Trail of Bits, the owner of iVerify, seems to make some strange claims on Android security together with one of their customers, big evil Palantir.
Source:
What I get from it: the apps were already known in 2017 and discussed by the then Copperhead, now GrapheneOS, and the CEO of Trail of Bits on what was at the time Twitter, now X. The app is not included in the latest firmware of Pixel. And now the Trail of Bits CEO claims this discovery. The app surely is horribly insecure, but given it is disabled by default it will not run without someone having physical access to the device beforehand.
The Android version of iVerify does not show you any information on what is detected, not even what the indicator is, until you upload your system logs to them. This was already a red flag to me.
The iPhone version does not run in the background, as indicated on the website of PG already. This does make it hardly any more useful than just running MVT (whether through iMazing or not).
TL;DR: I see no reason to keep this recommendation, as it doesn't add anything beneficial to our users and the company seems to make some FUD.
Google disputed many of iVerify's claims in response to inquiries from Recorded Future News, explaining that the issue "is not an Android platform nor Pixel vulnerability."
Cheers, missed that. I guess this thread is not intending to replicate the discussion on the news, but let's assess whether iVerify actually has some benefits to bring to the game. I don't think so.
At first glance, it looks like many of the actionable suggestions the app gives you are settings you should already have enabled (screen lock), or things you should already be cognizant of depending on your threat model (turning on airplane mode).
And all these suggestions can be found in the iOS Overview.
It seems like this app just tells you some settings to change, and I'm not sure that really justifies an entire app. The Showcase thing was also a non-event, as, as far as I know, it required physical access and is removed from future versions of Android anyway as it's not used by Verizon anymore. So that basically means there isn't a problem.
When it comes to privacy I'm always a fan of only installing just what you need to do your work, and not random nag apps like this which don't really do anything. Likewise, if it can be done in a browser without an app, then perhaps it should be.
I agree with your points. Similar guidance is available in Privacy Guides' recommended configurations for iOS or from various web-based sources, such as by The New Oil, which doesn't necessitate downloading a whole app. Especially considering that the iVerify Basic app gathers diagnostic and usage data from users.
Disappointing that the mod (in this instance) was too eager to close the original thread (after having themselves derailed it with an off-topic comment) on iVerify.
It's less dependent on your model on iOS and more dependent on how much data you have, because it involves a full iTunes backup. It may be quicker on Android, but as we already note, it isn't particularly useful for Android in the first place, so iOS is kind of the primary consideration here.