Reflects extremely poorly on Apple that several of their employees have been involved in spreading fabricated claims about Pixels. Convincing companies/governments to strictly use Apple products with clearly fraudulent claims about Pixels is scandalous.
https://x.com/GerzerSoftware/status/1825226770079244361
We directly talked about iVerify being a sandboxed app fundamentally incapable of providing significant defenses against sophisticated attackers:
https://x.com/GrapheneOS/status/1824194291591417961
It does not mean you should trust them to run code on your device, view your DNS requests, etc.
iVerify fabricated a fake Pixel vulnerability in order to promote their company/product alongside Palantir and Trail of Bits. It has been completely debunked by multiple researchers. Many people were previously aware of the app, the conditions for enabling it and had analyzed it.
Multiple privacy and security researchers have previously talked about this set of apps for supporting Verizon’s network functionality on Android. We analyzed these apps years ago and have publicly talked about it. We checked CarrierSettings and Showcase again before our thread.
Showcase (com.customermobile.preload.vzw) is Verizon’s retail demo app and is completely disabled at a package level with the other Verizon apps on Pixels unless someone has a Verizon SIM. The way they’re disabled is comparable to installing and uninstalling the apps on demand.
Showcase additionally requires a privileged OS setting in order to enable it. This setting has more limited access than other settings which are part of the public API. The level of access to enable it would be greater than the access the app has available for itself.
Using iVerify means trusting a Palantir partner with code execution, access to your DNS requests, etc.
Palantir is a surveillance company and is largely based around acquiring access to data mined by other companies. That’s reason enough to avoid code from them or their partners.
Here’s some background on Palantir:
Regardless of whether you share the views of most of the open source and privacy communities on Palantir and their partners, a security company like iVerify promoting products via fraudulent claims isn’t trustworthy.
Installing an app from their app store is giving arbitrary code execution within the app sandbox to the app developers. The app sandbox is far weaker than the browser sandbox for a website. It’s also easy enough for apps to do arbitrary things based on configuration and many do.
iVerify has been actively marketing to journalists while working with groups many journalists consider among their main adversaries.
Using an app is trusting the developers with arbitrary remote code execution in the app sandbox, which is a lot weaker than the web sandbox.
App sandbox simultaneously prevents iVerify from providing any significant value against a sophisticated attacker while also not being nearly strong enough to put up a serious defense against sophisticated adversaries. The value is oversold and it brings more risk than reward.
Thank you for de-threading this and making it readable… 🙏
You’re welcome!