More than ten years ago I had a Galaxy Nexus on Verizon, a carrier exclusive in the US. Verizon and Android fans committed to Google’s “pure” Android builds were unhappy roommates, with the phone bogged down by Verizon apps and constantly late on OS updates. I can’t help but be reminded of it when I see a pre-loaded Verizon app deep in the bowels of a Google Pixel phone. That app, Showcase.apk, is finally going away.
The app is a system tool used by Verizon retail employees to give in-store demos, the kind of limited environment that shows off a few of the phone’s abilities and a lot of the carrier’s hyperbolic marketing. Unfortunately it’s also a pretty glaring security hole thanks to its system-level access, and the fact that regular users can’t uninstall it without some serious tinkering.
According to a report from iVerify and Palantir, the Showcase app includes an unsecured backdoor thanks to its ability to install via unsecured HTTP. Theoretically it’s possible for someone to do some serious harm to any Pixel phone with the app pre-loaded, which includes pretty much any Pixel sold by Verizon (or as a Verizon version sold by partners like Best Buy) since 2017.
The good news is that while this app leaves your phone shockingly open to attacks, those attacks would rely on physical access first, and there’s no indication that it’s actually being used as a vector in the wild.
Google has decided it needs to go anyway, in a better-safe-than-sorry approach. A Google spokesperson told Android Auithority that a future Pixel software update will remove the app from “all supported in-market Pixel devices.” So any Pixel phone that’s still getting updates — Pixel 4 and newer, including the new Pixel 9 phones when they go on sale in September.
:focal(1207x489:1209x487)/origin-imgresizer.eurosport.com/2024/11/07/4059788-82333408-2560-1440.jpg?w=150&resize=150,150&ssl=1)
