Date: Fri, 16 Oct 2020 16:24:48 -0400
From: Adrian Sanabria <adrian.sanabria@...il.com>
To: "Enrico Weigelt, metux IT consult" <lkml@...ux.net>
Cc: fulldisclosure@...lists.org, certbund@....bund.de
Subject: Re: [FD] Google's Android: remote install backdoor in Google Play
	Services

If I recall correctly, iOS and MacOS work in much the same way. They can
push and remove software from devices at will. There are precedents of
Google and Apple using this power, generally to get rid of malware that
made it past app store detection and review mechanisms.

This isn't anything new and it has been standardized across both major
mobile platforms. Of course, that doesn't mean there aren't legal
implications, I'm simply pointing out it isn't unique to Google/Android and
it isn't a secret.

The ability to remove apps is what gets the most press, but I recall
hearing that both platforms have the ability to add apps as well.

https://mashable.com/2011/03/06/android-kill-switch/
https://www.macworld.com/article/1134930/iphone_killswitch.html
https://www.businessinsider.com/brazil-orders-apple-to-use-iphone-app-kill-switch-2014-8

Regards,
Adrian

On Fri, Oct 16, 2020 at 1:09 PM Enrico Weigelt, metux IT consult <
lkml@...ux.net> wrote:

> On 14.07.20 19:19, Michael Lazin wrote:
>
> Hello folks,
>
> > Could you please provide more detail.
>
> In short, Google's playstore receives notifications from Google and
> installs any app that Google wants to be installed - without any further
> notification or even interaction of the user.
>
> Google silently controls your device as soon as you enter a Google account.
>
> Actually, it's not a bug, but an on-purpose backdoor. I've published it
> here, in order to let everybody know. Further actions have to be done by
> the enforcement agencies.
>
> > I am not seeing how this is an
> > attack.  The Debian apt system which predates the play store seems to
> > work under the same principle.
>
> No, apt only acts on explicit operator commands. There is no way for
> Debian folks to *push* anything at will out onto individual machines.
> And you can also configure which repos are used. Google's Appstore
> (and Playservices) is in no way comparable.
>
> > The debian security team pushes updates which not only
> > install software with patches but the dependencies as well.
>
> Absolutely not, they don't push anything onto user's machines. They just
> upload new versions. It's up to the user to run upgrades, if he decides
> to. And the user can configure which repos to use / trust.
>
> > The
> > vulnerability you appear to be speaking about seems to be a fundamental
> > way the concept of an app store works,
>
> Yes, this vulnerability is on-purpose. Therefore I call it a backdoor.
> No way for the user to do anything about it - except for flashing a
> google-free OS. Legally, this is a criminal act.
>
> > it must include a method of
> > pushing patches as new exploits are published.
>
> No, it does not need to. Pushing here means Google decides what's going
> to be installed when on the device - user has no control over that, and
> even doesn't get informed. And it's not just for patches, but also for
> deploying completely new software.
>
>
> --mtx
>
> --
> ---
> Note: unencrypted e-mails can easily be intercepted and manipulated!
> For confidential communication, please send your
> GPG/PGP key.
> ---
> Enrico Weigelt, metux IT consult
> Free software and Linux embedded engineering
> info@...ux.net -- +49-151-27565287
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
