Slashdot Mirror


Google Has Android Remote App Install Power, Too

Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"

3 of 278 comments

  1. Re:Drive-by installing by Anonymous Coward · Score: 5, Informative

    You're just flat wrong. WPA isn't compromised in any way even remotely as badly as WEP was/is.

    WPA:TKIP can, in certain cases with certain APs, allow one to inject packets into the network. Packets won't come back to the attacker.
    Perhaps one can use that as a way to leverage some additional resources to attack a network. Certainly, I wouldn't feel good with someone being able to inject packets - but it's not a game-over exploit like WEP was.

    WPA-AES: There's simply no known attack against the cypher. You might be able to brute-force the key - but that's an issue of any shared-secret system - it doesn't have anything to do with the crypto in WPA:AES. The solution is to use a large key-space (all ASCII characters, not just uppercase alphas, for example) and long-ish: 10 chars or more. Bonus points for more random and less guessable secrets.

    So, IMO, to claim "...it's not that much more secure than WEP was when it was introduced." is really a massive overstatement due to ignorance at best, or just plain falsehoods at worst.

  2. Re:kinda scary by MobileTatsu-NJG · Score: 5, Informative

    I am working on it. Just one more line of code, almost there.

    I like to lick butts!

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  3. Re:Really Really Really? No. by cbhacking · Score: 5, Informative

    Seriously, this is a worthwhile point. Maemo (OS on the N900) *IS* Linux, not a fancy face on top of it that takes away your control. The default user is not root, but you can become root. The package manager software is setuid root, but you can fix that if you want to make it impossible to install apps without entering a password.

    --
    There's no place I could be, since I've found Serenity...