The article is VERY misleading and probably shouldn’t have been published by Wired in the first place. GrapheneOS clarified the entire situation in this Mastodon thread: https://grapheneos.social/@GrapheneOS/112967309987371034
According to the article, the culprit is showcase.apk, an in-store demo app. I couldn’t find it on my P5 running lineage so hopefully that means AOSP / custom roms not based on stock roms are not affected.
The app is also not enabled even on a stock ROM, so the attacker would need to have physical access to your phone, and your password to enable the app before this man-in-the-middle attack could even be performed.
So it’s a manual manned man in the middle attack?
Super misleading title. It’s not even enabled on most pixels. So nothing was “exposed”