This is unfortunate.
Wired, in my opinion, became nothing much better than a rag a few years back. Guess times are tough in the online journalism sphere and they have to revert to fear and division to get clicks.
This is unfortunate.
Wired, in my opinion, became nothing much better than a rag a few years back. Guess times are tough in the online journalism sphere and they have to revert to fear and division to get clicks.
Has Google published a response thus far?
locked They gave a response to most of the news publications but it was largely ignored and downplayed. You can see they're arguing against what's being said in the 2nd article we linked:
https://therecord.media/google-to-remove-app-pixel-vulnerable
They likely gave almost exactly the same response to each news publication and most of them simply largely ignored it and went along with the security company (iVerify). Trail of Bits created iVerify and spun it off into a separate company a year ago but is still closely tied to it. They may have portrayed themselves as not being tied to iVerify and helped push the story. The whole thing is incredibly shady and they shouldn't be surprised we fight back against their misinformation.
I just read the article, and it appears that both iVerify and Palantir, both have a grudge against Android, and Pixel phones in particular. There appears to be little credibility to the story.
locked The CEO would be an Apple fanboy, it's almost funny with a name like “iVerify”.
The mainstream press is now announcing that a serious vulnerability has been lurking in Pixel phones for years, when in fact it hasn't. It's been deactivated and only concerns Pixel phones sold by Verizon in the USA, it is really disproportionate, yes this story has no credibility.
@GrapheneOS what do that mean for Software that's audited by Trail of Bits?
Hat Trail of Bits used to be a reputable organization and did useful contract work. They've fallen very far. The CEO and the company can't really take all the credit for their past employees and contractors doing good work. They're going to start struggling to get real talent due to their partnership with Palantir and this kind of spreading misinformation to promote themselves. People aren't going to want to work there.
It just seems that Palantir and iVerify are trying to create bad press for Android, and particularly the Pixel line, and smear them, when the exact opposite is true. One does not have to look further than Cellebrite's recent report on the latest Pixel line to be able to debunk these false asssertions.. The likely reason, they are frustrated by the Titan M2 Chip. These accusations are just a way to leverage pressure against Google. Governments and digital security companies have done this before. Google is not alone in being attacked.
GrapheneOS This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.
Could you explain why you needed to go through the carrier apps? Surely, they are not a part of AOSP. Do you base some of GrapheneOS on stock Pixel OS? Just curious.
And the fact that there is a diabled package in stock Pixel OS shouldn't be a problem (like these companies claim). The big problem is that Google Play and Services has all the privileges that this package would have had (if it was enabled). But for some reason, the society as a whole trust that Google does not abuse this unprecedented access that they have on billions of android phones. If I am not wrong about my assumption. Please correct me if I am wrong.
Panda-na The dozen Verizon carrier apps including this one for retail demos in their stores are a Verizon Android user issue, not a Pixel issue. GrapheneOS doesn't include these kinds of carriers apps.
Do you base some of GrapheneOS on stock Pixel OS? Just curious.
We need firmware, configurations, a subset of the driver libraries (the kernel drivers are fully open source though), etc. from the stock OS on the supported devices. The amount of that stuff we need has decreased a lot with Tensor Pixels and we hope it decreases further. If we had our own devices with a hardware partnership, we could build some of the firmware ourselves.
Pixels include a suite of Verizon apps like all other Android devices with full Verizon support. GrapheneOS doesn't fully support Verizon with features like Wi-Fi calling due to not including these. Sane carriers don't require this. Verizon is uniquely bad. The Verizon apps are completely disabled on Pixels unless you have an active Verizon SIM. The way they're disabled is equivalent to them being uninstalled without a Verizon SIM and then installed on-demand when you have one. They require a lot of privileged permissions to function but it's a non-issue if you aren't a Verizon user.
The retail demo app they found a vulnerability in is pretty much irrelevant though. It's not active even with a Verizon SIM. You would need to set up the device to be in that retail demo mode. The security vulnerability was relevant to the demo devices in Verizon stores, but wiping them via factory reset purges all of it. Verizon said they aren't using it anymore and it has been removed from the stock Pixel OS in Android 15 which can be seen from the Android 15 Beta but it wasn't a real issue for Pixel users even if they did use Verizon.
It's ridiculous for this to get so much attention when it's not even a valid low severity vulnerability. It really shows how hopeless mainstream media is at covering privacy and security issues. They get completely manipulated to push marketing from security companies scamming people.
https://x.com/cryps1s/status/1824077327577591827
This is a fake story. Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.
Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.
Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.
Verizon has a suite of low-level apps for Android devices to fully use their network. These are included on any Android device with full Verizon support. Pixels disable the packages unless a Verizon SIM is active. This is equivalent to having them installed/uninstalled on demand.
One of the apps in this suite is the Showcase retail demo app for Verizon to show off phones in their store. It requires manually up the phone as a retail demo device. Verizon says they don't use it anymore. This demo app is where Trail of Bits / iVerify found an HTTP connection.
In order to exploit Verizon's demo app not verifying a signature for the downloaded config or even fetching it via HTTPS, it would already need to be set up to use retail demo mode. The contractors Verizon paid to implement it did a bad job, but it's not a Pixel security issue.
Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta. The other Verizon apps needed to fully use their network which get activated with a Verizon SIM are of course still included.
GrapheneOS has been omitting these carrier apps since around 2015. This meant GrapheneOS users weren't able to use Sprint and can't use certain features on Verizon like Wi-Fi calling. Apple has a special deal with Verizon and implements what the control they want as part of iOS.
The restrictions set in Verizon's carrier configuration and the functionality implemented by these apps is a major part of why they prevent installing an alternate OS on any device sold by Verizon. They want to control how people use features like tethering and Wi-Fi calling.
Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue.
Supposedly reputable news organizations including the Washington Post, New York Times, Wired, etc. are largely acting as press release distribution service for governments and corporations. If it fits a narrative they want to tell, there's no attempt to question or confirm it.
Trail of Bits employees should think over whether they want to be part of building a police state with pervasive surveillance as Palantir partners. You're not even working at a reputable security company anymore. Trail of Bits has become the charlatans they used to criticize.
I think instead of writing a whole essay about the issue, which doesn't concern GOS, it would
be easier to say which privileged apps are included in GOS rather than specifying which are not.
Not many AOSP apps are included, it's easy to see in the source and releases, but GOS lacks the
transparency of what is currently included from AOSP and for which reason. I'm talking about stock
AOSP apps, and the logic behind including them or not. This hasn't been clear on the website page.
Just to rephrase, I'm not saying GOS is not transparent behind the development and goals.
There are just few apps that are inherited from AOSP which I believe should not be there.
Settings > Apps > All Apps > 3 dots ... > show system. Many questionable stuff there.
Many security companies throw hoax stories like that here and then, it's fine, it's a marketing thing
for their product. Not sure that GOS has to "debunk" those marketing fluffs each time and end up
with bad relations among potential customers of those companies, since when you end up in a so-called
"Twitter debate" it will just make regular users question who is defending what. My 2 cents.
23Sha-ger Settings > Apps > All Apps > 3 dots ... > show system. Many questionable stuff there.
There are many threads here on the forum where people found something "questionable" and asked about it then someone explained the purpose of the app or service. All of GrapheneOS's code is on GitHub for anyone to look at. There's nothing questionable there. If you have a question, ask it, but don't just make vague claims that there's questionable apps or services included in GrapheneOS.
23Sha-ger Many security companies throw hoax stories like that here and then, it's fine, it's a marketing thing for their product.
It's not fine and in this case it's relevant to GrapheneOS. GrapheneOS users in the community saw the news and were concerned that the app in question is included in GrapheneOS. Similarly, GrapheneOS users outside of our community may see the "news" and worry, but may not see the project's response to the article.
One article that I read even said that the Android team's response was something to be concerned about. If Android is insecure, what does that say about GrapheneOS? It makes total sense that GrapheneOS project members publicly respond to this fake news story.
23Sha-ger Settings > Apps > All Apps > ⋮ > show system. Many questionable stuff there.
Everything is "questionable". And pretty much everything contains bugs!
GrapheneOS is an open-source project. Pull requests and security notifications can be made via standard mechanisms. The web site contains detailed build instructions, so individuals can build their own variants, including leaving "questionable" components out or replacing them.
Thank you for delivering such a carefully debloated but also feature-enabled OS! You are doing great work.
I encourage everyone to donate to GrapheneOS, as this OS is crucial.
kebab_definite
That exactly was my thought while reading it!
Because I am also a user of SimpleX, the alternative messenger app with the newest and greatest technology, which messengers today can have.
Unfortunately, its founder Evgeny Poberezkin let make the audits by Trail of Bits.
One about the protocols maybe in September and a complete new audit at the end of this year.
@GrapheneOS nice work, I was about to ask and then spotted this thread :-)
Eagle_Owl we will see how they handle it. I have a eye on it. :)