Oddbean new post about | logout
final [GrapheneOS] 📱👁️‍🗨️ | 3 months ago (raw) | export | reply | flag +17 
 Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

https://www.wired.com/story/google-android-pixel-showcase-vulnerability/

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

This is one of multiple carrier apps in the stock Pixel OS which we don't include in #GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."

"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."

Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.
Deleted | 3 months ago (raw) | root | parent | reply | flag 
 Thanks a lot for what your building. Much appreciated🙏🔥
final [GrapheneOS] 📱👁️‍🗨️ | 3 months ago (raw) | root | parent | reply | flag 
 #GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for the late ProtonAOSP and GrapheneOS in 2021:

https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

Here's a thread from 2017 posted from our project's previous Twitter account which was stolen by Copperhead in 2018:

https://x.com/CopperheadOS/status/903362108053704704

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.

It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.
ETT | 2 months ago (raw) | root | parent | reply | flag 
 Tldr for dummies?
final [GrapheneOS] 📱👁️‍🗨️ | 2 months ago (raw) | root | parent | reply | flag 
 A company that sells a security theater product  that misleads people about detecting sophisticated remote attacks made a misrepresented claim that an unused, disabled app meant to run on Pixels for display in stores is an exploitable component. Mainstream media went with it without doing prior research.

Pixels cannot enable this app without physical access with ADB which requires the user's password, or a sophisticated remote execution exploit that would be more dangerous than the security implications they are trying to imply are.

GrapheneOS does not bundle this app and we were aware of it for years (2017 or earlier) so it's irrelevant to GrapheneOS users. It's scaremongering for marketing for a product that they can't even possibly do what they claim.
ETT | 2 months ago (raw) | root | parent | reply | flag 
 Understand thanks! Glad Im running G on my Pix and I appreciate the work yall do
final [GrapheneOS] 📱👁️‍🗨️ | 2 months ago (raw) | root | parent | reply | flag 
 This is an unused app previously used for demo phones for display at phone stores. Android 15 already removed it. GrapheneOS hasn't bundled apps like this since 2015. You need a physical access and the device's password, or an extremely sophisticated remote attack with filesystem access to enable it. By that point, you have way more access and control than this app ever did.

The disclosing party (iVerify) sell a dubious app marketed to protect you against sophisticated remote attacks like Pegasus but cannot do what it claims. They also collaborated with Palantir, a surveillance company trying to sell "predictive policing" tech. It is a scaremongering tactic meant to market their dubious products.

nostr:nevent1qqs064ylrdmt8unyk0yymafphtwlpqv39yf392zgn6ffd93da9wt63cppemhxue69uhkummn9ekx7mp0qgsvzkj6vkvxu745zdx7uw4c2f2d5hzafvzw0z60zmyzsdce9564rpgrqsqqqqqpk3crf9