Hacker News new | past | comments | ask | show | jobs | submit login

Likely the app was not embedded in the sim. It was likely a carrier profile that the sim activated that triggered the download and install of the app.

Maybe, but you'd be surprised what kinds of SIM application toolkit based products there are in the world. These are actually running on the SIM, with your phone only proxying input/output!

For example in many African countries, you have M-Pesa [1], which was at least initially entirely based on SAT.

[1] https://en.wikipedia.org/wiki/M-Pesa

Essentially, the OS has a backdoor to allow commands from the SIM. I wonder what other uses are there for this method?

Is it still a backdoor if it is publicly documented?

Also, the API is somewhat limited. "Installing applications" here means "downloading code to the SIM card", which arguably has always been the phone provider's property.

It's definitely not possible to install apps on the application processor OS via SIM-OTA. That would be OS-based carrier profiles, which the OS vendor has deliberately implemented.

You may know there is one but you still don't know how to open/use it.

The more important question is, can the SIM itself be remotely updated.

If so, any entity with a court order, can install anything it wants on your phone.

Alternatively, any entity it wants can use the sim itself to track beyond the norm...

Not really updated, but new applications can be remotely installed and then interact with the baseband and (to a limited extent) the smartphone OS.

It‘s not "any entity", though – the provider’s keys are needed to do this, and they can already do much of that tracking using other, network-side means.

If the signing keys are compromised, though, bad things can happen: https://www.srlabs.de/bites/rooting-sim-cards

Couldn't installations be observed though?

They could (using a setup like the one in the article), but the payload is usually encrypted in addition to being authenticated, and such OTA updates are done for legitimate reasons all the time.

A distinction without difference from the end-user's perspective.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact