There was a minor flap yesterday when it came out that Google had used their remote kill ability to delete apps from a few users’ phones. I’m not going to restate my thoughts on that here, but in the interest of getting the complete story out, I thought I’d give a link to Jon Oberheide, who created the apps they removed. He’s a security researcher and was evaluating the risk associated with malicious apps, and when Google disappeared the apps off his phone, he checked out the method they used.
Turns out that in addition to the REMOVE_ASSET command, there’s an INSTALL_ASSET as well, allowing Google to remotely install apps (or, more likely, replace or modify existing apps with security holes or whatnot). Head over to Jon’s site for his analysis.
They’re noting at Reddit, where I found the link, that these commands only apply to apps downloaded through the marketplace. That’s refreshing! So if you sideload stuff, Google has no access to it.