![final [GrapheneOS] π±ποΈβπ¨οΈ's avatar](https://image.nostr.build/d837117ca56e292d9f16143a673f47fdb0c3f7273573a2394b1892b3c8c8a688.jpg)
This is a fake story: https://x.com/cryps1s/status/1824077327577591827
Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.
Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility. Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.
Verizon has a suite of low-level apps for Android devices to fully use their network. These are included on any Android device with full Verizon support. Pixels disable the packages unless a Verizon SIM is active. This is equivalent to having them installed/uninstalled on demand. One of the apps in this suite is the Showcase retail demo app for Verizon to show off phones in their store. It requires manually up the phone as a retail demo device. Verizon says they don't use it anymore. This demo app is where Trail of Bits / iVerify found an HTTP connection.
In order to exploit Verizon's demo app not verifying a signature for the downloaded config or even fetching it via HTTPS, it would already need to be set up to use retail demo mode. The contractors Verizon paid to implement it did a bad job, but it's not a Pixel security issue. Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta. The other Verizon apps needed to fully use their network which get activated with a Verizon SIM are of course still included.
#GrapheneOS has been omitting these carrier apps since around 2015. This meant GrapheneOS users weren't able to use Sprint and can't use certain features on Verizon like Wi-Fi calling. Apple has a special deal with Verizon and implements what the control they want as part of iOS. The restrictions set in Verizon's carrier configuration and the functionality implemented by these apps is a major part of why they prevent installing an alternate OS on any device sold by Verizon. They want to control how people use features like tethering and Wi-Fi calling.
Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue. Supposedly reputable news organizations including the Washington Post, New York Times, Wired, etc. are largely acting as press release distribution service for governments and corporations. If it fits a narrative they want to tell, there's no attempt to question or confirm it.
Trail of Bits employees should think over whether they want to be part of building a police state with pervasive surveillance as Palantir partners. You're not even working at a reputable security company anymore. Trail of Bits has become the charlatans they used to criticize.
#security #privacy
