
Google's remote Android app installer explained

Phone downloads powered from desktop


Why has Google given itself the power to remotely install applications on citizens' Android phones? It will eventually offer a desktop-browser-based version of its Android app marketplace, allowing netizens to install apps on their Android phones using a browser on their PC.

The company demoed this desktop-based Android Market in late May at its annual developer conference in San Francisco. Vice president of engineering Vic Gundotra and one of his minions showed how users will soon have the power to press a download button inside their browser and have an application automatically show up on their Android phone.

"What happens today on other systems?" said Gundotra, alluding to Apple's App Store setup on its desktop iTunes. "You find the app, you download it to your PC or Mac. You then have to tether your device. Once it's down on your PC, you have to convert it over that tethering to your device and then make that sync happen.

"Well, guess what? We discovered something really cool. It's called the internet."

As explained by security researcher Jon Oberheide late last week, Google maintains a persistent connection to netizen Android phones that allows the company not only to remotely remove applications from user devices but to remotely install them as well. The REMOVE_ASSET tool was no secret – it's mentioned in the terms of service for Google's app store, the Android Market – but although Gundotra demoed the thing in May, the INSTALL_ASSET tool hadn't been discussed before Oberheide outed it late last week.

When we asked Google about the INSTALL_ASSET tool, a Google spokesman said the company "is not providing comment on this matter." But Google already uses the INSTALL_ASSET tool when you download applications from the existing Android Market – the one that sits on your phone – and Gundotra's demo makes it clear that it will be used in other ways in the near future.

"The INSTALL_ASSET functionality does start to make a bit of sense if Google does indeed plan to roll out functionality to browse the Android market on your PC and initiate app installs directly to your phone," Jon Oberheide says.

But Oberheide – employed by the Ann Arbor, Michigan-based security startup Scio Security – is still concerned that the remote install tool could be compromised by miscreants. According to his research, Google's connection to Android phones – known as GTalkService – is not protected by any authentication other than SSL: whoever can speak to the phone over that channel can issue commands.

"So if an attacker is able to compromise the integrity of the SSL connection, as we've seen happen [before]... they will be able to spoof INSTALL_ASSET messages and install applications on the victim's device," he tells us.

"Google can and should take some steps to harden the GTalkService mechanism. It might not satisfy the privacy advocate crowd, but it will at least help us security folk sleep better at night."
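The weakness Oberheide describes is that the transport channel is the only thing authenticating a push command: once SSL is broken, an INSTALL_ASSET message from a man-in-the-middle looks exactly like one from Google. The following is an added example, not Google's GTalkService code; the message format, field names and the per-device key are hypothetical. It models a client that trusts anything arriving over the channel beside one that also checks a MAC under a key the device received at registration, and shows that the forged command and a replayed command are accepted by the first and rejected by the second.

```python
"""
Transport-only versus application-layer authentication of a push command.

Added illustration, not Google's code. The INSTALL_ASSET / REMOVE_ASSET
names come from the article; the JSON layout, the "seq" counter and the
per-device HMAC key are assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets

INSTALL_ASSET = "INSTALL_ASSET"
REMOVE_ASSET = "REMOVE_ASSET"


def canonical(msg: dict) -> bytes:
    """Serialize a command deterministically so server and device MAC the same bytes."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(device_key: bytes, seq: int, kind: str, package: str) -> dict:
    """Server side: build a command and MAC it with the per-device key.
    seq is a monotonically increasing counter so a captured message cannot be replayed."""
    msg = {"kind": kind, "package": package, "seq": seq}
    msg["mac"] = hmac.new(device_key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def apply_command(installed: set, msg: dict) -> bool:
    """Shared install/remove logic; returns False for an unknown command kind."""
    if msg["kind"] == INSTALL_ASSET:
        installed.add(msg["package"])
    elif msg["kind"] == REMOVE_ASSET:
        installed.discard(msg["package"])
    else:
        return False
    return True


class TransportOnlyClient:
    """Trusts any message that arrives over the (assumed intact) SSL channel."""

    def __init__(self):
        self.installed = set()

    def handle(self, msg: dict) -> bool:
        # Nothing here checks who authored the message: the channel is the only authentication.
        return apply_command(self.installed, msg)


class AuthenticatedClient:
    """Also requires a valid MAC under a key a TLS man-in-the-middle never sees."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.last_seq = 0
        self.installed = set()

    def handle(self, msg: dict) -> bool:
        expected = hmac.new(self.device_key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time compare; then reject anything not newer than the last accepted command.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False
        if msg["seq"] <= self.last_seq:
            return False
        self.last_seq = msg["seq"]
        return apply_command(self.installed, msg)


def scenario() -> dict:
    """Genuine command, MitM forgery and replay against both clients; returns the outcomes."""
    device_key = secrets.token_bytes(32)  # assumed to be provisioned at registration, never resent
    weak, strong = TransportOnlyClient(), AuthenticatedClient(device_key)

    genuine = sign_command(device_key, 1, INSTALL_ASSET, "com.example.legit")
    # The attacker controls the broken SSL channel but does not hold device_key,
    # so the best they can do is attach a MAC under a key of their own.
    forged = {"kind": INSTALL_ASSET, "package": "com.example.attacker", "seq": 2}
    forged["mac"] = hmac.new(b"attacker-guess", canonical(forged), hashlib.sha256).hexdigest()
    replay = dict(genuine)  # a verbatim copy of a previously delivered command

    return {
        "weak_genuine": weak.handle(genuine),
        "weak_forged": weak.handle(forged),
        "weak_installed": sorted(weak.installed),
        "strong_genuine": strong.handle(genuine),
        "strong_forged": strong.handle(forged),
        "strong_replay": strong.handle(replay),
        "strong_installed": sorted(strong.installed),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

A symmetric MAC is the simplest way to show the point; in a real deployment the server would more likely sign commands with a private key whose public half is pinned on the device, so that compromise of one device's secret does not let anyone forge commands for it, and certificate pinning on the client would raise the bar for breaking the channel in the first place. Either way the property that matters is the one the example demonstrates: a command must carry proof of origin that survives the loss of the transport.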

The "privacy crowd" just doesn't like the fact that Google has the ability to install whatever it likes on their personal handsets. And they feel much the same way about its kill switch.

Late last month, Google actually used its REMOVE_ASSET tool – the so-called kill switch – to remove two applications built by... Jon Oberheide. In a blog post, Oberheide revealed that Google had removed two apps he used to demonstrate how easy it would be to bootstrap a rootkit onto Android phones via the Android Market.

Oberheide built a "RootStrap" app that periodically phoned home to retrieve native code that executed outside of Dalvik, the Android Java virtual machine. He then distributed the app through the Android Market in the guise of another app, "Twilight Eclipse Preview", which pretended to be a sneak peek of the teen vampire flick.

Google also announced the removal via a blog post of its own, but it did not name Oberheide or his applications.

New research from Oberheide indicates that the "kill switch" can only be used against applications that were downloaded through the Android Market. "If you install an app from a source outside the Android market, Google will not be able to remote kill it (at least not directly)," he says.

Nonetheless, the kill switch is particularly unsettling. It's little different from Amazon's Orwellian ability to remotely vanish books from its Kindle ereader. Amazon may say it won't remove books again, but it can be legally compelled to do so. Or it may use it in an effort to avoid legal action.

If you would rather carry an Android phone on which only you, and not Google, can remove and install applications, Oberheide says he's developing a tool that will let you disable Google's remote services. But it will only work on rooted phones. ®
