More than a decade ago, I had a Galaxy Nexus on Verizon, a U.S.-exclusive carrier. Verizon and Android fans devoted to Google’s “pure” versions of Android were unhappy roommates, as the phone was overloaded with Verizon apps and operating system updates were perpetually late. I’m always reminded of this when I see a pre-installed Verizon app deep in the bowels of a Google Pixel phone. That app, Showcase.apk, is finally going away.
The app is a system tool used by Verizon retail employees to give demos in stores, a sort of restricted environment used to show off some of the phone’s capabilities and a lot of the carrier’s over-the-top marketing. Unfortunately, it’s also a pretty glaring security flaw, as it’s accessible at the system level and regular users can’t uninstall it without serious tampering.
According to a report by iVerify and Palantir, the Showcase app contains an unsecured backdoor because it can be installed over unsecured HTTP. Theoretically, it’s possible for someone to cause serious harm to any Pixel phone with the app pre-installed, which includes virtually all Pixels sold by Verizon since 2017 (or sold as a Verizon version by partners like Best Buy).
The good news is that while this app makes your phone frighteningly vulnerable to attacks, those attacks would primarily rely on physical access and there is no evidence of the app actually being used as a vector in the wild.
Google has decided that the app needs to go anyway, following the motto “better safe than sorry.” A Google spokesperson told Android Authority that a future Pixel software update will remove the app from “all supported Pixel devices on the market.” That is, any Pixel phone that still receives updates – Pixel 4 and newer, including the new Pixel 9 phones when they go on sale in September.