More than a decade ago, I owned a Galaxy Nexus on Verizon, a carrier exclusive to the United States. Verizon and Android fans who were attached to Google’s “pure” versions of Android were disgruntled roommates, with the phone bogged down in Verizon apps and constantly behind on OS updates. I can’t help but be reminded of that when I see a preloaded Verizon app deep in the bowels of a Google Pixel phone. That app, Showcase.apk, is finally going away.
The app is a system tool used by Verizon employees to do in-store demos, the kind of limited environment that showcases some of the phone’s capabilities and much of the carrier’s hyperbolic marketing. Unfortunately, it’s also a pretty glaring security hole because of its system-level access and the fact that regular users can’t uninstall it without some serious tweaking.
According to a report from iVerify and Palantir, the Showcase app includes an insecure backdoor thanks to its ability to install itself via unsecured HTTP. Theoretically, it’s possible for someone to cause serious damage to any Pixel phone with the preloaded app, which includes virtually every Pixel sold by Verizon (or Verizon versions sold by partners like Best Buy) since 2017.
The good news is that while this app leaves your phone surprisingly exposed to attacks, those attacks would rely on physical access first, and there’s no indication that it’s actually being used as a vector in the wild.
Google decided to walk away anyway, in a “better safe than sorry” approach. A Google spokesperson told Android Authority that a future Pixel software update would remove the app from “all supported Pixel devices in the market.” That means any Pixel phone that’s still getting updates — Pixel 4 and newer, including the new Pixel 9 phones when they go on sale in September.
