[Solved] Do Android devices allow application installation without any kind of confirmation on the device?

Ilie Pandia
11th April 2014, 15:08
Hello,

A bit of context first.

I have changed my mobile subscription to include more data and storage space on the cloud.

Once the subscription was updated, I've logged into the online customer self-care to setup my cloud access.

As you would expect you have a desktop application (that I had to install) and a mobile application.

Here comes the strange part... For the mobile application it said:

"Click here to install on your device".

I laughed and thought: that surely cannot work! I mean how can they know what device do I have, what OS and what my Google Play/Market password is.

But I clicked, just to see what happens. I got a message that the application will be installed shortly. Hm...

I picked up my Android phone and sure enough it started to download and then install the application without any kind of confirmation on my part on the device itself.

Now I'm worried! I think to myself: "I must have confirmed this somehow...". So I do it all over again, and again, w/o any kind of input from me, the Android device has downloaded and installed that application.

As you can imagine that is a huge problem!!

Yes, I had to log in to my self-care account, but what happened here just goes to show that a network operator can push apps into your mobile, and unless you're looking at it non-stop you may miss it! And if the network operator can do this, then anyone with the required skill level and motivation can do it. In theory, any pissed off employee from a network operator can push an app into the client's mobile phone to cause harm or steal data. (Or any agent that can infiltrate the operator's network).

How this works is beyond my knowledge... I've tried to Google it, but with no useful results.

Has anyone had a similar experience where some service (like your network operator) can push an application install into your device without your explicit confirmation on the physical device?

At this point I may be carrying a live spying device into my pocket and be none the wiser.

PS: I later found out that the network operator knows exactly what device you have and what operating system. That's still a privacy problem, but let's say I can accept it. But to install an application into my phone w/o my explicit confirmation on the physical device is still NOT OK.

PS2: Google Play (the Google Apps Market) allows you to install applications from the web into your device. But they require you to log in to your Google account and so they have the proper credentials to do this. The network operator however, does not have (to my knowledge) my Google login and password.

Ilie Pandia
11th April 2014, 15:12
Mystery solved

Turns out that I was logged into my email to read it. That was enough for the network provider to hook into my Android Application Store and install their application.

While I still would have liked to see a confirmation on the device, at least it makes sense now.

This is very similar to how if you are logged into Facebook, it appears as if every website on the web knows your name :)

I'm sure it happened to a lot of Facebook users to see their face and name in the comments box on some random site....

Bob
11th April 2014, 16:47
Hello,

[..]

Has anyone had a similar experience where some service (like your network operator) can push an application install into your device without your explicit confirmation on the physical device?

At this point I may be carrying a live spying device into my pocket and be none the wiser.

PS: I later found out that the network operator knows exactly what device you have and what operating system. That's still a privacy problem, but let's say I can accept it. But to install an application into my phone w/o my explicit confirmation on the physical device is still NOT OK.

PS2: Google Play (the Google Apps Market) allows you to install applications from the web into your device. But they require you to log in to your Google account and so they have the proper credentials to do this. The network operator however, does not have (to my knowledge) my Google login and password.

I had this happen with an iPad from Apple last month, a forced PUSH without allowing me to say yes to the download first. A similar type of forced push was attempted on the iPhone, where I managed to disconnect the server connection and stop the push.

Apple's server pushed the "update" without my permission, with ALL settings in the Setup-Configuration set to OFF (DO NOT DOWNLOAD). Instead the server forced a download, when it chose (or was instructed to by something or someone), putting up a message saying, "install it now?" on the iPad.

I was instructed by the engineering staff, at that point while I was on the phone with them, to click OK INSTALL - (what if I didn't want the forced update?) and it installed its basic couple-hundred-meg first-level "patch", and the iPad went back to the internet for more "customization" based on my stored user profile at Apple. Finally after a half hour of dealing with engineering the forced "push" was dealt with - (and the new version of course is still buggy).

Having complained to Tech support and speaking with engineers at Apple and submitted a detailed "bug report" - the response was in the end, "NEWS TO US, the server is NOT SUPPOSED to do that, not to download if you say NO, don't do it."

Since it is a SERVER they are saying that made the "mistake" of doing a forced PUSH, I just wonder if that's part of the OpenSSL "bug".

Ilie Pandia
11th April 2014, 17:30
Hello,

[..]

Has anyone had a similar experience where some service (like your network operator) can push an application install into your device without your explicit confirmation on the physical device?

At this point I may be carrying a live spying device into my pocket and be none the wiser.

PS: I later found out that the network operator knows exactly what device you have and what operating system. That's still a privacy problem, but let's say I can accept it. But to install an application into my phone w/o my explicit confirmation on the physical device is still NOT OK.

PS2: Google Play (the Google Apps Market) allows you to install applications from the web into your device. But they require you to log in to your Google account and so they have the proper credentials to do this. The network operator however, does not have (to my knowledge) my Google login and password.

I had this happen with an iPad from Apple last month, a forced PUSH without allowing me to say yes to the download first. A similar type of forced push was attempted on the iPhone, where I managed to disconnect the server connection and stop the push.

Apple's server pushed the "update" without my permission, with ALL settings in the Setup-Configuration set to OFF (DO NOT DOWNLOAD). Instead the server forced a download, when it chose (or was instructed to by something or someone), putting up a message saying, "install it now?" on the iPad.

I was instructed by the engineering staff, at that point while I was on the phone with them, to click OK INSTALL - (what if I didn't want the forced update?) and it installed its basic couple-hundred-meg first-level "patch", and the iPad went back to the internet for more "customization" based on my stored user profile at Apple. Finally after a half hour of dealing with engineering the forced "push" was dealt with - (and the new version of course is still buggy).

Having complained to Tech support and speaking with engineers at Apple and submitted a detailed "bug report" - the response was in the end, "NEWS TO US, the server is NOT SUPPOSED to do that, not to download if you say NO, don't do it."

Since it is a SERVER they are saying that made the "mistake" of doing a forced PUSH, I just wonder if that's part of the OpenSSL "bug".

Hi Bobd,

This is a kind of auto-update mechanism. It is not really new, but one should be able to opt out of it, and the software should honor your request.

If that does not happen then that's a problem. What I end up doing is disconnecting the device from the net altogether. (This is not always easily done and no one guarantees that the device will not attempt connection despite your settings).

I have friends with disconnected devices that still had to pay for "data transfers" recorded by their network operators :).

This is not part of the SSL bug (at least not directly related).

- Ilie

sirdipswitch
11th April 2014, 18:21
Hey!!! THANKS!!! For the heads up. I've been thinking about a new mobile device, and will now know the kinds of things to expect. Hats off to you guys for paying attention.

Limor Wolf
12th April 2014, 07:30
Hi Ilie,

Not one to ever have had a mobile, except for work, and with a severe inability to differentiate between all the new modern gadgets, even a lame person like myself has learned recently that the new iPhone nowadays is opened by a fingerprint reader (http://www.youtube.com/watch?v=TJkmc8-eyvE) (there is still the option to choose between several ways), and with what you yourself are observing, I think the direction of where they want to take it is pretty clear.