Re: Washington Post says Google sold Android phones with hidden insecure feature

Subject: Re: Washington Post says Google sold Android phones with hidden insecure feature
From: Jeff (at) *nospam* invalid.invalid (Jeff Layman)
Newsgroups: comp.mobile.android
Date: 16. Aug 2024, 08:17:28
Organization: A noiseless patient Spider
Message-ID: <v9mue8$1bgdu$1@dont-email.me>
References: 1 2 3
User-Agent: Mozilla Thunderbird

On 16/08/2024 03:27, Andrew wrote:
> Jeff Layman wrote on Thu, 15 Aug 2024 22:31:17 +0100 :
>
>> I assume that showcase.apk was removed when grapheneOS was installed as
>> that is intended for use in Pixel phones.
>
> You're correct that "showcase.apk" seems to be the culprit, according to
> this news article about the Pixel flaw which shipped since 2017 apparently.
>
>   *Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
>   <https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>
>
>    "The issue relates to "Showcase.apk," a bit of software made for
>    Verizon and used to put Pixel devices in demo mode while displayed
>    in retail stores.
>
>    The software downloads a configuration file over an unencrypted
>    web connection, which - because of Showcase's deep access - might
>    allow bad actors to perform remote code execution or remote
>    package installation on the device.
>
>    The especially troubling part of this discovery is that Showcase
>    can't be uninstalled at the user level. And while it is not
>    enabled by default, iVerify said there could be multiple ways
>    to activate the software. iVerify alerted Google to the
>    vulnerability in May; thus far there's no confirmed evidence
>    it's been exploited in the wild.
>
>    A Google spokesperson told Wired that Showcase is no longer being
>    used by Verizon and that Google would have a software update to
>    remove the software from all Pixel devices in the coming weeks.
>
>    Additionally, the rep said Showcase is not present in the line
>    of Google Pixel 9 devices announced during the Made by Google
>    event this week."

Firstly, I tried finding out the answer to my question about Showcase.apk and grapheneOS but I couldn't tie the search down enough, as "showcase" is a word often used!
Does/did it affect only Pixel phones? The Washington Post article states "The feature appears intended to give employees at stores selling Pixel phones *and other models*..." (my emphasis).
There's a lot more info at <https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world>. In particular, the "Conclusion" has some real food for thought. I'll repeat it here:
"The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in Microsoft Windows, highlight the need for more transparency and discussion around having third-party apps running as part of the operating system. It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices.
Further, why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown. The concern is serious enough that Palantir Technologies, who helped identify the security issue, is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years. On most devices iVerify researchers analyzed, the app was inactive by default and had to be manually enabled. To avoid endangering users, we are redacting our way of enabling the app in the full report. There might be other ways to enable the app or situations where the app is enabled by default."
Anyway, I'm not at all surprised by this little episode. I've said many times before that I don't trust Google or any of the phone manufacturers (and it will no doubt get worse with the independent Chinese manufacturers putting their heavily adapted versions of Android on their phones) to not spy on their customers. Or, as in the case of Showcase, to mess up enough so that others can!
So good luck with the iverify.io comment "... highlight the need for more transparency and discussion around having third-party apps running as part of the operating system". And what about first-party apps running that we don't know about, and probably never will?
--
Jeff
