If you have ever used an Android phone, you will know that Google’s Android Market, now Google Play, has two versions: a mobile version and a desktop version. Whichever version you use, you need to register a Gmail account and enter that account on your handset during the setup process or later. Otherwise you will not be able to use any Google service such as Gmail, Google Play, Google Maps, Latitude, etc.
It’s quite easy to install apps from the mobile Google Play: you log in, search for an app, tap install, and it appears on your handset. The most unbelievable thing, however, is installing apps from the desktop version. Open Google Play in your browser, search for an app, and click install. Your carrier and phone model will appear after you log into Gmail, and Google Play will check compatibility. If the app is available for your handset, one further click will prompt your Android device to download and install it. Just one simple click!
That’s not the whole story. Not only can Google remotely install apps onto any Android phone, but the search giant can also remotely remove any app from citizens’ phones. A security researcher called Oberheide actually experienced the whole process. Oberheide developed an app, RootStrap, to show how easy it is to bootstrap a rootkit onto Android mobile devices. He then uploaded it to Android Market, where it had a few hundred downloads. Google finally learned of this by way of a Forbes article. Although the app posed no threat to Android phones, Google asked Oberheide to remove the app from the then Android Market and used the remote removal feature to clean the app off all Android devices that had installed it, without the owners’ consent.
And that is called a kill switch. Google is not alone: Apple has the same power over the iOS devices it sells, and Microsoft is said to be introducing this into its Windows operating system as well.
According to Oberheide, Google is able to remotely install and remove apps from Android devices with two powerful tools, INSTALL_ASSET and REMOVE_ASSET. Google maintains a persistent TCP/SSL/XMPP connection to all Android phones. Once you click install on any app on Google Play, Google’s servers push an INSTALL_ASSET message down the GTalkService pipe. Your handset then automatically downloads and installs the app.
There is some misleading information about GTalkService and the GTalkService.apk file. It’s easy for people to think of it as Google’s IM GTalk, an app for people to chat online. However, it’s not. I came across this thread at the beginning of this year. The OP had a problem with GTalkService running on its own even though he was not signed into GTalk, and killed the process from time to time. I also saw someone asking others to send him the GTalkService.apk file as he was not able to install any apps from Android Market. That’s right, GTalkService is used to install apps, not to chat with others.
If you are willing to dig a little more into GTalkService and what happens when you click install on Google Play, check this post out. It might be boring, but it provides insightful information.
The remote install and removal feature might be the last resort if viruses or malware flood Android phones; Google can use it to remove those apps quickly. However, it’s still unknown whether Google can use it to uninstall apps downloaded from app markets other than Google Play. Even so, people may feel upset about it. Anyway, we do not want others to have such powerful control over our handsets, not even Google, especially given that Google does a terrible job with people’s privacy.
Furthermore, Google’s INSTALL_ASSET and REMOVE_ASSET functionality applies no encryption to the messages it delivers other than the SSL connection. If GTalkService is ever compromised, malicious apps will impact millions of Android mobile devices. It would be a nightmare!!
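An added example, not code from Google, Oberheide or this post: it contrasts a handler that acts on whatever arrives over the connection with one that also checks a per-message authentication tag and rejects replays. The JSON field names, the key and the use of HMAC are assumptions made for illustration; the real message format is not shown on this page.

```python
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"  # assumption: per-device secret, constructed
ALLOWED_TYPES = {"INSTALL_ASSET", "REMOVE_ASSET"}


def make_message(msg_type, package, nonce):
    """Build a constructed sample message; the field names are hypothetical."""
    fields = {"type": msg_type, "package": package, "nonce": nonce}
    return json.dumps(fields).encode()


def sign(body, key=DEVICE_KEY):
    """Sender side: tag the exact bytes that go over the wire."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_channel_only(body):
    """Weak form: whatever arrives on the connection is acted on."""
    msg = json.loads(body)
    return f"{msg['type']} {msg['package']}"


class AuthenticatedHandler:
    """Hardened form: check a per-message tag, the type, and the nonce."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.seen_nonces = set()

    def handle(self, body, tag):
        # Verify the tag before parsing, using a constant-time comparison.
        if not hmac.compare_digest(sign(body, self.key), tag):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg.get("type") not in ALLOWED_TYPES or not msg.get("package"):
            return "rejected: malformed"
        nonce = msg.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return f"{msg['type']} {msg['package']}"
```

With the hardened handler, a party that controls the transport but lacks the key cannot get an install or removal message accepted, and a captured valid message cannot be replayed.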
Update: for reference, I would recommend an article from the Apple Developer Documentation, which details how an iOS device initiates and maintains a TLS link to Apple’s APN server for pushing notifications. Please note that TLS is more secure than SSL.