Google Has Android Remote App Install Power, Too
Posted by timothy from the coming-and-going dept.
Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"
Really? (Score:5, Interesting)
You mean they can remotely install apps over the air just like every other modern phone on every other carrier I've ever seen?
This is a non-story -- OTA install is pretty much required by every carrier out there so they can force you to upgrade your phone.
Re:Really? (Score:3, Interesting)
Intelligentia (Score:1, Interesting)
I think the name is what's most interesting -- INSTALL_ASSET - that has a distinctly govt feel to it. Gotta wonder.
Re:Really? (Score:2, Interesting)
A new OS version or patch, sure. An app, not so much. My Android phone doesn't OTA update without prompting me and me approving it. The meat of the article, in my understanding, is that they have a function that will automagically install or remove an app without user interaction. Is that not correct?
As far as I can tell, yes. One instance I could see/understand for this is Google-provided programs that are included with the phone (Maps, Gmail, Browser, etc.) being forced to a newer version.
Re:Really? (Score:5, Interesting)
Actually, according to a talk by Rich Cannings, Google's "Android Security Leader", at Usenix Security '09 in Montreal, Google can choose whether or not to have your phone ask you for permission for an OS upgrade. If they think it's important enough, they reserve the "right", and definitely retain the technical capability, to install an upgrade without asking. The carriers can probably also do OTA upgrades on their own initiative; that part wasn't clear to me.
The whole tone of his talk was scary. There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone, or that such distrust could possibly be legitimate if it did exist. His whole attitude reeked of "we know better than you do", and he seemed to think of the phone's owner more as a security threat than as the person who should be setting security policy. And he didn't even mention the possibility that Google might get compromised.
He also seemed to think of the Android open source project as something to push code to as an afterthought, rather less important than the carriers... whose interests he seemed to think were terribly, terribly important.
It was not reassuring.
And, yes, my understanding matches yours. The article says that they can also install apps, in addition to OTA OS upgrades. In fact, as I read the supporting material, the Market application works by pushing an "INSTALL_ASSET" message to your phone... the same message they'd use to spontaneously install an app. So there's no fixing the problem without either disabling the Market entirely or patching the implementing code.
And of course an OS upgrade could contain code to do anything they want, including enabling them to install apps if they weren't already able to do so.
Re:Really? (Score:2, Interesting)
My old BlackBerry had a similar feature, which was often exploited by Verizon Wireless to push icons for new apps and services to my phone without my permission, and there was nothing I could do about it...
Re:No (Score:4, Interesting)
Such flaws are why professional developers do not put in random features that can be exploited. Sure it might be fun to say that our application has a thousand more features than the competition, but to those that are savvy it is just a thousand more ways to be put at risk.
Re:Really? (Score:3, Interesting)
Let's face it, the only secure computer is one in a perfectly secure vault, powered off, and has the only person who knows where the vault is killed.
Isn't Android Open Source? (Score:5, Interesting)
Re:No (Score:2, Interesting)
My suggestion is that you rely on a land line phone then (were I that worried over it I would go with a vintage rotary phone too - no computer to futz with). All cell phones I know of can add or remove features without your permission. Some may choose not to do so, some may regularly do it, but they all do. Even worse an iPhone, Blackberry, or an Android are *not* phones, they are handheld computers that just so happen to have a cellular device attached to them. Your LG flip phone that has no apps other than what is on the rom is fairly stable, your smart phone is a computer and has all the issues associated with a general purpose computer along with the access that the carriers have always wanted but could never demand before. Some are claiming an N900 can't have this happen but before I made that statement I would want some independent party to verify, not just the assumption it can't from what I have seen. The competition that the /. crowd is mostly looking at (the iPhone) is just as bad with respect to ability to do things but hasn't decided to do so (yet) - the Blackberrys fall into the same boat.
Pretty much every carrier out there has these abilities, they do so for a number of reasons (few of them are for your benefit though) and that isn't going to change. Indeed, even just the plain cell phone will generally have features they can remotely turn off and on. The iPhone (and IIRC the new 2.2 androids) can be remotely bricked (sold to us as a security feature). I have not seen Google do anything that would particularly make them untrustworthy compared to everyone else - indeed I find them better than most (at least they are upfront about the things I do not like instead of lying to me or trying to convince me that raping me is a Good Thing). That is, of course, a kinda loaded statement as I have little trust for anyone else - but since I have no choice but to play in that world they are as good as any of the better ones out there. I treat my phone access like any other non-secure communication - I assume anyone and everyone can see it. For secure access I assume most people can see it.
Plus as the GP says - if the SSL cert is broken then the ability to remote install apps on your phone is the least of our worries. Most phones can be bricked remotely not to mention all the secure sites that rely on x.509 certificates.
Re:Really? (Score:3, Interesting)
There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone,
There's no such thing as trusting them with partial control of your phone because if they can push anything to your phone they can probably root it. So either install your own distribution of Android (perhaps CM) and disable this functionality or accept that others will be helping you manage your phone.
verizon does this to my blackberry (Score:4, Interesting)
one day you look at your phone: hey, there's a bing icon
couple of months later: look at that, a skype icon
it's vaguely unsettling, to be reminded of how raped you are in terms of privacy
Re:kinda scary (Score:3, Interesting)
Meh, they have that kind of software for almost all phones. http://flexispy.com/ [flexispy.com] and plenty others, I'm sure.
I suppose it might be nefarious that they don't even need physical access to your phone to install it. But the install feature probably asks for user confirmation before receiving a "push" install from your carrier, just like my cheap Samsung dumbphone.
If you really want control, I suppose you could put http://www.cyanogenmod.com/ [cyanogenmod.com] on your Android phone. Is that affected?
Re:Call me clueless (Score:5, Interesting)
GPLv2 to bait you in, Apache 2.0 to close you down if needed.
You write the 'free' apps, hunt bugs, preach about the 'freedoms', Google tracks, sells ads, data mines, a push and profit with a sting in the tail it seems.
Re:kinda scary (Score:5, Interesting)
And besides, it's not like google is targeting you specifically, they target all phones with that app installed. The purpose of it is to remove a malicious app before it can do any more damage.
Example: I make an app branded as a porn site viewer, it works as one but it also sends information gathered from your sdcard/phone for some nefarious deeds. Removing it from the market would stop the app from spreading, but it has already been installed on thousands of phones, setting a flag on the market for "uninstall from phone NOW" would fix this.
I know google could be more gentle about it and warn the user and ask for the app to be removed, but it's not like they use it on every app that pisses them, only on those that disregard their stated rules. So far google has been following the rules, so articles like this are just spreading FUD.
Re:No (Score:4, Interesting)
Re:Thank you for the exploit, sir. (Score:3, Interesting)
Re:kinda scary (Score:2, Interesting)
I suppose it might be nefarious that they don't even need physical access to your phone to install it. But the install feature probably asks for user confirmation before receiving a "push" install from your carrier, just like my cheap Samsung dumbphone.
Right. Because the DELETE_ASSET API sure asked for confirmation before deleting those apps from potentially MILLIONS of Android phones.
Oh, wait...