Forgot your password?
typodupeerror
Google Security Cellphones Handhelds Operating Systems Software Technology

Google Has Android Remote App Install Power, Too 278

Posted by timothy
from the coming-and-going dept.
Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"
This discussion has been archived. No new comments can be posted.

Google Has Android Remote App Install Power, Too

Comments Filter:
  • by Anonymous Coward

    Google has been taken over by Jawas.

  • kinda scary (Score:5, Insightful)

    by grapeape (137008) <{moc.rr.ck} {ta} {7epopm}> on Friday June 25, 2010 @09:54PM (#32699506) Homepage

    So how long until we see someone attempt to exploit this?

    • Re:kinda scary (Score:5, Insightful)

      by FooAtWFU (699187) on Friday June 25, 2010 @10:16PM (#32699606) Homepage
      How long until someone exploits this? Well, I bet Google or some other vendor will try to sell it as part of an offering for businesses within the next 2 years. Remote software installs would be very useful in the enterprise.
      • Re:kinda scary (Score:5, Insightful)

        by MrNaz (730548) on Friday June 25, 2010 @10:30PM (#32699676) Homepage

        I think that remote anything should be opt-in by the user, or, in an enterprise setting, should be added on by the enterprise before distributing the units. I do not welcome the idea that *all* Android handsets will have remote add/remove package functionality out of the box, for all users.

        Imagine the fun law enforcement and government agencies will have with this. Remote install app that silently forwards mic input to an eavesdropper.

        Is there even a way to turn this feature off? I.e., lets say I buy a handset and I definitely do *not* want Google nuking my apps remotely or adding apps to my phone remotely without my knowledge.

        This is the reason that I think the FOSS community should back MeeGo. It's the only *true* open source system out there that's open enough that the Many Eyeballs principle can be applied to, and that is open enough that we'll eventually see custom distros of the OS emerging.

        • Re:kinda scary (Score:4, Insightful)

          by Anonymous Coward on Friday June 25, 2010 @10:47PM (#32699752)

          Imagine the fun law enforcement and government agencies will have with this. Remote install app that silently forwards mic input to an eavesdropper.

          Then they can remote install some kiddy porn images so they have excuse to raid his house and confiscate all his computer equipment.

        • Re: (Score:3, Interesting)

          by rwa2 (4391) *

          Meh, they have that kind of software for almost all phones. http://flexispy.com/ [flexispy.com] and plenty others, I'm sure.

          I suppose it might be nefarious that they don't even need physical access to your phone to install it. But the install feature probably asks for user confirmation before receiving a "push" install from your carrier, just like my cheap Samsung dumbphone.

          If you really want control, I suppose you could put http://www.cyanogenmod.com/ [cyanogenmod.com] on your Android phone. Is that affected?

          • Re:kinda scary (Score:5, Interesting)

            by MikeDaSpike (1196169) on Saturday June 26, 2010 @12:51AM (#32700280)
            Not to mention, google already announced you will be using this feature before. If you haven't seen this years google I/O then I'll tell you: you will be able to install apps on your phone from any device in the cloud.

            And besides, it's not like google is targeting you specificaly, they target all phones with that app installed. The purpose of it is to remove a malicious app before it can do any more damage.

            Example: I make an app branded as a porn site viewer, it works as one but it also sends information gathered from your sdcard/phone for some nefarious deeds. Removing it from the market would stop the app from spreading, but it has already been installed on thousands of phones, setting a flag on the market for "uninstall from phone NOW" would fix this.

            I know google could be more gentle about it and warn the user and ask for the app to be removed, but it's not like they use it on every app that pisses them, only on those that disregard their stated rules. So far google has been following the rules, so articles like this are just spreading FUD.
        • by fishexe (168879)

          It's the only *true* open source system out there that's open enough that the Many Eyeballs principle can be applied to, and that is open enough that we'll eventually see custom distros of the OS emerging.

          Although I get your point, I'd say the Many Eyeballs principle is working with Android, given that this article exists.

        • Re:kinda scary (Score:4, Insightful)

          by Lemming Mark (849014) on Saturday June 26, 2010 @05:28AM (#32701258) Homepage

          MeeGo also has the advantage of not reinventing the entire userspace, thus remaining closer to what we generally consider a GNU/Linux system. Android is quite slick in practice but it does upset me that it's so non-standard in every possible way :-(

    • by AnAdventurer (1548515) on Friday June 25, 2010 @11:44PM (#32700024)
      I am working one it. Just one more line of code, almost there.
    • Re: (Score:3, Insightful)

      by gregor-e (136142)
      An exploit for remote app installs should come about as soon as an exploit for the automatic OS update feature. Chances are good they both use similar protections.
    • Re: (Score:3, Funny)

      by SETIGuy (33768)
      Why would they need to? They could write an app to do it. And then they wouldn't need to hack google.
  • by BlueBoxSW.com (745855) on Friday June 25, 2010 @09:54PM (#32699508) Homepage

    Slashdot headline would have been:

    "Evil Apple Hides Secret Rootkit Installer on All iPhones"

    • by Mitchell314 (1576581) on Friday June 25, 2010 @10:09PM (#32699586)
      Then it wouldn't have been news. :P
    • Slashdot headline would have been:

      "Evil Apple Hides Secret Rootkit Installer on All iPhones"

      Any moment now, people will start saying that Google is the New Apple, which is the New Microsoft, which is the New...what? Commodore?

      • by ChatHuant (801522) on Friday June 25, 2010 @11:34PM (#32699978)

        Any moment now, people will start saying that Google is the New Apple, which is the New Microsoft, which is the New...what? Commodore?

        IBM, grasshopper, Microsoft used to be the new IBM. Learn your history!

        • But what's IBM? The new AT&T?
        • by fishexe (168879)

          Any moment now, people will start saying that Google is the New Apple, which is the New Microsoft, which is the New...what? Commodore?

          IBM, grasshopper, Microsoft used to be the new IBM. Learn your history!

          Microsoft was never the new anything. They basically invented the business model of selling software to hardware vendors, so anyone that replaces them in that capacity is the new Microsoft, but they are the original. This was never IBM's market.

    • Slashdot headline would have been: "Evil Apple Hides Secret Rootkit Installer on All iPhones"

      Well, that's essentially how we are taking this news, right? Same difference, but Android users don't need the more colorful language to comprehend what's going on. The reporting was spot on, and we get it, without alarmism.
  • Really? (Score:5, Interesting)

    by parc (25467) on Friday June 25, 2010 @10:01PM (#32699542)

    You mean they can remotely install apps over the air just like every other modern phone on every other carrier I've ever seen?

    This is a non-story -- OTA install is pretty much required by every carrier out there so they can force you to upgrade your phone.

    • Re: (Score:3, Interesting)

      by gimmebeer (1648629)
      A new OS version or patch, sure. An app, not so much. My Android phones doesn't OTA update without prompting me and me approving it. The meat of the article, in my understanding, is that they have a function that will automagically install or remove an app without user interaction. Is that not correct?
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        A new OS version or patch, sure. An app, not so much. My Android phones doesn't OTA update without prompting me and me approving it. The meat of the article, in my understanding, is that they have a function that will automagically install or remove an app without user interaction. Is that not correct?

        As far as I can tell, Yes. One instance I could see/understand is for this is Google provided programs that are included with the phone (Maps, Gmail, Browser, ext) being forced to a newer version.

      • Yes but think about it, if there is a terrible vulnerability in the browser, I think I'd like Google to patch it even if it didn't have an entire new kernel and the like.

        Chances are your browser is going to be the most targeted part of any OS and it is an app.
        • Yes but think about it, if there is a terrible vulnerability in the browser, I think I'd like Google to patch it

          I would prefer that Google didn't put a browser on my phone that contains a "terrible vulnerability".

          • Re: (Score:3, Interesting)

            by Darkness404 (1287218)
            Right, because we all know that there are perfectly secure computers. Perfectly secure software. Silly Google for not adding in Perfectly Secure Browser V 1.0

            Lets face it, the only secure computer is one in a perfectly secure vault, powered off and has the only person know where the vault is killed.
            • by Americano (920576)

              If it's google software, it's "Perfectly Secure Browser (Beta!)" and will remain so for a good couple years before it reaches v 1.0.

      • Re:Really? (Score:5, Interesting)

        by Hizonner (38491) on Friday June 25, 2010 @10:29PM (#32699674)

        Actually, according to a talk by Rich Cannings, Google's "Android Security Leader", at Usenix Security '09 in Montreal, Google can choose whether or not to have your phone ask you for permission for an OS upgrade. If they think it's important enough, they reserve the "right", and definitely retain the technical capability, to install an upgrade without asking. The carriers can probably also do OTA upgrades on their own initiative; that part wasn't clear to me.

        The whole tone of his talk was scary. There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone, or that such distrust could possibly be legitimate if it did exist. His whole attitude reeked of "we know better than you do", and he seemed to think of the phone's owner more as a security threat than as the person who should be setting security policy. And he didn't even mention the possibility that Google might get compromised.

        He also seemed to think of the Android open source project as something to push code to as an afterthought, rather less important than the carriers... whose interests he seemed to think were terribly, terribly important.

        It was not reassuring.

        And, yes, my understanding matches yours. The article says that they can also install apps, in addition to OTA OS upgrades. In fact, as I read the supporting material, the Market application works by pushing an "INSTALL_ASSET" message to your phone... the same message they'd use to spontaneously install an app. So there's no fixing the problem without either disabling the Market entirely or patching the implementing code.

        And of course an OS upgrade could contain code to do anything they want, including enabling them to install apps if they weren't already able to do so.

        • Re:Really? (Score:5, Insightful)

          by TheEyes (1686556) on Friday June 25, 2010 @10:59PM (#32699822)

          ...he seemed to think of the phone's owner more as a security threat than as the person who should be setting security policy.

          To be fair, he does have a point, if in fact that was his view. I mean, how many zombified PCs are out there now, DDoSing servers and spamming the planet, just because their owners can't manage (at a bare minimum) to enable Automatic Updates? Millions? Tens of millions?

          I know hating Google is in vogue these days, but let's be honest here: so far, they're no Microsoft. They're not a convicted monopoly; they've gone out of their way to invest real resources in opening their services, actually spending money to make it easier for people to migrate away from Gmail and Google Docs; they sponsor and promote open source; and they compete by constantly making their products better, rather than trying to strong-arm people into buying their junk. So yeah, until they show otherwise, I'm going to be cautiously optimistic and give them the benefit of the doubt.

          The question is, is there a way for paranoid individuals to turn this capability off if they want to. Let the Joe Sixpacks of the world live in blissful ignorance, and let Google keep them from bringing the cell networks down with their inability to properly patch and protect their phones; just give me the ability to opt out if I know the risks, and choose to take them.

          • by Dhalka226 (559740)

            The question is, is there a way for paranoid individuals to turn this capability off if they want to.

            There shouldn't be, for all the reasons you gave in support of why users really ARE a security threat rather than the ones who should be setting security policy for their phones. If the question is "does Google or the owner know better whether or not something should be installed?" the answer can't be "Google, but they should make a checkbox that says 'lulz just kidding, I'm smarter, turn it off.'" It's

            • by fishexe (168879)

              The question is, is there a way for paranoid individuals to turn this capability off if they want to.

              There shouldn't be, for all the reasons you gave in support of why users really ARE a security threat rather than the ones who should be setting security policy for their phones.

              There should be, for the reason that only some users are a security threat (as described in GP, the ones whose PCs are DDOS-bots and such) while others are not (those of us who update regularly and don't run untrusted executable downloads or other shifty things).

              If the question is "does Google or the owner know better whether or not something should be installed?" the answer can't be "Google, but they should make a checkbox that says 'lulz just kidding, I'm smarter, turn it off.'" It's not logically consistent.

              It's not logically consistent only if you assume all users are identical. isn't it more reasonable to say that Google is better at deciding than those users who never figure out where the check box is or never care enough to check it, and Google is

            • Re: (Score:2, Insightful)

              by TheEyes (1686556)

              How is that not consistent? For the vast majority of users, a phone is an appliance, just like a PC is an appliance, or a refrigerator, or a car. They don't know what is involved in maintaining that phone, or the security risks associated with using the phone, nor are they particularly inclined to care; they have more important things to do with their lives, like hold down a job, take care of kids, keep up with politics to be a better informed voter, etc. For these sorts of people, whom I suspect makes up a

        • Re: (Score:3, Interesting)

          by drinkypoo (153816)

          There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone,

          There's no such thing as trusting them with partial control of your phone because if they can push anything to your phone they can probably root it. So either install your own distribution of Android (perhaps CM) and disable this functionality or accept that others will be helping you manage your phone.

      • Re: (Score:3, Insightful)

        by msauve (701917)
        Just because the updates which have come out already have asked you to update doesn't mean that is a prerequisite. You are implying ("An app, not so much.") that other phones can't update an app. Not true. "Every other phone" allows carriers to to do over the air updates. If they want to do an app, they can, by pushing a full image which includes that app. That Android is more modular, and allows_just_ an app to be pushed should be considered a benefit, as it allows a less risky way of updating things. Whet
      • Re: (Score:3, Insightful)

        by FlyingBishop (1293238)

        The line between OS version and app is entirely arbitrary, and Google is working to move more of the OS functionality into apps.

        From a security standpoint, if Google has access to this, they have access to the OS anyway, installing/removing apps is not a big deal. They already have root on your device (and you don't.)

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      my old blackberry had a similar feature; which was often exploited by verizon wireless to push icons for new apps and services to my phone without my permission and there was nothing i could do about it...

      • My guess is though, Google isn't going to do that. Carriers are their number one hindrance to innovation.
    • by Kludge (13653) on Friday June 25, 2010 @10:55PM (#32699800)

      My "most modern phone", the N900, is not bound to any carrier, and I am quite certain that my carrier does not have the ability or a clue how to install anything on it. I'm root. Not them.

      Apple and Android folks: Enjoy being someone else's bitch.

      Was this post obnoxious? Yes, in a very nerdy way.

      • Dang it, I'm much happier with T-Mobile (except for the lack of 3G at home) than I ever was with AT&T, but now I really want an N900 (even more than I did yesterday). I've also been considering switching to Credo Mobile, since the liberal-progressive/ethical niche they've been claiming suits my own beliefs. Just not sure about using a smaller company, even though they apparently use Sprint's network, or shelling out a bunch for a new phone when I'm mostly happy with mine. Too much information! Go back!!
      • Seriously, this is a worthwhile point. Maemo (OS on the N900) *IS* Linux, not a fancy face on top of it that takes away your control. The default user is not root, but you can become root. The package manager software is setuid root, but you can fix that if you want to make it impossible to install apps without entering a password.

        • Which is just about the same as Android, then. Google releases the Android source so you could patch the install mechanism if you wanted to. I'm root on my Nexus 1 - that is basically just a command away.

          The thing is, just because I am root and has access to the source code doesn't mean there aren't backdoors that hasn't been detected yet. I don't see how Maemo is different in that regard. Or say, Ubuntu. There COULD be a hidden backdoor somewhere, cleverly obfuscated for when Mark Shuttleworth wants to tak

    • Nokia phones do not have this "american feature".
      And I am happy with that.
    • I'm guessing that you're in the US, in that case. My carrier can push updates to the SIM card (which they provided), but they don't even get told what kind of phone I'm using and there is no feature for them to push updates to it. Even SIM updates require me to permit them, although if I don't then (theoretically, at least), my phone could lose the ability to connect to the network.
  • Not so terrible (Score:5, Insightful)

    by Darkness404 (1287218) on Friday June 25, 2010 @10:19PM (#32699616)
    Really, this makes a bit more sense than having 234234234324234 OS updates every year. The majority of updates can be done by removing/updating apps, not to mention security patches. Really, some phones already have the latest Android they will ever get, barring rooting. But people will keep using that phone for 4+ years, that is a long time to have a security flaw out there that could steal information. Since the browser is going to be the main attack vector which is an app, it makes sense.

    While this could be used to push more carrier crapware, I think updates and upgrades of installed apps are more likely to work for more phones and easier for the average user to use.

    In all honesty, would you rather be using an outdated version of a browser with security flaws because your phone doesn't support Android 2.75 Double Chocolate Chunk Cookie or just have your browser update to a more secure version OTA?
  • by John Hasler (414242) on Friday June 25, 2010 @10:26PM (#32699660) Homepage

    ...when Slashdot raises a stink about them removing it.

    "Oops. Sorry. Here's your keylogger back."

  • Calling it INSTALL_ASSET makes it seem so real.
  • Does anyone remember the android demo at Google IO where they showed the remote install feature from the android market on a desktop browser in froyo? Seriously, just because there is remote install functionality in the OS doesn't mean that it's there for malicious or secret use -- it's most likely part of a user facing feature.
    • Someone already commented that the Market app likely pushes such commands to your phone.

      If true, then I have to ask - do you get any confirmation popups after clicking the install button? (I don't have an Android phone or device, so I wouldn't know)

    • by HiThere (15173)

      What it means is that it there for use. Good or bad don't enter into it, it's a capability.

      Once you realize that the capability is there, you can make an informed decision. (Personally, I've decided that I'm not buying an Android either. I've already made this decision about many other platforms, but I had been thinking about getting an android.)

      It's coming up to time to decide on a new phone. It looks like I'll be going with the cheapest one again rather than buying a fancy one. But there are still a

    • Seriously, just because there is remote install functionality in the OS doesn't mean that it's there for malicious or secret use -- it's most likely part of a user facing feature.

      For the most part, I trust Google, T-Mobile, and even Microsoft. I don't question their intentions, or their desire to keep us and the networks as secure as is reasonably possible. But sometimes things go awry, and capabilities for remotely forced installs could of course theoretically be co-opted by someone with more malicious
  • by warrior_s (881715) <kindle3@[ ]il.com ['gma' in gap]> on Friday June 25, 2010 @11:36PM (#32699990) Homepage Journal
    Excuse my ignorance... but why is this a surprise when android is an open source OS? Why has anyone not noticed this in the source code!! Or is only kernel open source and not the other parts?
    • by AHuxley (892839) on Saturday June 26, 2010 @12:37AM (#32700202) Homepage Journal
      Apache 2.0 and GPLv2. Open for you to fix and enjoy, closed where needed for them to fix you.
    • Re: (Score:2, Insightful)

      by SpazmodeusG (1334705)

      Pretty much only the kernel is open source and not the other parts.
      The Google apps, the main interface API, and anything relating to the market are well locked down.

      The Android is not a phone you should get if you want an open source phone. Try the OpenMokos.

      • by dmesg0 (1342071) on Saturday June 26, 2010 @07:26AM (#32701664)

        Pretty much only the kernel is open source and not the other parts.

        This is incorrect. Most of android is in AOSP, including the kernel, dalvik, UI, launcher, dialer, all the libs etc. You can build a fully working system from the open source components (that's how cyanogenmod is built).

        Only the google-specific applications (Maps, gmail, gtalk, google market, facebook, google voice ) are not open source. Many of them can be replaced with alternatives if one wants to release a system without paying to google: e.g. SlideMe market, one of many different e-mail/gps apps, etc.

        You can check the AOSP contents here [kernel.org].

  • one day you look at your phone: hey, there's a bing icon

    couple of months later: look at that, a skype icon

    it's vaguely unsettling, to be reminded of how raped you are in terms of privacy

  • This is great news (Score:2, Insightful)

    by OrangeTide (124937)

    Because Android is still less evil and invasive than iOS.

    I'm not trying to troll, but really. if you compare the the two platforms one is mostly open and one is glued shut.

    • by iluvcapra (782887) on Saturday June 26, 2010 @01:55AM (#32700498)

      I'm not trying to troll, but really. if you compare the the two platforms one is mostly open and one is glued shut.

      I'm not trying to troll, but really; if you compare the two platforms one is mostly bought and paid for by the handset purchaser, the other is free to the consumer and OEM but is distributed with the intent of selling mobile eyeballs to advertisers. What could possibly go wrong?

  • I know of several countries that will be interested in this.
    And I'm already halfway through the security around that code.
    This is a cakewalk compared to cracking the PS3 hypervisor.

    • Re: (Score:3, Interesting)

      by TheRaven64 (641858)
      Exactly my thought. It's not like Google has never found their servers compromised by China, for example. I'm surprised that the US government isn't a little concerned that Google has just potentially handed China the ability to turn every single Android phone into a bug. I wonder if this is part of the reason why GCHQ does not permit Android phones for government use in the UK...
  • by mlts (1038732) * on Saturday June 26, 2010 @03:10AM (#32700760)

    It is what a blackhat would be able to do if they were able to find Google's private key.

    • by Spad (470073)

      Or what they could do with Windows Update if they were able to find Microsoft's private key.
      Or with the iPhone if they were able to find Apple's private key.
      Or Ubuntu with Canonical's.
      And so on.

  • How is this different from automatic updates? Is it initiated by the phone (pull), or by a remote entity (push)? Is it usable by 3rd parties?

  • My response (Score:4, Funny)

    by hey! (33014) on Saturday June 26, 2010 @07:31AM (#32701676) Homepage Journal

    I cast "root device" then "alter /etc/hosts".

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...