> In terms of the origins of the app, Google told me “this is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user's password.”
If an attacker has your phone and your password, it's game over anyway. Who cares if some random app could allow MITM connections over HTTP?
> Google assured me it is taking action, telling me that “out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices.” And while iVerify’s report focused on Pixel, Google also said it is “notifying other Android OEMs.”
Just as I saw this HN thread and started reading the article, I also noticed my Pixel 8 phone had an Android 14 update (the "August 5th, 2024" update) which included this security patch: https://source.android.com/docs/security/bulletin/pixel/2024...
It includes 1 CVE patch for Pixel: CVE-2024-32927, which has a "high" severity and is an "Elevation of privilege" type. Android Bug ID: 312268456*.
When you look up the CVE it has no details, and the asterisk next to the Android Bug ID means that it's not publicly available[1]. This article was just posted today, but I wonder when the research and interviews for the article happened. Maybe the August patch includes the fix, or maybe it'll be the next one.
2. The app is disabled by default ("The app is not enabled by default, but there might be multiple methods to enable it. The iVerify research team investigated one method requiring physical access")
TLDR: Verizon store demo app with a variety of system privileges was downloading payloads over HTTP and was not performing any authentication on what it received.
Not Google’s fault (beyond trusting carriers to not be incompetent :D)