Post by AndrewPost by Jeff LaymanI assume that showcase.apk was removed when grapheneOS was installed as
that is intended for use in Pixel phones.
You're correct that "showcase.apk" seems to be the culprit, according to
this news article about the Pixel flaw which shipped since 2017 apparently.
*Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
<https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>
"The issue relates to "Showcase.apk," a bit of software made for
Verizon and used to put Pixel devices in demo mode while displayed
in retail stores.
The software downloads a configuration file over an unencrypted
web connection, which - because of Showcase's deep access - might
allow bad actors to perform remote code execution or remote
package installation on the device.
The especially troubling part of this discovery is that Showcase
can't be uninstalled at the user level. And while it is not
enabled by default, iVerify said there could be multiple ways
to activate the software. iVerify alerted Google to the
vulnerability in May; thus far there's no confirmed evidence
it's been exploited in the wild.
A Google spokesperson told Wired that Showcase is no longer being
used by Verizon and that Google would have a software update to
remove the software from all Pixel devices in the coming weeks.
Additionally, the rep said Showcase is not present in the line
of Google Pixel 9 devices announced during the Made by Google
event this week."
Firstly, I tried finding out the answer to my question about
Showcase.apk and grapheneOS but I couldn't tie the search down enough,
as "showcase" is a word often used!
Does/did it affect only Pixel phones? The Washington Post article states
"The feature appears intended to give employees at stores selling Pixel
phones *and other models*..." (my emphasis).
There's a lot more info at
<https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world>.
In particular, the "Conclusion" has some real food for thought. I'll
repeat it here:
"The Showcase.apk discovery and other high-profile incidents, like
running third-party kernel extensions in Microsoft Windows, highlight
the need for more transparency and discussion around having third-party
apps running as part of the operating system. It also demonstrates the
need for quality assurance and penetration testing to ensure the safety
of third-party apps installed on millions of devices.
Further, why Google installs a third-party application on every Pixel
device when only a very small number of devices would need the
Showcase.apk is unknown. The concern is serious enough that Palantir
Technologies, who helped identify the security issue, is opting to
remove Android devices from its mobile fleet and transition entirely to
Apple devices over the next few years. On most devices iVerify
researchers analyzed, the app was inactive by default and had to be
manually enabled. To avoid endangering users, we are redacting our way
of enabling the app in the full report. There might be other ways to
enable the app or situations where the app is enabled by default."
Anyway, I'm not at all surprised by this little episode. I've said many
times before that I don't trust Google or any of the phone manufacturers
(and it will no doubt get worse with the independent Chinese
manufacturers putting their heavily adapted versions of android on their
phones) to not spy on their customers. Or, as in the case of showcase,
to mess up enough so that others can!
So good luck with the iverify.io comment "... highlight the need for
more transparency and discussion around having third-party apps running
as part of the operating system". And what about first-party apps
running that we don't know about, and probably never will?
--
Jeff