Concerns of possible Man-in-the-Middle attacks

Jun 29, 2010 09:09 GMT

While people are debating whether or not it is right for Google to have the power to remove applications from Android phones remotely, a security researcher points out that the company can also install them in the same manner. In theory, the feature can have security implications if an attacker manages to pull off a Man-in-the-Middle (MitM) attack.

Last week, news broke that Google exercised its ability to remotely wipe out applications from smartphones running Android. This feature is clearly stipulated in the Android Market Terms of Service (see paragraph 2.4) and the company reserves the right to use it without notice.

However, since in practice most users never read license agreements, terms of service and other such documents, a lot of people were surprised to find out that Google has this power. In the true spirit of the blogosphere, an entire debate over the ethical and privacy aspects ensued.

In response to these concerns, security researcher Jon Oberheide points out on his blog that Google is also capable of remotely installing applications onto Android devices. "If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature," he writes.

INSTALL_ASSET is a message that Google's GTalk servers can send to Android's GTalkService; it is the reverse of the REMOVE_ASSET intent used by the company to remove apps. The researcher explains that Android devices communicate with Google's servers via the GTalkService pretty much all the time.

And unlike REMOVE_ASSET, which Google only makes use of under certain conditions - clearly explained in a blog post by Rich Cannings, the Android security lead - the INSTALL_ASSET command is actively used as part of the normal application installation process. Every time the "Install" button is clicked, Google's servers send an INSTALL_ASSET intent, forcing the device to download and install the APK package.

Oberheide notes that in theory this feature could be abused if an attacker manages to compromise the connection established between the device and Google's servers and execute what is known as a Man-in-the-Middle attack. "If an attacker is able to MITM this SSL GTalkService connection for a particular device, it may be possible to spoof these INSTALL_ASSET messages to deliver a malicious application payload. If Google’s GTalkService servers were compromised, the malicious impact would obviously be a bit more widespread," the researcher concludes.

You can follow the editor on Twitter @lconstantin