"Google has the power to not only remove applications from users' Android phones, but remotely install them as well."
Well......fuck that then.
Google has the power to not only remove applications from users' Android phones, but remotely install them as well. Last week, Google told the world it had exercised its Android "Remote Application Removal Feature," reaching out over the airwaves and lifting two applications from citizen handsets, and as pointed out by the man …
Is this really too much to ask?
That's what this is about. Not which Apps you can and can't access, but the apps they install for you. I am an open source user; but Nokia in their wisdom went and installed a small office application that can't read ODF and also can't be removed. Also, a game that I can't remove. Nice of them to waste my precious system memory for me, especially as the X6 doesn't have removable memory.
I was looking at Android tablets and also my next handset was going to be Android as well. I've just started reading on programming Android. Not any more I'm not.
Surely the fact that they can remotely install apps without authorisation has to be a lot more disturbing than their ability to remove them without authorisation. Don't forget that this is a company which is proving itself to be highly untrustworthy. A fact that, thankfully, more people are, albeit slowly, waking up to.
A big software vendor introduces something that end users have no control over, it phones home automagically, it can add software or remove software at its own pleasure, and is vulnerable to impersonation or man in the middle attacks.
That's Windows Update, isn't it?
Not saying that what Google are doing isn't evil, but where's the equivalent fuss for the MS equivalent technique?
Just askin', like.
When I buy a computer from an OEM I'm ASKED what I want Windows Updates to do. I can disable it completely with one click - it's one of the first things you are asked when you "setup" Windows as a new user.
So I'm told about it, can choose to enable or disable it, or I can be selective and say tell me, but I'll manually review the updates and install the ones I want at my leisure.
That is NOT what Google are doing. This has been 'discovered' by a researcher that they can install stuff remotely, you can't disable it as far as I know and it's completely out of your control.
Windows Update doesn't default to automatically updating your box, you have to explicitly agree to it (though yes it does twist your arm a bit about it), so at least you're aware of what will happen.
If there's an issue with WU it's how they're forever pushing guff at you like Silverlight et al...
IMO the Apple Updater is worse... I have Safari on my machine for browser compat testing because apparently some folks use it on Windows and it doesn't always behave the same as it does on the Mac.... but once every couple of weeks I get an aggressive little pop-up trying to get me to install iTunes, Quicktime etc as well ... and if I want to keep the Safari auto-updater I don't seem to have a way to kill these "helpful reminders"
At least with Windows/Microsoft Update there's a very simple option to leave it enabled but select and hide apps I don't want updated
When thinking about issues like this it is always best to remember that Google's "do no evil" mantra only holds for certain values of "evil". Those values being the ones that Google have defined. If your definition of evil differs from that of Google then you probably shouldn't own a device over which Google has so much control.
I don't care what the excuse is - nobody installs or removes anything on anything I have without my express permission.
I have no need to be nannied. If I install some objectionable material on my hardware, it is my responsibility. If I goof and install something harmful to my hardware or my privacy, well too bad for me and I've learned something new. I will certainly not accept anyone deciding for me what needs to be removed. Of course, the consequence is that nobody will remove for me a trojan app that I, as well as others, installed because of some advertised function that I found useful. The normal way to do things in that case is that I get a mail or some sort of notification telling me what the issue is with that app and how to deal with it. I will decide what to do with it.
On the other hand, there is simply no excuse for remote unauthorized install. That is just about as Big Brother and disrespectful of my rights as it gets.
But of course, I'm harping about a long-lost notion : the consumer has rights. Seems that that is sooo last century.
I have an Android phone - love it, best mobile device I've ever had by a long way, but its association with Google leaves a bitter taste in the mouth that just seems to be getting worse and worse.
Aside from the meaningless "do no evil" mantra that Google spouts they do say something very meaningful about Android: that it is Open Source (eventually at least). Part of that meaning to me is that the development and functionality of the OS is accountable to the user/developer community.
Thus as I have a handset made by Motorola running an Open Source OS connecting to Orange's mobile network. What part of that package allows Google to determine what software I will or will not run on my device that I have paid for?
Jon Oberheide is right to point out the potential security issues with this but at least as important is the question of Google overstepping the mark again in seeking to snoop/control on-line activity. I'm no fan of M$ and Apple but at least they don't try to use Open Source as a fig leaf for their monopolistic activities.
This is a major conflict of interest, think of the espionage possibilities.
It wouldn't be bad if google's remote update mechanism 1) was optional, and 2) explicitly prompted the user, however that it was hidden shows just how untrustworthy google is.
This is no different from what apple do, but then apple don't operate under the pretense of selling open devices, people (should) know that apple controls their device.
"But of course, I'm harping about a long-lost notion : the consumer has rights. Seems that that is sooo last century."
The PC era was so fantastic for consumers because of open platforms which spurred innovation and competition. I worry very much that the future of computing could be closed and proprietary, and only a few corporations holding the keys to all apps and data.
"How deep in the T&C the remove and install 'features' are buried?"
Someone else can hunt down the terms for Android use in general, including application installation and update. But I rather doubt you'll find Google's lawyers have slipped up in this regard. In particular for the scenario that's been highlighted, which would rely on a hacker exploiting an unpatched vulnerability.
Every App you have installed on an Android phone from the Market is remotely installed - that is how it works. You select an app and the channel opens up with a command to your phone to install it. It then gives you the permissions the app requires and then you can choose to go ahead with the installation.
The Froyo build goes even further - you can just select an app on the Marketplace website and it will get installed on your phone using similar technology. This was one of the big wow factors at Google IO and helps you work with your PC or Phone but through (cough) "The Cloud", rather than have to connect your phone to your PC itself.
If you don't want your phone to do this, or have any links to Google, then don't put a gmail address in when you first install the phone.
This post has been deleted by its author
You say wrong; given that possession offences are strict liability offences, suppose a phone were to have illegal content of whatever form downloaded to it or an app to acquire such content? What about an eavesdropping application that Google have agreed to provide to, for instance, a government in whose jurisdiction you live? Their definition of evil has proven sufficiently malleable to allow such adaptation to local concerns before now.
Covertly installing applications without the user's permission on their phones? Well I'm sure that won't interest the security services at all. I'm sure there absolutely definitely won't be a flood of sealed court orders winging their way to Google HQ, identifying certain phones of interest, will there...
In today's world, hackers and system attacks are inevitable. It would be irresponsible to not have a method to deal with them. Google's chosen method is this removal tool – and a corresponding tool that can patch the systems remotely or install other critical components. This method was effective, and demonstrates that Google can eliminate threats.
Keep in mind, this was a threat. It wasn't a case where someone wrote an app that competed with a Google app, and it was removed to limit competition (ala iPhone). This was a hacker who used social engineering tricks (standard hacker MO) to install a root kit on users' phones. The app represented a danger to the consumers, and rightfully should have been removed.
Frankly, I am sick of these “white hat” hackers doing evil things just to prove how easy it is to do evil things. The excuse that it was for “good” or “demonstration” purposes does not excuse it in my mind. Imagine using that defense in a murder trial: “Your Honor, I only shot her in the face to show how easy it is to shoot a person in the face! You should thank me for revealing that vulnerability.”
That's all well and good, but at the very least google's control over the phone should be authorized by the user.
Any updates should prompt the user each time unless the user has configured a preference to auto install google updates.
The way it's been described implies that google have remote access without any user authorization. Why should google or any other manufacturer keep a back door on my computing device holding my data and apps?
...check out Babbage, Lovelace, Whitehead & Russell, Gödel, Turing...and a host of other non-American mathematicians, scientists and engineers who were laying the foundations of computing while IBM were still making typewriters.
And you didn't capture the bloody Enigma Machine either! Even Wikipedia is slightly more accurate than the Yank/Hollywood version of history.
Oh dear Lord! You're down voting because of my handle? I am well aware that the foundations for computers were laid by many, and not just in the US. But IT? Well, when computers started being built for business instead of government, they were built in the US – therefore, the first mainstream IT jobs were here too.
Meanwhile, I don't really see why my post got so many downvotes. Was it my name? England losing to Germany (hey, we lost too)? Or perhaps I offended the Apple people or “white hat” hackers.
At least Mr. Gosselin voiced a valid complaint. His response expressed anger that Google fixed the problem without asking the customers. I understand this POV, but I still sympathize with Google. Look at Microsoft and IE 6. They've done everything they can to tell people to stop using it, and to upgrade to a new browser – and still people continue to use it. If we apply the analogy of immunizations, these “hold outs” prevent the group from achieving herd immunity. By their vulnerability, they become a vector for attacks and endanger the larger community. Google has a solution that doesn't require effort on behalf of the (often lazy or uninformed) end user. They can close an attack vector when they find it.
I'm not sure there is a “perfect” solution that will please everyone – but, to me, this isn't a bad solution. Now, if they start deleting things to stifle competition, or to respond to some take down notice (ala “1984” on the Kindle) then I would have a serious problem. But removing a root-kit from people who fell for a hacker's social engineering attack (“twilight” indeed) – well, I find it hard to be outraged.
I'm thinking it was more for your ridiculous analogy of shooting someone in the face which destroyed whatever point you were making leading to the down-voting (like it even matters).
Of course, the presumption that your choice of username was the reason for down-voting (along with said username to be honest) betrays all confidence in you having anything useful to contribute to the debate.
On topic - The ability to remotely control a device which I own without my approval is out of order. I do recognise the usefulness of the service though for the reasons touted in discussion. It should really be an optional service though - I would be happy to suggest to some users, (especially those who watch Twilight :p) that their phone is managed for them, but feel I could be trusted myself to manage a phone, and deal with the consequences if I don't.
I would have thought that at the Reg, where we routinely discuss renegade pay toilets as evidence of the ROTM, that you would recognize snarky humor when you read it. Still, despite your distaste for the analogy, I stand by the sentiment – I don't appreciate people doing evil things to show how easy it is to do evil things.
As for “the presumption that your choice of username was the reason for down-voting” - did you read the post I was responding to? It was solely him expressing his distaste for my choice of username. Perhaps I am mistaken – perhaps he just took the time to respond without down-voting – but I doubt it.
Now, on to the topic – I believe that you don't need your hand held. In fact, I am positive that this incident affected no one reading this site – because we all are competent enough to manage our own devices.
But the fact remains, there are plenty of people who aren't. And when their devices become compromised, it can affect the network – which we don't own. I don't blame Google (or even Apple, for that matter) for policing and removing malware when it's found. Ultimately, the success or failure of their product will hinge on how well it works. If their network's performance is being hurt because of the proliferation and complacency towards malware, then it hurts their product (and all of the other users of that product). To me, the ability to remote remove/install apps to devices isn't inherently bad. It's how that tool is used. So far, it's been used to clean up a root kit that affected (gullible) users. I have no problem with that. If it starts getting used in less justifiable ways, then I will most definitely have a problem with it.
The reason why we're downvoting you is because we think you're an idiot.
Today Google uninstalls a proof of concept rootkit attack. Tomorrow they're removing content because some overzealous lawyer files a lawsuit, or installing monitoring software because a certain government tells them to... But apparently this isn't something to worry about?
That, and your revisionist version of history.
This post has been deleted by a moderator
The controversy isn't around whether third parties can break the SSL or impersonate google, it's that google themselves have a hidden channel to push instructions to the device. This is very different from a marketplace channel which merely pulls apps down when requested.
This post has been deleted by a moderator
"No, you're completely wrong and this is my point, there's no evidence they have a hidden channel"
Look at the PDF links in the article.
I'm looking at a PDF which shows the byte codes used in the channel encoded using XMPP.
I cannot vouch that the evidence is accurate or anything like that, but if he's not lying, then it looks like he does have the evidence.
"• When you click install in market app
– Google servers push an out-of-band message
down to you via persistent data connection
– Triggers INSTALL_ASSET intent to start install
– Intent handler fetches APK and installs"
So the apps are not pulled down by the device, they're pushed up to the device using an out of band installation channel by google. Why does google need to be able to push apps to the device as opposed to letting users pull them down? Technically both mechanisms will work to install apps, but the push mechanism allows google to add/remove apps at will. I suspect the main reason google choose to push apps to the phone has more to do with having an always open channel to users that allows google to track them much more closely.
Even then, it is very sleazy of google not to prompt the user before modifying the local applications.
If Google has the ability to remotely install software, then it is only a matter of time before certain governments will require them to install software to "help with investigations". What Google has done is expanded "wiretap" capability in these phones. Be worried. Very worried.
>If Google has the ability to remotely install software, then it is only a matter of time before certain governments will require them to install software to "help with investigations".
If you're a suitably suspicious character in the UK they can intercept all your calls - follow your movements live and retrospectively for several months etc anyway via the telcos - whatever handset you use and from the dawn of the analogue cellphone days. No software install is required.
Doesn't worry me at all, it is after all what the intelligence services get paid to do. Would be far scarier if they couldn't.
This hidden control channel in android's marketplace app is disappointing...
Of course any software with an auto-update function has potential to take over, but at least the knowledgeable owner should be aware of them, and can disable them.
Hopefully google realizes that this is evil, and makes these "auto updates" configurable by the end user.
I don't want google controlling my device any more than I want apple controlling it.
If Google is installing an application on a phone, obviously it's transferring data. The same applies, to a lesser degree, if it's sending a removal command.
Recent Reg articles have reported how Vodafone et al are jacking up the prices and screwing down the limits for data transfer. Roaming data prices are particularly steep.
Even if the actual cost is small, it looks to me like Google is stealing bandwidth when it does this.
Don't forget, Google are an advert company.
They will probably push an app to your 'phone that monitors the 'phone numbers you call, their duration, and their cost.
Then they cross reference the telephone against their own search engine to find out who you are calling, then push you a 'personalised' advert 'experience', made just for you.
"Google has noticed you are calling a lot of Escort services. Would you like a list of Escort Services in your current location (which we know, by the way)?"
< YES > < NO > < LATER >
"Google has noticed you are calling a lot of Escort services. Google has sent your number to GoogleBirds, our licenced Google Affiliate, who will call you back, absolutely free. No need to thank us! Google: Do No Evil!"
< OK >
Is there 1 single Android Market? Wasn't there talk of how there could be multiple markets, perhaps hosted by carriers or hardware manufacturers?
I've not developed for Android (yet), so I wonder: can you load your freshly developed app locally, or do you have to submit it to google in order to deploy it?
What I'm getting at: I can imagine how a kill switch works, if there is one global set of unique identifiers for apps (one Android Market scenario). But what if there are multiple markets? Who handles the app IDs? What about apps that I might develop myself, but don't intend to publish to the Android Market? Do they get IDs?
I was planning on using Android phones for robotics, but I would want to be sure no google can remove my apps when it feels like it.
There is only one 'market'. The apps have a manifest that details the requirements so that you only see supported apps from your device.
However, there are numerous places where you can download APKs and install them yourself.
APK Installer on the marketplace will install APKs from your SD card. Or you can frig it via the SDK if you don't want to go near the market.
Google are having a good quarter.
First, collecting wifi payload data for some obscure reason.
Second, withdrawing an app from people's phones. Did they miss the Amazon case last year or something? People do not like companies coming back onto their paid for devices, and removing stuff. It's a bit like the Tesco breaking into your house and removing something you bought from them.
I've had a Blackberry and an Android phone and have many friends with iPhones. All of these devices have remote install and remove capabilities, the network carriers would not allow them on their networks if they didn't.
What people fail to realize is that it may be their device, but it isn't their network, and the terms of service for the network clearly state that the vendors have the right to do this. This makes total sense in the ways of protecting the mobile networks from the kind of crap we have to deal with on the PC side, where network anarchy is the rule of thumb.
If you don't want remote install or remove then don't connect your phone to a network!
By your argument, whenever I connect my laptop to the Internet, Virgin reserve the right to install spyware on my machine. As do any intermediate networks my packets may happen to travel through. Oh, and if I connect to a free wifi point somewhere, the owners of that AP reserve the right to run SSLstrip and snaffle my usernames and passwords.
I really don't give a damn whose network MY device is connected to. It's my device. Period.
And how are you supposed to use a phone, without connecting to a network? Isn't that the point of a phone?
Ah well. Increasingly glad I never bothered with the whole smartphone craze. I may end up developing for them at some stage, but I'll be damned if I ever use one as more than a test platform. Google, you'd better change this, quick. Openness and "freedom" is the only differentiator between you and Apple at the moment. Secret remote installation of software is the sort of thing I'd expect a virus to get up to. Really, what the hell were the people who thought this up smoking?
but I am seriously NOT happy about this particular "feature." On a completely unrelated note (sure), does anyone know of a good, configurable, LOGGING firewall app for Android? I've only been able to find so-called "firewalls" that block unwanted phonecalls or messages. No luck so far in finding an IP firewall.
It's only a matter of time before all devices have this type of feature unless we find a way to legislate against it.
Apple showed the way. Android copied it and it's inevitable that MSFT etc will go that way too.
I find this really worrying. The fact that Android is basically open source makes it worse in many ways. It just shows that it's not just the pedigree of OS that's important, it's the way it's built and the way it's built into the hardware and of course the network it operates over.
This is going to become an increasing problem I fear.
While I don't like the idea of remote install, remote kill does make some sense given how free the market is - in this instance they used it to remove an app that was misrepresenting itself, which makes a certain kind of sense.
Yes, it could be open to abuse.
Remote install seems odd - why do they need this ability for any good reason?
On the "plus" side, it appears to be part of Market not the OS, so you could remove the market and be "safe" from this. It's not like you can't find and install apps (legally) outside of the market.
This is the sort of publicity Google should face and explain, possibly admitting they were wrong to reserve this kind of power and reverse it. Where Google tend to do themselves harm is that they just stay quiet from here on and make people nervous that they're happy to accumulate this power without reason.
I'm a happy Android user, and I don't think this is going to dissuade me from continuing with Android... but I'll be keeping an eye on it.
"On the "plus" side, it appears to be part of Market not the OS, so you could remove the market and be "safe" from this. It's not like you can't find and install apps (legally) outside of the market."
Yep, just uninstall the Google Market if you don't like it. Try that on the other devices. :)
As for other Markets, I haven't seen any apps, but you can just download the apks for anything. I assume someone that wanted to develop a market would have to write a market app for the phone. I'd think Google would helpfully sell you a copy of theirs though.
(Of course, there's probably another back door hiding in the system itself...)
I work for a large company that handles sensitive stock market data and, as such, is bound by laws such as SOX that require the integrity of processes and audit. How could we deploy any Android device (or iPhone/pad) when we are aware that a third party has the ability to modify its software/contents without our knowledge? I can't see any way we could certify it as compliant when that might be changed at any time.
We are a major Blackberry user. If I understand correctly our BES is administered by our company and not by our carrier so we get to say what content gets put onto them. I'm not saying there is no back door RIM could use to insert content but I've seen no evidence of one.
I suspect that those of you defending Google would defend Google whatever they did simply because you believe in their "don't be evil" marketing crap.
So long as you believe that Google would never abuse this facility in order to push out or remove applications for good reasons then that's fine. But where do you get the idea that just because somebody says they're not a bad guy that means they must be a good guy? I don't suppose Adolf Hitler went around telling everybody he was evil did he? Nope, he thought he was a good guy. Extreme example, but you get my point.
Google gobbling up your wifi data? I seem to remember they told us they hadn't done that right up until the point where they admitted they had. If you can't trust them on that how come you can trust them on the remote install/remove issue?
People on here seem to think that MS are the most evil thing since the Nazi party, but even they don't have the power to install or remove software without users knowing about it.
Some of us saw Google's true colours years ago, but if you still haven't woken up and spotted them then you probably deserve to be screwed by them. Twice.
>>People on here seem to think that MS are the most evil thing since the Nazi party, but even they don't have the power to install or remove software without users knowing about it.<<
So far as we know... although given the way Genuine Advantage and WAT behaves, I don't really agree.
All you people going on about Google and Microsoft. We should never forget the real enemy - Apple! Simply replace Google for the Romans and Apple for the Judean People's Front and it all makes sense (the Popular Front is of course Palm).
Reg: “The only people we hate more than the Romans are the f**king Judean People’s Front.”
Stan: “Yeah, the Judean People’s Front.”
Reg: “Yeah. Splitters.”
Stan: “And the Popular Front of Judea.”
Reg: “Yeah. Splitters.”
Stan: “And the People’s Front of Judea.”
Reg: “Yea... what?”
Stan: “The People’s Front of Judea. Splitters.”
Reg: “We're the People’s Front of Judea!”
Stan: “Oh. I thought we were the Popular Front.”
Reg: “People’s Front!”
Francis: “Whatever happened to the Popular Front, Reg?”
Reg: “He’s over there.” [points to a lone man]
Reg, Stan, Francis, Judith: “SPLITTER!”