this post was submitted on 15 Aug 2024
33 points (70.4% liked)

Android

17403 readers
423 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

πŸ”—Universal Link: [email protected]

πŸ’‘Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.

Support, technical, or app related questions belong in: [email protected]

For fresh communities, lemmy apps, and instance updates: [email protected]

πŸ’¬Matrix Chat

πŸ’¬Telegram channels / chats

πŸ“°Our communities below

Rules

  1. Stay on topic: All posts should be related to the Android OS or ecosystem.

  2. No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to [email protected].

  3. Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to [email protected].

  4. No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.

  5. No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.

  6. No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.

  7. No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.

  8. No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.

  9. No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!

  10. No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

Chat and More

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
33
Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App (www.wired.com)
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
22 comments fedilink hide all child comments
 

Mirror: https://web.archive.org/web/20240815141445/https://www.wired.com/story/google-android-pixel-showcase-vulnerability/

top 22 comments
sorted by: hot top controversial new old
[–] [email protected] 46 points 1 month ago (1 children)

iVerify vice president of research Matthias Frielingsdorf points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings.

Just a bit of alarmism then, with something that can be easily removed in an update.

[–] [email protected] 7 points 1 month ago

Not only can it be removed, they've already said it going to happen soon.

[–] [email protected] 44 points 1 month ago (1 children)

The story isn't nearly as dramatic as it seems. Maybe this thread can offer some nuance: https://grapheneos.social/@GrapheneOS/112967309987371034

[–] [email protected] 6 points 1 month ago

Thanks for sharing!

[–] [email protected] 24 points 1 month ago (3 children)

The issue relates to a software package called β€œShowcase.apk” that runs at the system level and lurks invisible to users. The application was developed by the enterprise software company Smith Micro for Verizon as a mechanism for putting phones into a retail store demo modeβ€”it is not Google software. Yet for years, it has been in each Android release for Pixel and has deep system privileges, including remote code execution and remote software installation. Even riskier, the application is designed to download a configuration file over an unencrypted HTTP web connection that iVerify researchers say could be hijacked by an attacker to take control of the application and then the entire victim device.

"flaw"

any idea if de-google phones have this "feature"

[–] [email protected] 27 points 1 month ago

The app isn't enabled by default so stock Pixels aren't even vulnerable without physical access to an unlocked device.

[–] [email protected] 8 points 1 month ago

I couldn't find the APK on my pixel 5 running lineage so I think only stock-based roms should be affected. I checked using an APK extractor app that lists all system apps including things like 3 button navigation bar.

[–] [email protected] 5 points 1 month ago

GrapheneOS doesn't include this, along with many other unnecessary carrier apps

[–] [email protected] 10 points 1 month ago (2 children)

I have doubts that this apk is enabled and running on all pixels, it's especially not on custom roms such as Graphene (I just checked my own).

[–] [email protected] 8 points 1 month ago

The GrapheneOS guys also explained why this isn't nearly as bad as it sounds, and how Wired is simply fearmongering: https://grapheneos.social/@GrapheneOS/112967309987371034

[–] [email protected] 7 points 1 month ago (1 children)

Yeah, doesn't look like it affects GrapheneOS. More validation of my choice to run Graphene I guess.

[–] [email protected] -1 points 1 month ago (1 children)

I'm too stupid to install it. Would've liked to plonk it on my old tablet instead of throwing it into the trash.

[–] [email protected] 6 points 1 month ago (1 children)

It's only compatible with modern Pixel devices, so unless you're old tablet is a Google Pixel Tablet, you can't install it anyway. But the installer is super easy to use (if you have a compatible device). It's literally all in your web browser.

[–] [email protected] 1 points 1 month ago (1 children)

It's an old Xperia Z4 and there's a few custom images on the forums. But the "how to" suggest using a tool that does not even exist in that version and is otherwise so sparse on information that I gave up after that.

[–] [email protected] 1 points 1 month ago (1 children)

I don't recommend installing random builds from forums like XDA. GrapheneOS definitely doesn't have an official version for anything other than Pixels, you might want to try LineageOS if you want to throw the tablet out anyway

[–] [email protected] 0 points 1 month ago (1 children)

you might want to try LineageOS

Same thing there basically.

[–] [email protected] 1 points 1 month ago (1 children)

Oh man, I just looked up the Xperia Z4 and noticed that it's like 10 years old. Can't say that I'm surprised that there are basically no ROMs.

[–] [email protected] -1 points 1 month ago

Well, yes - what else am I going to install a custom rom on other than a device that is no longer receiving actual system updates but still works fine? And as I said, there are a couple roms on the forums, just with very lacking installation instructions.

[–] [email protected] 6 points 1 month ago

Kind of a nothing burger

[–] [email protected] 1 points 1 month ago (1 children)

All these updates and they let this get by. That's pretty ridiculous.

[–] [email protected] 8 points 1 month ago (1 children)

Don't let this misleading Wired article fearmonger you. I recommend this thread, which provides some nuance to this drama: https://grapheneos.social/@GrapheneOS/112967805820394815

[–] [email protected] 2 points 1 month ago

Many thanks. I'll check it out.