| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Oct 2020 16:24:48 -0400 From: Adrian Sanabria <adrian.sanabria@...il.com> To: "Enrico Weigelt, metux IT consult" <lkml@...ux.net> Cc: fulldisclosure@...lists.org, certbund@....bund.de Subject: Re: [FD] Google's Android: remote install backdoor in Google Play Services If I recall correctly, iOS and MacOS work in much the same way. They can push and remove software from devices at will. There are precedents of Google and Apple using this power, generally to get rid of malware that made it past app store detection and review mechanisms. This isn't anything new and it has been standardized across both major mobile platforms. Of course, that doesn't mean there aren't legal implications, I'm simply pointing out it isn't unique to Google/Android and it isn't a secret. The ability to remove apps is what gets the most press, but I recall hearing that both platforms have the ability to add apps as well. https://mashable.com/2011/03/06/android-kill-switch/ https://www.macworld.com/article/1134930/iphone_killswitch.html https://www.businessinsider.com/brazil-orders-apple-to-use-iphone-app-kill-switch-2014-8 Regards, Adrian On Fri, Oct 16, 2020 at 1:09 PM Enrico Weigelt, metux IT consult < lkml@...ux.net> wrote: > On 14.07.20 19:19, Michael Lazin wrote: > > Hello folks, > > > Could you please provide more detail. > > In short, Google's playstore receives notifications from Google and > installs any app that Google wants to be installed - without any further > notification or even interaction of the user. > > Google silently controls your device as soon you enter an google account. > > Actually, it's not a bug, but a on-purpose backdoor. I've published it > here, in order to let everybody know. Futher actions have to be done by > the enforcement agencies. > > > I am not seeing how this is an > > attack. The Debian apt system which predates the play store seems to > > work under the same principle. > > No, apt only acts on explicit operator commands. There is no way for > Debian folks to *push* anything at will out onto individual machines. > And you can also configure which repos are used. Google's Appstore > (and Playservices) is in no way comparable. > > > The debian security team pushes updates which not only > > install software with patches but the dependencies as well. > > Absolutely not, they don't push anyting onto user's machines. They just > upload new versions. It's up to the user to run upgrades, if he decides > to. And the user can configure which repos to use / trust. > > > The > > vulnerability you appear to be speaking about seems to be a fundamental > > way the concept of an app store works, > > Yes, this vulnerability is on-purpose. Therefore I call it a backdoor. > No way for the user to do anything about it - execept for flashing a > google-free OS. Legally, this is a criminal act. > > > it must include a method of > > pushing patches as new exploits are published. > > No, it does not need to. Pushing here means Google decides what's going > to installed when on the device - user has no control over that, and > even doesn't get informed. And it's not just for patches, but also for > deploying completely new software. > > > --mtx > > -- > --- > Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert > werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren > GPG/PGP-Schlüssel zu. > --- > Enrico Weigelt, metux IT consult > Free software and Linux embedded engineering > info@...ux.net -- +49-151-27565287 > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists