There's absolutely nothing about this that's a horrible flaw and it's not exploitable for any real attack.
Google does include carrier apps which get activated based on the active SIM and add significant attack surface but this isn't one of those. It's always disabled and doesn't get automatically enabled like that. Google has previously given carriers a ridiculous amount of access on some of their devices but this isn't an example of that. It's a disabled demo component.
GrapheneOS /
npub1kw…se0nj
2024-08-15 21:40:12
in reply to nevent1q…regk
Author Public Key
npub1kwarc5z9lwhen05uknd2nuwhhthd4ws0cku3t9j3rchm0fcd6luslse0njPublished at
2024-08-15 21:40:12Event JSON
{
"id": "8b829a5813d9f8d373d3d5ad5ba28ceefdbf2ea80ada5687d9bf767f067bc093",
"pubkey": "b3ba3c5045fbaf99be9cb4daa9f1d7baeedaba0fc5b91596511e2fb7a70dd7f9",
"created_at": 1723758012,
"kind": 1,
"tags": [
[
"e",
"ae3e9c58bbe6ac8d9914379ee4c7c035bf17a74d7fae5c744977ca59617a84bc",
"",
"reply",
"b3ba3c5045fbaf99be9cb4daa9f1d7baeedaba0fc5b91596511e2fb7a70dd7f9"
],
[
"p",
"b3ba3c5045fbaf99be9cb4daa9f1d7baeedaba0fc5b91596511e2fb7a70dd7f9"
],
[
"proxy",
"https://grapheneos.social/@GrapheneOS/112968205135054762",
"web"
],
[
"e",
"ccf1ea29d6453f8578b16ce2c3d30cda8b71ab32c0843b5fc1db55a97b36b0ee",
"",
"root",
"1915bc3488de389cecb12727ac019f3834ec901d38924e374483edc20fc1ef73"
],
[
"p",
"1915bc3488de389cecb12727ac019f3834ec901d38924e374483edc20fc1ef73"
],
[
"proxy",
"https://grapheneos.social/users/GrapheneOS/statuses/112968205135054762",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://grapheneos.social/users/GrapheneOS/statuses/112968205135054762",
"pink.momostr"
],
[
"-"
]
],
"content": "There's absolutely nothing about this that's a horrible flaw and it's not exploitable for any real attack.\n\nGoogle does include carrier apps which get activated based on the active SIM and add significant attack surface but this isn't one of those. It's always disabled and doesn't get automatically enabled like that. Google has previously given carriers a ridiculous amount of access on some of their devices but this isn't an example of that. It's a disabled demo component.",
"sig": "d2dda5fb1e718e246bf8648c7a54d27f1254346aadf9862e47bc7ca2364e063e69a5cd4760e722f7e34166877baeada015f7b9add60d2300cb2382380eb5fe63"
}