Free Republic
Browse · Search
General/Chat
Topics · Post Article


Android Also Gives Google Remote App Installation Power
ThreatPost | June 25, 2010, 1:08PM | by Dennis Fisher

Posted on 06/29/2010 12:52:55 AM PDT by Swordmaker

The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well.

Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones.

"I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too," Oberheide said in an interview. "I don't know if they've used it yet."

Oberheide created a program called RootStrap, which he described as a proof-of-concept application to show how an attacker could bootstrap a rootkit on a mobile device. He then posted a benign version of the app on the Android Market under the name "Twilight Eclipse Preview" as a way to get users to download it. About 200 people installed the application, which periodically contacts a remote server to pull down native ARM code. In a real-world attack, that code would be malicious payloads, but in the benign version that Oberheide posted, it did nothing.

During his research, Oberheide had found out about the remote-wipe functionality in Android, called REMOVE_ASSET. After he spoke publicly about RootStrap, Google asked him to remove the app from the Market, which he did. A short time later, he saw a notification on his Android phone telling him that the app had been removed from the device. This was the first time that Google had used the functionality, Google said in a blog post this week.

"The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications. In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed," Google's Rich Cannings, the Android security lead, wrote.

Oberheide said that during his discussion with Cannings he got the sense that Google was working hard on the security aspects of Android and the Market itself.

"They're doing a good job, but there's certainly stuff that they could tighten up on," he said. "There are some security concerns that come along with the open marketplace, but I think that's just part of their model, and they're committed to this open model."

Many, if not most, Android owners likely had no idea that the REMOVE_ASSET function existed, and Google's use of it generated quite a bit of publicity and concerns about privacy and security for Android owners. However, Oberheide, the co-founder of startup Scio Security and a PhD candidate at the University of Michigan, said that wasn't nearly as interesting as the other half of the equation.

"Now, the Android platform not only allows for the removal of applications remotely via the REMOVE_ASSET intent, but also allows for the installation of new applications via the INSTALL_ASSET intent. If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature," he wrote in a blog post explaining his research and the removal and install features.

The INSTALL_ASSET feature raises a number of privacy and security questions, particularly the question of what rights the software maker has to modify the code on users' devices. Code changes, in the form of patches and feature updates, are obviously commonplace and most users give little thought to the changes. But few customers likely have contemplated the possibility of Google, Apple, Microsoft or another vendor forcing the installation of a new application on their phones.

"While remotely removing apps might ruffle the feathers of people who like the feeling of having full control over their device, the remote install functionality is of more concern from a security perspective. As I mention on slide #14, if an attacker is able to MITM this SSL GTalkService connection for a particular device, it may be possible to spoof these INSTALL_ASSET messages to deliver a malicious application payload. If Google’s GTalkService servers were compromised, the malicious impact would obviously be a bit more widespread," Oberheide wrote.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: bigbrother; bootstrap; cellphones; google; phoneapps; privacyrights; rootstrap; spyware
Can you imagine what the outrage and fallout would be if we replaced EVERY instance of "Google" and "Android Phone" in the article with "Apple" and "iPhone"?????
1 posted on 06/29/2010 12:52:57 AM PDT by Swordmaker

To: Swordmaker

what makes you think it’s not on the iphone?

my guess... the feds ‘requested’ the feature for all upcoming telecom devices


2 posted on 06/29/2010 1:42:05 AM PDT by sten

To: Swordmaker

Jon Oberheide is a deceptive jackass.

Don’t you be downloading anything, even harmless anythings, to my mobile under false pretenses. Jackass.

The only thing that made his virus “harmless” is because it pulled down harmless code. All he has to do is change the code on his home server, and you got yerself a paperweight that looks like a mobile phone...


3 posted on 06/29/2010 2:40:25 AM PDT by Haiku Guy (Gov. Chris Christie (R) won the NJ-6 held by Rep. Frank Pallone (D) by a 15.5% margin!)

To: Swordmaker

Seems to me the greater danger is someone hacking the install, remotely attacking Droids without the user having to do anything.


4 posted on 06/29/2010 2:44:21 AM PDT by D-fendr (Deus non alligatur sacramentis sed nos alligamur.)

To: D-fendr
Yep. Of course, someone will find a hack to disable this feature within two weeks. It's the nature of the biz.

I will be getting an Android phone at the end of August. Can't wait!

5 posted on 06/29/2010 2:52:02 AM PDT by rintense

To: PugetSoundSoldier

fyi


6 posted on 06/29/2010 3:50:42 AM PDT by driftdiver (I could eat it raw, but why do that when I have a fire.)

To: Swordmaker

How is this different from automatic updates or virus scans?


7 posted on 06/29/2010 5:08:56 AM PDT by DUMBGRUNT (The best is the enemy of the good!)

To: DUMBGRUNT

The diff is you install the virus scanner which then does DLs on your behalf hopefully from a trusted source. The install/remove asset can be done by anyone it seems which may or may not be connected w/ the purpose of the app initially loaded. You DL an app which then does install/remove asset of who knows what. Also it seems google has the machinery to do mass or focused install/remove asset. I suspect, as someone already said, the govt could use this feature to DL ‘things’ to a person’s phone. It could be used for good or bad depending on the goals of the agency involved.


8 posted on 06/29/2010 5:42:10 AM PDT by 556x45

To: Swordmaker

Interesting; sounds like Google is being proactive and removing actual malware - malware that the author specifically developed and rolled-out for that purpose.

Two applications - where the author openly stated they were malware proof-of-concept for Android and the iPhone - out of tens of thousands.

Personally, I wouldn’t be upset about Apple or Microsoft doing this; it’s what malware software does, if it’s decent software (meaning can actually remove, rather than just prevent installation).

An interesting question: what about those with jailbroken iPhones who have the malware still installed? I wonder if they are still being infected by this application?


9 posted on 06/29/2010 9:02:20 AM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: 556x45
The diff is you install the virus scanner which then does DLs on your behalf hopefully from a trusted source.

True.

The install/remove asset can be done by anyone it seems which may or may not be connected w/ the purpose of the app initially loaded.

Now that's a leap; is there any indication that anyone can do this?

You DL an app which then does install/remove asset of who knows what.

And how is that different from what happens now for every app purchased over the Internet, for any phone?

Also it seems google has the machinery to do mass or focused install/remove asset.

As do Blackberry and WinMo. It's actually standard for any phone used in a large-corporate environment, as it gives the company the ability to do OTA updates of installed software as needed. I'd be very surprised if iOS didn't have this, or if Apple was choosing not to use it.

Not to mention that your carrier can do an OTA firmware update of your phone...

10 posted on 06/29/2010 9:12:49 AM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: PugetSoundSoldier

‘Now that’s a leap; is there any indication that anyone can do this?’

The article seems to indicate it can and was done. All you have to do is create an ‘app’ and once that’s in place you’re good to go.

On a broader scale I suspect anyone w/ the correct credentials and/or knowledge can hit a bigger audience.

Put this into perspective tho...do you really want someone forcing s/w to YOUR phone? A company phone is a totally diff thing b/c you don’t own it.


11 posted on 06/29/2010 9:38:39 AM PDT by 556x45

To: 556x45
The article seems to indicate it can and was done. All you have to do is create an ‘app’ and once that’s in place you’re good to go.

No, the function call exists on the OS, but only the OS vendor (or owner) can call it; you cannot have another app call it.

Put this into perspective tho...do you really want someone forcing s/w to YOUR phone?

No, I do not. And that's why I run Windows Mobile; you cannot push apps to or remotely remove apps from my phone (I do not have Enterprise OTA functionality installed).

And of course, if you buy an app for your iPhone and Apple then yanks that app, you lose it as well. Your apps will disappear if Apple yanks them from the App Store, much like Google with Android.

But the best part is that Apple screws the vendor by not refunding their commission on the sales. Yes, they will sell the app, take their 30%, and then when they yank the app they keep the 30% and you - Mr. Developer - have to refund the full amount. How's that for unethical behavior!

12 posted on 06/29/2010 11:19:20 AM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: PugetSoundSoldier
An interesting question: what about those with jailbroken iPhones who have the malware still installed? I wonder if they are still being infected by this application?

Good question... I have no problem with remote removal of apps... remote install is another thing. I also would worry about "man-in-the-middle" attacks, especially on Android and jailbroken iPhones, where apps are not required to be signed.

13 posted on 06/29/2010 5:50:35 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is AAAAIIIIIEEEEEEE!)

To: PugetSoundSoldier
But the best part is that Apple screws the vendor by not refunding their commission on the sales. Yes, they will sell the app, take their 30%, and then when they yank the app they keep the 30% and you - Mr. Developer - have to refund the full amount. How's that for unethical behavior!

Once again, we have you reposting already REFUTED and proved wrong information. You were told this, with links, in a previous instance where you posted it. WHY do you post the same misinformation again?

That was posted over a year ago... and it had not been posted as a major issue again. Do you think that if it were Apple's policy to issue refunds and to charge back the full 100% to the developers there wouldn't be a bigger hullabaloo than just a few articles? Even in the discussion on that article developers chimed in to say that THEY were credited 70% when the sale was made... and debited 70% when a refund was made. REFUTING the allegations made by someone with an axe to grind.

Although the clause does say that Apple retains the right to keep the 30%, it also says Apple "may" issue the consumer the refund and that keeping the 30% is linked to the reason the refund is issued:

"...a Licensed Application fails to conform to Your specifications or Your product warranty or the requirements of any applicable law, Apple may refund to the end-user the full amount of the price paid by the end-user for that Licensed Application. In the event that Apple refunds any such price to an end-user, You shall reimburse, or grant Apple a credit for, an amount equal to the price for that Licensed Application. Apple will have the right to retain its commission on the sale of that Licensed Application, notwithstanding the refund of the price to the end."

So far there are very few developers who have complained that Apple has retained the 30%... and many who have said they haven't.

14 posted on 06/29/2010 6:46:26 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is AAAAIIIIIEEEEEEE!)

To: Swordmaker

OK, before you start your rant:

I NEVER SAID THAT BEFORE. This is the FIRST time I’ve seen this story. Go shoot your wad at someone else because IT’S NOT ME.

So quit jumping down my throat. You got a problem with what I posted? Then post other information. Otherwise take a deep breath and chill.

This was a nice calm thread until you came in...

So I await your apology.


15 posted on 06/29/2010 6:59:12 PM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: Swordmaker

This’ll be a hacker’s wet-dream in about a week or so - now that everyone knows it’s there, I’m sure there’s a botnet someplace working on a hack. I’ll stick with my dumb cell phone, and for important things, face-to-face conversation.


16 posted on 06/29/2010 7:03:19 PM PDT by Oceander (The Price of Freedom is Eternal Vigilance -- Thos. Jefferson)

To: PugetSoundSoldier
This was a nice calm thread until you came in...

So I await your apology.

And it is still calm... but truthful as well. Nor am I ranting.

I will apologize, Puget... because I think, now, it probably was not you. But the FUD spreaders blur together... especially when the phraseology is the same. I have refuted that canard at least twice before... but it keeps popping up.

Apple does not cheat its developers. However, if they produce an app that does not do what they claim it does, they do have the right to reclaim their costs.

Fair enough?

17 posted on 06/29/2010 10:47:46 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is AAAAIIIIIEEEEEEE!)

To: Swordmaker
Fair enough. However, your statement:

So far there are very few developers who have complained that Apple has retained the 30%... and many who have said they haven't.

Is troubling. Especially in the case I linked. Functionality of the application did not change, and Apple approved - and sold - the app for 4 months before yanking it. And since Apple is the sole arbiter of when that happens, and sole arbiter if the developer has to "pay back 100%", well, I know I wouldn't develop for them.

They decide if you can sell, they decide for how long you sell, they can change their decisions at any time, and YOU carry the financial responsibility and impact for their decisions. Not cool at all. Makes sense why so many developers are moving to Android.

Also, it confirms that Apple has a remote-removal as well - pull from the App store, pull from your phone. With my WinMo phone, I don't have a pretty store, but if the app is pulled I still have it; it's mine, I paid for it, I have a local copy of the application that cannot be removed.

18 posted on 06/30/2010 7:02:58 AM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
