Benvenuto nel Poliverso

Per qualche giorno saremo un po' lenti...

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

wired.com/story/google-android…

reshared this

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

GrapheneOS has gone through each of the carrier apps included on Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

github.com/GrapheneOS/adevtool…

Add command to list system files with filters · GrapheneOS/adevtool@9c5ac94

Android device support and bringup tool, designed for maximum automation and speed. - Add command to list system files with filters · GrapheneOS/adevtool@9c5ac94

^GitHub

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

Here's a thread from 2017 posted from our project's previous Twitter account which was stolen in 2018:

x.com/CopperheadOS/status/9033…

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.

in reply to GrapheneOS

GrapheneOS

in reply to GrapheneOS • 5 mesi fa • •

Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage which got completely duped into believing in a completely a fabricated threat:

therecord.media/google-to-remo…

Still not good enough.

Google to remove app from Pixel devices following claims that it made phones vulnerable

Google and a cybersecurity company are in a dispute over claims that an application on Android phones left the devices vulnerable to cyberattacks and spyware.

^{therecord.media}

⇧

GrapheneOS 5 mesi fa • •

GrapheneOS
5 mesi fa • •