Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Has Android Remote App Install Power, Too

Posted by timothy on from the coming-and-going dept.

Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"

5 of 278 comments (clear)

  1. Really? by parc · · Score: 5, Interesting

    You mean they can remotely install apps over the air just like every other modern phone on every other carrier I've ever seen?

    This is a non-story -- OTA install is pretty much required by every carrier out there so they can force you to upgrade your phone.

    1. Re:Really? by Hizonner · · Score: 5, Interesting

      Actually, according to a talk by Rich Cannings, Google's "Android Security Leader", at Usenix Security '09 in Montreal, Google can choose whether or not to have your phone ask you for permission for an OS upgrade. If they think it's important enough, they reserve the "right", and definitely retain the technical capability, to install an upgrade without asking. The carriers can probably also do OTA upgrades on their own initiative; that part wasn't clear to me.

      The whole tone of his talk was scary. There was no sign that he could imagine that somebody might not want to trust Google with total control of their phone, or that such distrust could possibly be legitimate if it did exist. His whole attitude reeked of "we know better than you do", and he seemed to think of the phone's owner more as a security threat than as the person who should be setting security policy. And he didn't even mention the possibility that Google might get compromised.

      He also seemed to think of the Android open source project as something to push code to as an afterthought, rather less important than the carriers... whose interests he seemed to think were terribly, terribly important.

      It was not reassuring.

      And, yes, my understanding matches yours. The article says that they can also install apps, in addition to OTA OS upgrades. In fact, as I read the supporting material, the Market application works by pushing an "INSTALL_ASSET" message to your phone... the same message they'd use to spontaneously install an app. So there's no fixing the problem without either disabling the Market entirely or patching the implementing code.

      And of course an OS upgrade could contain code to do anything they want, including enabling them to install apps if they weren't already able to do so.

  2. Isn't Android Open Source? by warrior_s · · Score: 5, Interesting

    Excuse my ignorance... but why is this a surprise when android is an open source OS? Why has anyone not noticed this in the source code!! Or is only kernel open source and not the other parts?

  3. Re:Call me clueless by AHuxley · · Score: 4, Interesting

    Google wanted control so they pushed http://en.wikipedia.org/wiki/Android_(operating_system)
    GPLv2 to bait you in, Apache 2.0 to close you down if needed.
    You write the 'free' apps, hunt bugs, preach about the 'freedoms', Google tracks, sells ads, data mines, a push and profit with a sting in the tail it seems.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:kinda scary by MikeDaSpike · · Score: 5, Interesting

    Not to mention, google already announced you will be using this feature before. If you haven't seen this years google I/O then I'll tell you: you will be able to install apps on your phone from any device in the cloud.

    And besides, it's not like google is targeting you specificaly, they target all phones with that app installed. The purpose of it is to remove a malicious app before it can do any more damage.

    Example: I make an app branded as a porn site viewer, it works as one but it also sends information gathered from your sdcard/phone for some nefarious deeds. Removing it from the market would stop the app from spreading, but it has already been installed on thousands of phones, setting a flag on the market for "uninstall from phone NOW" would fix this.

    I know google could be more gentle about it and warn the user and ask for the app to be removed, but it's not like they use it on every app that pisses them, only on those that disregard their stated rules. So far google has been following the rules, so articles like this are just spreading FUD.