About VZW Remote Diagnostics/AetherPal
I've been doing some research into Verizon's new remote diagnostic app, so I'll share my findings here. The app in question is Aetherpal.apk, which is located in /system/app/ in the FP1 update for the Droid Charge. When the phone boots up, this app establishes a connection with AetherPal's server to establish a secure session, and though it's hard to tell exactly how this happens by reading the smali code, it appears to use a combination of AES (symmetric encryption) and cipher block chaining (each section of the message is passed through a block cipher) for encryption.
After establishing a session, the app idles until it receives either a special SMS message or a packet over HTTPS, which can instruct it perform a variety of functions. I'm still investigating what these are, but some of the status codes are for starting streaming, pausing streaming, and initiating remote control. The application logs the actions taken in the course of the session, and there is some sort of a user interface that shows the user what the remote operator is currently doing with the phone in real-time. The log is sent back to Verizon's AetherPal service running on AetherPal's servers, where presumably Verizon representatives can access it.
Here is a nice diagram that AetherPal has made concerning their service: http://aetherpal.com/architecture.html
Well, that's it for now, but I'm going to continue investigating in more detail. In particular, I'm interested in how exactly the handshake happens during initialization, what information is logged (anything potentially sensitive?), and how much control remote operators have over the device. It would be good to confirm that some action is needed on the user's part to allow a remote operator to start controlling the device.