: e.g. SlideMe market, one of many different e-mail/GPS apps, etc.
You can check the AOSP contents here [kernel.org].