Favoring Snackbars Over Security
Another day, another report of Android security flaws.
In particular, this flaw makes for a fine demonstration of what I feel are Google’s messed-up priorities.
Here, we have an app that is not sanitizing its inputs. It has an activity
that accepts a URL via an
and (apparently) blindly hands the URL to a
WebView. Net result: an attacker can access any file within that
app’s internal storage,
which is supposed to be private to the app.
Again: this is an app. It’s not part of the framework. Google publishes this app on the Play Store.
This leads to some interesting questions:
Why is it that we have tons of documentation about how Google wants GUIs to appear and very little about how developers should secure their apps? Are we to interpret this as meaning that Google values snackbars over security?
Why can’t we have a Project Schneier, focused on helping developers to secure their apps? While I will agree that Project Butter (60fps
View-based UIs), Project Svelte (helping with Android One), and Project Volta (battery and power consumption) are important, one would hope that security would be right up there with them.
(note: no actual Schneiers were harmed in the creation of this blog post)
Even if Google has a Project Schneier in, say, Android O(MG), will they actually use it? After all, Project Butter was a few years ago, and
StrictModecame out in 2010, yet the framework team apparently does not use
StrictModeto test framework code. Will it be 2020 before Google would apply their own advice and tools to securing their own stuff?
When will I see blog posts, videos, conference presentations, and the like from the Android developer relations group related to security?
And so on.
I’m not expecting a lot of movement from Google in this area, as I have long ago given up worrying about what Google does. So I do what I can to help with Android app security, and I applaud the work that others do in that same area.
And then, I wait for the next in a series of shoes to fall.