Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won’t.
iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.
This is one of multiple carrier apps in the stock Pixel OS which we don’t include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren’t dishonest.
“iVerify vice president of research […] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target’s device before being able to exploit it.”
“The most straightforward way to do this would involve having physical access to a victim’s phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google’s Fernandez emphasized this limiting factor as well.”
Wired should retract the article and explain how they’re going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.
GrapheneOS has gone through each of the carrier apps included on Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:
GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.
Here’s a thread from 2017 posted from our project’s previous Twitter account which was stolen in 2018:
Incredibly important to note that this thread directly involves the CEO of Trail of Bits that’s now claiming their iVerify team discovered these apps.
Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we referring to and excluding. We didn’t claim credit for discovering this when we became aware of it in 2015.
Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It’s incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We’re not doing anything he hasn’t done himself many times before.
It’s ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.
Since this fits into a standard narrative pushed by mainstream news coverage, their dubious iVerify product will get a massive amount of free promotion from it. They should be criticized for claiming credit for discovering this when they didn’t and for misrepresenting it.
Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage which got completely duped into believing in a completely a fabricated threat:
Still not good enough.
Palantir is a mass surveillance company aiding with egregious human rights violations. CEO of Trail of Bits that’s working with them is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Perhaps he works with Cellebrite and NSO too.