this post was submitted on 22 Aug 2024
10 points (91.7% liked)

GrapheneOS [Unofficial]

1713 readers
1 users here now

Welcome to the GrapheneOS (Unofficial) community

This feed is currently only used for announcements and news.

Official support available on our forum and matrix chat rooms

GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

Links

More Site links

Social Media

This is a community based around the GrapheneOS projects including the hardened Android Open Source Project fork, Auditor, AttestationServer, the hardened malloc implementation and other projects.

founded 3 years ago
MODERATORS
 

Reflects extremely poorly on Apple that several of their employees have been involved in spreading fabricated claims about Pixels. Convincing companies/governments to strictly use Apple products with clearly fraudulent claims about Pixels is scandalous.

https://x.com/GerzerSoftware/status/1825226770079244361

We directly talked about iVerify being a sandboxed app fundamentally incapable of providing significant defenses against sophisticated attackers:

https://x.com/GrapheneOS/status/1824194291591417961

It does not mean you should trust them to run code on your device, view your DNS requests, etc.

iVerify fabricated a fake Pixel vulnerability in order to promote their company/product alongside Palantir and Trail of Bits. It has been completely debunked by multiple researchers. Many people were previously aware of the app, the conditions for enabling it and had analyzed it.

Multiple privacy and security researchers have previously talked about this set of apps for supporting Verizon's network functionality on Android. We analyzed these apps years ago and have publicly talked about it. We checked CarrierSettings and Showcase again before our thread.

Showcase (com.customermobile.preload.vzw) is Verizon's retail demo app and is completely disabled at a package level with the other Verizon apps on Pixels unless someone has a Verizon SIM. The way they're disabled is comparable to installing and uninstalling the apps on demand.

Showcase additionally requires a privileged OS setting in order to enable it. This setting has more limited access than other settings which are part of the public API. The level of access to enable it would be greater than the access the app has available for itself.

Using iVerify means trusting a Palantir partner with code execution, access to your DNS requests, etc.

Palantir is a surveillance company and is largely based around acquiring access to data mined by other companies. That's reason enough to avoid code from them or their partners.

Here's some background on Palantir:

https://privacyinternational.org/sites/default/files/2021-11/All%20roads%20lead%20to%20Palantir%20with%20Palantir%20response%20v3.pdf

Regardless of whether you share the views of most of the open source and privacy communities on Palantir and their partners, a security company like iVerify promoting products via fraudulent claims isn't trustworthy.

Installing an app from their app store is giving arbitrary code execution within the app sandbox to the app developers. The app sandbox is far weaker than the browser sandbox for a website. It's also easy enough for apps to do arbitrary things based on configuration and many do.

iVerify has been actively marketing to journalists while working with groups many journalists consider among their main adversaries.

Using an app is trusting the developers with arbitrary remote code execution in the app sandbox, which is a lot weaker than the web sandbox.

App sandbox simultaneously prevents iVerify from providing any significant value against a sophisticated attacker while also not being nearly strong enough to put up a serious defense against sophisticated adversaries. The value is oversold and it brings more risk than reward.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 2 months ago

You're welcome!