Google Has Android Remote App Install Power, Too
Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"
Google has been taken over by Jawas.
So how long until we see someone attempt to exploit this?
Slashdot headline would have been:
"Evil Apple Hides Secret Rootkit Installer on All iPhones"
Curious as to how this applies to custom ROMs and rooted Android devices. More specifically, since this is a known capability now, when will we see ROMs that specifically disable these features?
I'm sure someone could create a honeypot wifi network that forces all Android devices that connect to it to install a particular app.
Not unless they manage to compromise SSL in order to make the phone think it's talking to Google when it really isn't. If someone manages to do that, we have much bigger things to worry about than a malicious phone app.
Visual IRC: Fast. Powerful. Free.
You mean they can remotely install apps over the air just like every other modern phone on every other carrier I've ever seen?
This is a non-story -- OTA install is pretty much required by every carrier out there so they can force you to upgrade your phone.
I think the name is what's most interesting -- INSTALL_ASSET - that has a distinctly govt feel to it. Gotta wonder.
Yeah because wardriving is soooo terrible. Look, if you don't want people connecting to your wi-fi network hide the SSID and encrypt it securely. If not, then does it matter too much if you lose a few bytes of data? There are very, very few people who are going to bother even trying to break an encrypted connection, especially when they can go to a cafe and get free internet pretty much everywhere.
Taxation is legalized theft, no more, no less.
Really, this makes a bit more sense than having 234234234324234 OS updates every year. The majority of updates can be done by removing/updating apps, not to mention security patches. Really, some phones already have the latest Android they will ever get, barring rooting. But people will keep using that phone for 4+ years, that is a long time to have a security flaw out there that could steal information. Since the browser is going to be the main attack vector which is an app, it makes sense.
While this could be used to push more carrier crapware, I think updates and upgrades of installed apps are more likely to work for more phones and easier for the average user to use.
In all honesty, would you rather be using an outdated version of a browser with security flaws because your phone doesn't support Android 2.75 Double Chocolate Chunk Cookie or just have your browser update to a more secure version OTA?
Taxation is legalized theft, no more, no less.
...when Slashdot raises a stink about them removing it.
"Oops. Sorry. Here's your keylogger back."
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Calling it INSTALL_ASSET makes it seem so real.
Does anyone remember the android demo at Google IO where they showed the remote install feature from the android market on a desktop browser in froyo? Seriously, just because there is remote install functionality in the OS doesn't mean that it's there for malicious or secret use -- it's most likely part of a user facing feature.
It was Luke who removed the restraining bolt from R2D2.
It is no coincidence that in no known language does the phrase 'As pretty as an Airport' appear.
Look, if you don't want people connecting to your wi-fi network hide the SSID and encrypt it securely
Encrypt it with what, WEP? That would help just as much as not broadcasting your ssid (and, for that matter, as much as MAC filtering). Honestly, these three approaches to "security" won't stop anyone who knows how to boot a BackTrack liveCD.
I just pooped your party.
My "most modern phone", the N900, is not bound to any carrier, and I am quite certain that my carrier does not have the ability or a clue how to install anything on it. I'm root. Not them.
Apple and Android folks: Enjoy being someone else's bitch.
Was this post obnoxious? Yes, in a very nerdy way.
You know, we actually have a secure WiFi encryption protocol now. It is called WPA.
Yeah, and really how many people do you think are going to bother? Let's face it, there are a lot easier targets out there to hack for some script kiddie. For a really, really good black hat cracker they'd need some kind of personal motivation (such as bragging that your network at XXXX address is unhackable) for them to bother.
Let's face it, chances are your neighbors aren't 1337 h@x0rz who are just looking to get into your router and redirect all requests to Goatse, the guy out in his car just wants free wi-fi to check Facebook most probably and the rare hacker is going to pick easier targets.
Unless you personally piss off some black-hat cracker, you live next to one, or you happen to live right next to where Defcon is being held, no one is going to bother to hack your wi-fi because no one cares.
Seriously, if everyone was a 1337 computer knowledgeable cracker, we wouldn't have all these crappy computer "help" and installation centers across the country who charge $30 to pop in a PCI card or $50 to spend 5 minutes clicking "next" buttons.
Taxation is legalized theft, no more, no less.
Depending upon the specifics, it's not that much more secure than WEP was when it was introduced. I think the take home on that is that perhaps involving qualified crypto experts and security experts to design that part of the specification is a good thing. Sure it's never going to be 100% secure, but it's almost laughable how quickly the protection turns out to be easily breached.
... or $50 to spend 5 minutes clicking "next" buttons.
That's only $50 dollars an hour, you insensitive clod! Here's the breakdown:
5 minutes of clicking next buttons
55 minutes of WoW (or Minesweeper, Tetris, Facebook, Slashdot, what-have-you).
This so obviously merits $50/hour!
$ make available
Excuse my ignorance... but why is this a surprise when android is an open source OS? Why has anyone not noticed this in the source code!! Or is only kernel open source and not the other parts?
You're just flat wrong. WPA isn't compromised in any way even remotely as badly as WEP was/is.
WPA:TKIP can, in certain cases with certain AP's allow one to inject packets into the network. Packets won't come back to the attacker.
Perhaps one can use that as a way to leverage some additional resources to attack a network. Certainly, I wouldn't feel good with someone being able to inject packets - but it's not a game-over exploit like WEP was.
WPA-AES: There's simply no known attack against the cypher. You might be able to brute-force the key - but that's an issue of any shared-secret system - it doesn't have anything to do with the crypto in WPA:AES. The solution is to use a large key-space (all ascii characters, not just uppercase alpha's for example.) and long-ish. 10 chars or more. Bonus points for more random and less guessable secrets.
So, IMO, to claim "...it's not that much more secure than WEP was when it was introduced." is really a massive overstatement due to ignorance, at best or just plain falsehoods at worst.
one day you look at your phone: hey, there's a bing icon
couple of months later: look at that, a skype icon
it's vaguely unsettling, to be reminded of how raped you are in terms of privacy
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Google wanted control so they pushed http://en.wikipedia.org/wiki/Android_(operating_system)
GPLv2 to bait you in, Apache 2.0 to close you down if needed.
You write the 'free' apps, hunt bugs, preach about the 'freedoms', Google tracks, sells ads, data mines, a push and profit with a sting in the tail it seems.
Domestic spying is now "Benign Information Gathering"
Because Android is still less evil and invasive than iOS.
I'm not trying to troll, but really, if you compare the two platforms one is mostly open and one is glued shut.
“Common sense is not so common.” — Voltaire
I know of several countries that will be interested in this.
And I'm already halfway through the security around that code.
This is a cakewalk compared to cracking the PS3 hypervisor.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
If you didn't, or this wasn't in them, well... I'd be incredibly surprised.
It is what a blackhat would be able to do if they were able to find Google's private key.
How is this different from automatic updates? Is it initiated by the phone (pull), or by a remote entity (push)? Is it usable by 3rd parties?
2.75 is not Double Chocolate Chunk Cookie. It is Maple Bar
2.80 is Jelly Donut
3.0 is Insulin Shots
It is scary that Google doesn't provide an opt out option in the Market app. But there is a way out, at least if the Cyanogen mod is available for your phone: Install the Cyanogen mod without the proprietary Google bits (includes Market app, Gmail app, text-to-speech etc). I just checked it. The vending apk that is responsible for the OTA removal/install functionality (according to http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/) is not running on my N1. I get along pretty well without the Market. You can install your apps directly from some download site or you can install apktor which allows you to access public repositories.
Here is a quick thought on this one. Say you are some big drug pusher and you get a "clean" phone from retail. The US government is sure going to be interested in the contents (stuff they can't get by going to your telco). How can they get all the info? Install a silent trojan. Who can do that, Google of course.
It could be quite interesting to do a FOI to see how many times it has been done (Because I am pretty sure it will have been done by now)
http://www.writeitfor.us - Writing IT for the IT generation.
Hmmm. This sounds more like something M$ or Apple (or especially SONY) would do.
Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
Exactly, and he did so first!
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
This is how Google will insert the HYPNOTOAD onto your android phone... ALL GLORY TO THE HYPNOTOAD!...
It's funny how Android owners see the platform as an antidote to Apple's restrictive App Store and other restrictions. Google are just as crazy and dubious as Apple at times.
One can only hope HP manage to do something with Palm. Although the biggest obstacle to that is the fact it will only be on HP's hardware. Let's face it they've not released a good smartphone or PDA in a while.
If someone installs something on my phone at $2/MB I demand they pay for the bandwidth they use!
I did not choose to install the software while on 3G or whatever so why should I be billed for it?
Meanwhile my Android phone just had its first over-the-air system upgrade, losing some of my settings and clearing my entire 7-screen desktop.
Rather than Google worrying about remote app installs and remote app removals, what would be great is if basic things like minor system updates didn't practically reset the damn phone to factory defaults.
My good lady had a similar problem with her iPhone system update a few days ago -- it deleted all of her contacts.
Pretty rubbish technology we're dealing with here :-(
Google has demonstrated that, beyond Froyo, they will add the ability to browse the Android Market and have your phone install a given app right from the Market by triggering an intent via push message.
How is it shocking that this intent exists prior to the functionality being fully implemented?
At about 31 minutes in: http://www.youtube.com/watch?v=IY3U2GXhz44&feature=channel
Considering that property ownership means "lease until you stop paying property taxes to the City/State/Feds" or "eminent domain" Kelo v. City of New London ...
And if you "own an OEM license for an operating system" that is "non transferrable to another machine" ...
It's not surprising that the "phone you buy and own" is actually controlled by the Manufacturer and can be modified by them over the air at their discretion:
Pertinent examples:
Syrian Radar: http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch/0
Kindle's Orwellian book deletion: http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html
iPhone
This fits the "subscription model" that anti-virus, browser, and now operating systems all use to ensure steady cash-flow and hopefully phase out that frustrating "buy it once" legacy mentality that is also symptomatic of people who don't use credit cards.
I strongly suggest periodically researching alternatives to large corporations that ignore your rights or sense of ownership - i.e. try a different browser (firefox/opera?), a different search engine (hakia.com), and hopefully somebody will fork Android like CentOS does a wonderful job for Red Hat (and then post it on Sourceforge / slashdot).
I cast "root device" then "alter /etc/hosts".
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I can't see how this would be an unsolvable issue for anyone here. I started with a G1 and now have a Nexus One. I rooted the G1 and installed Cyanogen's ROM which completely removed the big G's ability to update my phone in any way. It's even more trivial to do that to the Nexus One than it was the G1. While most people won't install a custom ROM on their phones, at least for the anointed Google phones the process isn't hard and nicely takes care of at least a few privacy concerns should you have them. T-Mobile doesn't care if an owner does this and neither does Google. YMMV on other carriers. On the flip side, while I care about privacy I have to admit that the location services offered by giving up a little privacy are very useful to me. A cab driver has to be able to know both where you are and where you want to go in order to provide service and location services are a lot like that. Turn them off when you don't need them.
load "$",8,1
Eeeek!!!!!
Are you kidding?
They'd be keen on getting their hands on the phones- they're making banking apps and the like for them that are less secured in some ways than the web based things because they're thinking the phones are more secure.
They're going to want to PWN those phones for MANY reasons and they'll bother without question- it's just a matter of time.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
to stick with a basic phone. No installs, no web, nothing but phone
Mod me up/Mod me down: I won't frown as I've no crown
This is nothing new. The Blackberrys have the push feature for both service books as well as applications. It may be referred to as an "update", but there's been times where, on a restart or even without, a new "application" appears on my home screen.
Don't most rooted phones not have this sort of worry? I could have sworn that most of them disabled at least the OTA update capabilities so that rooted phones didn't get suddenly un-rooted or updated with things that conflict with your own changes.
Of course they have these abilities. That should go without saying.
---- Booth was a patriot ----
I recently discovered something called a "Turbo SIM" located here: http://www.bladox.com/index.php?lang=en It is essentially a tiny microcontroller that sits between your mobile handset and your SIM card (sandwiched). The GSM standard allows network operator approved apps to run from within the SIM. It is called "SIM toolkit" or STK. Only big business (banks etc) seem to run apps in this STK mode. The TurboSIM makes your handset think your own apps are on the SIM. The programmability of this gadget is cool as the GSM standard says that when the legit SIM is booted up it queries the hardware to find out what its capabilities are and a string of bits are returned from the handset to the SIM. One of these bits indicates whether or not the hardware is capable of OTA updates. Capturing this data and spoofing it would be trivial it would seem and is being done for other reasons (look at the forums). Something to think about.
If it bothers you, comment it out.
Maybe this is for corporate customers who want to push corporate apps out to all their devices.
No, we're obviously not reading the same slashdot. Negative Apple press on slashdot is overwhelmingly troll and fud-like, often with wilful ignorance and ludicrous non-sequiturs - much like Google's negative press.
It's been in (nearly all) other OS's for years.
to code or not to code, that is the question.
On the Energy Savings Widget is an option to switch off background network operations. You did not click that off there when you left your home's Wi-Fi range? Then obviously you have agreed to have software installed over 3G!
Yes, I too would prefer a background network operation over WiFi only option.
Am I the only person on Slashdot that thinks that features like this are there for a good reason? Remember how Google announced (at Google I/O 2010) that they were going to allow users to browse the market and install apps directly from a PC, without needing the device connected? Well, how do you all propose that this works without Google being able to install apps on your behalf? A confirmation message on the phone every time you attempt to remotely install an app would be a pain IMO, and render this feature useless. This article just promotes FUD, and isn't really news. Maybe if it was posted before Google announced the feature at I/O 2010, then we should get worried.