Counter Measure: Disable GTalkService

[E3V3A]

It's been known for a long time that Google has the power to pull or push any app to/from your phone, using the GTalkService: INSTALL_ASSET or REMOVE_ASSET. Thus we would like to disable this dangerous functionality, or at least detect it, when app is in a non-green detection/status mode. In addition, turning off GTalkService will also improve your battery life somewhat. Fortunately (!) this will also block the use of Google Play and updates. We need to:

• Collect more info on which exact service need to be disabled
• Find out if the above event can be easily detected and/or blocked, even if all services are running.

---

References:
https://jon.oberheide.org/blog/2010/06/28/a-peek-inside-the-gtalkservice-connection/
http://forum.xda-developers.com/showthread.php?t=2357417&page=119
http://forum.xda-developers.com/xperia-u/issues/app-disable-service-t2455525

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[SecUpwN]

@E3V3A, thanks for adding this. Since I run a CustomROM, I guess I don't have GTalkService since I did not flash a GAPPS-package. How can I verify that no services like GTalkService are running?

[E3V3A]

So how do you install apps on that? If you can use Google Play, then it's probably running...

[SecUpwN]

I enjoy using Aptoide and F-Droid. The least thing I'd ever install on my phone, is GAPPS. That is a perfect bundle of spyware, folks. I am happy having freed my phone.

[andr3jx]

Use this to disable services:
https://play.google.com/store/apps/details?id=cn.wq.disableservice&hl=en
But I don't think if this approach is really so good. If people use Google's services they can't expect that Google will ask them for anything. As far as I know Google used this feature to remove a malware-app on all phones after it was installed.

[E3V3A]

@andr3jx I don't see how that has anything to do with this issue? (You're suggesting to download an outdated service app from GP to disable gtalkservice?) We can obviously do this much easier from command line.

[andr3jx]

I don't see how this issue is related to detecting IMSI-Catchers. I'm against implementing it. If someone wants to disable some google services he can use the mentioned app.

[SecUpwN]

@andr3jx and @E3V3A, would you please stop fighting like two little kids here? In my eyes, disabling GTalkService is not on our current priority list, yet I do consider proposed feature important to be added at some point. Why? If Google can obviously boldly ignore Issue 5353 since 2009, then I have to suppose they are working together with agencies that do not want people to be warned about such things like unencrypted communication channels, Silent SMS or other possible attacks. And that leads me to the assumption that our App could get uninstalled through them without the user of our App knowing. Maybe @mar-v-in from the NOGAPPS Project can help us conveniently disabling this service?

[E3V3A]

Ok, let me clarify how this is related to this AIMSICD. The Google INSTALL_ASSET or REMOVE_ASSET can be used to install or remove anything (by anyone), including our app and replacing it with spyware, if someone wanted to. Now I'm not saying this is trivial to do, which it isn't, but the fact that it can be done, is bad enough, especially when your name is Google. So this is an extremely dangerous function, that we really think the user should be in charge of.

Thus, the proposal is to implement this as a detection mechanism in settings, and let the user decide whether or not this can be disabled. So there is nothing really to argue about here. In addition, this is one of the very few easy to implement detections of when your device is being remotely manipulated. That is the skull icon. "Hit emergency wipe, drop and run!"

[SecUpwN]

@E3V3A, thank you for this clarification. Everyone should now see the additional importance to implement this feature. And thanks for your comment, @andr3jx! I have just contacted the developer of the App and hope he might shed some light on how to fully disable GTalkService.

[E3V3A]

XPrivacy might be another choice to look into...

[SecUpwN]

XPrivacy might be another choice to look into...

Maybe @M66B can give us a hint on an easy solution?

[E3V3A]

Here are two more articles on the Andoid remote "Kill Switch" law in California and how EFF is trying to prevent this craziness. here and here
Note: it's quite possible that kill switch is different from that of Google in OP.

[E3V3A]

Kill switch is made by Google.

Google released Android 5.0 Lollipop Wednesday, and for the first time, it lets users to enable a “kill switch” on their phones. The feature, dubbed “factory reset protection,” requires a Google ID and password before a phone can be reset, and only works when a phone passcode is enabled.