Tldr for dummies?
#GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and consequences of including or excluding them. Here it is being excluded from the new adevtool project for the late ProtonAOSP and GrapheneOS in 2021:
GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.
Here's a thread from 2017 posted from our project's previous Twitter account which was stolen by Copperhead in 2018:
https://x.com/CopperheadOS/status/903362108053704704
Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.
Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem but it was part of the apps we referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.
Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.
It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.
Discussion
A company that sells a security theater product that misleads people about detecting sophisticated remote attacks made a misrepresented claim that an unused, disabled app meant to run on Pixels for display in stores is an exploitable component. Mainstream media went with it without doing prior research.
Pixels cannot enable this app without physical access with ADB which requires the user's password, or a sophisticated remote execution exploit that would be more dangerous than the security implications they are trying to imply are.
GrapheneOS does not bundle this app and we were aware of it for years (2017 or earlier) so it's irrelevant to GrapheneOS users. It's scaremongering for marketing for a product that they can't even possibly do what they claim.
Understand thanks! Glad Im running G on my Pix and I appreciate the work yall do