Hacker News

https://www.theverge.com/2024/8/15/24221151/google-pixel-sho...

  “This was very deleterious of trust, to have third-party, unvetted insecure software on it,” Dane Stuckey, Palantir’s chief information security officer, told The Washington Post. “We have no idea how it got there, so we made the decision to effectively ban Androids internally.”

  “It’s really quite troubling. Pixels are meant to be clean,” Stuckey, of Palantir, told the Post. “There is a bunch of defense stuff built on Pixel phones.”
Pixel phones have AVF/pKVM, which can be used to isolate security-sensitive workloads in a separate VM, https://source.android.com/docs/core/virtualization/architec...



Interesting, though I don't think that isolating sensitive stuff in a VM is a reasonable security strategy if we are talking about low-level compromise of the entire architecture. Or did you want to rationalize the usage for "defense stuff"?


If sensitive data is isolated in an EL1 pKVM VM, it is protected from compromise of the host OS, which is also at EL1, thanks to the hypervisor at EL2.
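The EL1/EL2 split above only helps if the device actually advertises a protected-VM capable hypervisor. The script below is an added example, not code from the thread or from AOSP: it reads the `ro.boot.hypervisor.vm.supported` and `ro.boot.hypervisor.protected_vm.supported` boot properties (names taken from the AOSP AVF documentation; treat them as an assumption) and distinguishes "unprotected VMs only", where the host can still read guest memory, from pKVM protected VMs. It uses adb when a device is attached and otherwise falls back to constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether an Android device
# advertises pKVM protected-VM support. Property names are taken from the
# AOSP AVF docs and are an assumption here, not verified on this page.

# avf_status KEY=VALUE-LINES
# Prints a one-line verdict; returns 0 only when protected VMs are supported.
avf_status() {
    props="$1"
    vm=$(printf '%s\n' "$props" | sed -n 's/^ro\.boot\.hypervisor\.vm\.supported=//p')
    pvm=$(printf '%s\n' "$props" | sed -n 's/^ro\.boot\.hypervisor\.protected_vm\.supported=//p')
    if [ "$pvm" = "1" ]; then
        echo "protected pKVM VMs supported: EL2 hypervisor isolates guest memory from the EL1 host"
        return 0
    elif [ "$vm" = "1" ]; then
        echo "unprotected VMs only: host can read guest memory, no isolation from host compromise"
        return 1
    else
        echo "no AVF hypervisor advertised"
        return 1
    fi
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_PKVM="ro.boot.hypervisor.vm.supported=1
ro.boot.hypervisor.protected_vm.supported=1"
SAMPLE_UNPROTECTED="ro.boot.hypervisor.vm.supported=1
ro.boot.hypervisor.protected_vm.supported=0"
SAMPLE_NONE="ro.product.model=Example"

# Live path: getprop prints "[key]: [value]", so convert to key=value first.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    LIVE=$(adb shell getprop | tr -d '\r' | grep 'ro\.boot\.hypervisor' \
        | sed 's/^\[\(.*\)\]: \[\(.*\)\]$/\1=\2/')
    avf_status "$LIVE"
else
    avf_status "$SAMPLE_PKVM"
fi
```

The exit status is meant for fleet scripts: a nonzero result means any "sensitive workload in a VM" design on that device is sharing a trust boundary with the host kernel, which is the situation the comment above says pKVM avoids.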


That's a matter of terminology.

I'd argue that what you describe as "host" is rather a management VM which is allowed to talk directly to the hypervisor, though through this privilege it is most likely able to compromise it and all other guests.

But this doesn't really matter, as the attack vector we are talking about already has DMA and does not care about any of that.


It's kind of wild that Palantir would ban Android phones when this was software installed by Verizon. If Apple had installed disabled-but-insecure software on iOS, would it even be discoverable?


If the underlying OS has a remote access vulnerability wouldn't that compromise every VM OS running on top?


> wouldn't that compromise every VM OS running on top?

pKVM VMs run "on the side" rather than "on top" of the host OS, so any compromise of the host is isolated from guests, besides DoS.


This vulnerability isn't with the underlying OS though. They just installed a disabled application that has security concerns, but someone has to manually enable it for it to be a problem.




