Google's remote Android app installer explained
Phone downloads powered from desktop
Why has Google given itself the power to remotely install applications on citizens' Android phones? It will eventually offer a desktop-browser-based version of its Android app marketplace, allowing netizens to install apps on their Android phones using a browser on their PC.
The company demoed this desktop-based Android Market in late May at its annual developer conference in San Francisco. Vice president of engineering Vic Gundotra and one of his minions showed how users will soon have the power to press a download button inside their browser and have an application automatically show up on their Android phone.
"What happens today on other systems?" said Gundotra, alluding to Apple's App Store setup on its desktop iTunes. "You find the app, you download it to your PC or Mac. You then have to tether your device. Once it's down on your PC, you have to convert it over that tethering to your device and then make that sync happen.
"Well, guess what? We discovered something really cool. It's called the internet."
As explained by independent security researcher Jon Oberheide late last week, Google maintains a persistent connection to netizen Android phones that allows the company to not only remotely remove applications from user devices but remotely install them as well. The REMOVE_ASSET tool was no secret – it's mentioned in the terms of service for Google's app store, the Android Market – but although Gundotra demoed the thing in May, the INSTALL_ASSET tool hadn't been discussed before Jon Oberheide outed it late last week.
When we asked Google about the INSTALL_ASSET tool, a Google spokesman said the company "is not providing comment on this matter." But Google already uses the INSTALL_ASSET tool when you download applications from the existing Android Market – the one that sits on your phone – and Gundotra's demo makes it clear that it will be used in other ways in the near future.
"The INSTALL_ASSET functionality does start to make a bit of sense if Google does indeed plan to roll out functionality to browse the Android market on your PC and initiate app installs directly to your phone," Jon Oberheide says.
But Oberheide – employed by the Ann Arbor, Michigan-based security startup Scio Security – is still concerned that the remote install tool could be compromised by miscreants. According to his research, Google's connection to Android Phones – known as GTalkService – is not protected with any authentication other than SSL.
"So if an attacker is able to compromise the integrity SSL connection, as we've seen happen [before]... they will be able to spoof INSTALL_ASSET messages and install applications on the victim's device," he tells us.
"Google can and should take some steps to harden the GTalkService mechanism. It might not satisfy the privacy advocate crowd, but it will at least help us security folk sleep better at night."
The "privacy crowd" just doesn't like the fact that Google has the ability to install whatever it likes on their personal handsets. And they feel much the same way about its kill switch.
Last last month, Google actually used its REMOTE_ASSET tool – the so-called kill switch – to remove two applications built by... Jon Oberheide. With a blog post, Oberheide revealed that Google removed two apps he used to demonstrate how easy it would be to bootstrap a rootkit onto Android phones via the Android Market.
Oberheide built a "RootStrap" app that periodically phoned home to retrieve native code that executed outside of Dalvik, the Android Java virtual machine. He then distributed the app through the Android Market in the guise of another app, "Twilight Eclipse Preview", which pretended to be a sneak peek of the teen vampire flick.
Google also announced the removal via a blog post its own, but it did not name Oberheide or his applications.
New research from Oberheide indicates that the "kill switch" can only be used with applications that have been downloaded through the Android Marketplace. "If you install an app from a source outside the Android market, Google will not be able to remote kill it (at least not directly)," he says.
Nonetheless, the kill switch is particularly unsettling. It's little different from Amazon's Orwellian ability to remotely vanish books from its Kindle ereader. Amazon may say it won't remove books again, but it can be legally compelled to do so. Or it may use it in an effort to avoid legal action.
If you would rather carry an Android phone that only allows you to remove and install applications, Oberheide says he's developing a tool that will allow you to disable Google's remote services. But this will only work with rooted phones. ®