Comments

  • archchan
    link
    fedilink
    English
    arrow-up
    4
    ·
    3 months ago

    What about Google Play Services? A pre-installed Swiss army knife of a system app with proprietary code and apps relying on it as a dependency seems to check the box.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      3 months ago

      That might be possible. I’m not an expert in the wide ranging permissions that preinstalled system apps can access. It would require Google complicity. We haven’t seen this behavior in various sandbox versions of Google play running on custom ROMs, nor hasn’t been seen in any teardowns, but it cannot be completely ruled out.

      I feel like there are better places to hide such malicious code. For example, down in the hardware abstraction layer, or another proprietary demons that aren’t part of AOSP. At the end of the day, you need to have some trust in the company that develops your OS.