Is Adblock Plus using a security hole in Android?


Postby greiner » Thu Nov 29, 2012 5:43 pm

According to this Android bug report we are abusing a security hole in Android and that issue has already been assigned to someone with priority high. Should we prepare for the worst case or wait and see what comes out of this?

Hopefully, they simply introduce a new permission - or even better: a new proxy API!?
greiner
ABP Developer
 
Posts: 815
Joined: Mon Sep 03, 2012 5:29 pm
Location: Cologne, Germany

Re: Is Adblock Plus using a security hole in Android?

Postby Wladimir Palant » Thu Nov 29, 2012 10:52 pm

We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.
Wladimir Palant
ABP Developer
 
Posts: 8395
Joined: Fri Jun 09, 2006 6:59 pm
Location: Cologne, Germany

Re: Is Adblock Plus using a security hole in Android?

Postby greiner » Thu Nov 29, 2012 11:19 pm

Wladimir Palant wrote: We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.

The only problem seems to be that users are currently unaware that an app can do that when they download it. That's why I suggested having a specific permission for that which reflects that. (like Google introduced it for Chrome extensions that want access to chrome.webRequest)

Re: Is Adblock Plus using a security hole in Android?

Postby fhd » Fri Nov 30, 2012 7:12 am

greiner wrote: Hopefully, they simply introduce a new permission - or even better: a new proxy API!?


If they do get rid of it, I think we can make manual configuration much easier by:

  1. Opening the proxy settings activity for the user (should be possible)
  2. Using the most memorable port available, e.g. 11111, 22222 etc.
fhd
 
Posts: 119
Joined: Mon Sep 03, 2012 5:29 pm

Re: Is Adblock Plus using a security hole in Android?

Postby Wladimir Palant » Fri Nov 30, 2012 8:52 am

Frankly, it's good to see this discussed. The current proxy API is a huge mess with chunks of dysfunctional code from Android 3.0 and basically no proper documentation. Maybe this will get straightened out - one way or another.

Re: Is Adblock Plus using a security hole in Android?

Postby Andrey Novikov » Fri Nov 30, 2012 8:58 am

It's closed already, what does it mean?
Andrey Novikov
 
Posts: 52
Joined: Fri Feb 03, 2012 2:18 pm

Re: Is Adblock Plus using a security hole in Android?

Postby fhd » Fri Nov 30, 2012 9:06 am

Andrey Novikov wrote: It's closed already, what does it mean?


Apparently that it's been fixed:

FutureRelease: This bug has been fixed (or feature implemented) in a source tree, but has not yet been included in a formal Android platform release. (Note that this may also include fixes that exist in a private source tree that has not yet been contributed to a public tree.)



Weird that there was no public discussion whatsoever though...

Re: Is Adblock Plus using a security hole in Android?

Postby greiner » Fri Nov 30, 2012 11:08 am

fhd wrote: Weird that there was no public discussion whatsoever though...

Maybe we should bring that discussion up somehow?

I wonder how they fixed it...

Re: Is Adblock Plus using a security hole in Android?

Postby fhd » Fri Nov 30, 2012 11:29 am

greiner wrote: Maybe we should bring that discussion up somehow?


You tried to, they probably discussed this internally. From what I've seen/heard so far, Android isn't a very open project, open source or not.

Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.

Re: Is Adblock Plus using a security hole in Android?

Postby Andrey Novikov » Fri Nov 30, 2012 11:31 am

I'm afraid they just have added a check if the calling process is system or not.

Re: Is Adblock Plus using a security hole in Android?

Postby greiner » Fri Nov 30, 2012 11:54 am

fhd wrote: We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.

I guess we have no other choice in that case. It needs to be as straightforward as possible without any complicated explanations.

Andrey Novikov wrote: I'm afraid they just have added a check if the calling process is system or not.

Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.

Do you have a link to the change?

Re: Is Adblock Plus using a security hole in Android?

Postby fhd » Fri Nov 30, 2012 12:02 pm

greiner wrote:
Andrey Novikov wrote: I'm afraid they just have added a check if the calling process is system or not.

Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.

Do you have a link to the change?


I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.

Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.

Re: Is Adblock Plus using a security hole in Android?

Postby greiner » Fri Nov 30, 2012 12:15 pm

fhd wrote: I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.

Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.

I guess we have to wait for the actual code then - or at least for a hint on the issue report on how they plan/accomplished to fix it.

Re: Is Adblock Plus using a security hole in Android?

Postby Wladimir Palant » Fri Nov 30, 2012 5:07 pm

fhd wrote: Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.

Re: Is Adblock Plus using a security hole in Android?

Postby fhd » Fri Nov 30, 2012 5:11 pm

Wladimir Palant wrote:
fhd wrote: Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.


Good point, Google's internal review system (called Mondrian) is apparently similar to Rietveld, written by Guido as well. Might just share the same issue number format. Then again, Gerrit is from Google as well AFAIK.
