Is Adblock Plus using a security hole in Android?
Is Adblock Plus using a security hole in Android?
According to this Android bug report we are abusing a security hole in Android and that issue has already been assigned to someone with priority high. Should we prepare for the worst case or wait and see what comes out of this?
Hopefully, they simply introduce a new permission - or even better: a new proxy API!?
Hopefully, they simply introduce a new permission - or even better: a new proxy API!?
Re: Is Adblock Plus using a security hole in Android?
We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.
Re: Is Adblock Plus using a security hole in Android?
The only problem seems to be that users are currently unaware that an app can do that when they download it. That's why I suggested having a specific permission for that which reflects that. (like Google introduced it for Chrome extensions that want access to chrome.webRequest)Wladimir Palant wrote:We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.
Re: Is Adblock Plus using a security hole in Android?
If they do get rid of it, I think we can make manual configuration much easier by:greiner wrote:Hopefully, they simply introduce a new permission - or even better: a new proxy API!?
- Opening the proxy settings activity for the user (should be possible)
- Using the most memorable port available, e.g. 11111, 22222 etc.
Re: Is Adblock Plus using a security hole in Android?
Frankly, it's good to see this discussed. The current proxy API is a huge mess with chunks of dysfunctional code from Android 3.0 and basically no proper documentation. Maybe this will get straightened out - one way or another.
-
- Posts: 52
- Joined: Fri Feb 03, 2012 1:18 pm
Re: Is Adblock Plus using a security hole in Android?
It's closed already, what does it mean?
Re: Is Adblock Plus using a security hole in Android?
Apparently that it's been fixed:Andrey Novikov wrote:It's closed already, what does it mean?
FutureRelease: This bug has been fixed (or feature implemented) in a source tree, but has not yet been included in a formal Android platform release. (Note that this may also include fixes that exist in a private source tree that has not yet been contributed to a public tree.)
Weird that there was no public discussion whatsoever though...
Re: Is Adblock Plus using a security hole in Android?
Maybe we should bring that discussion up somehow?fhd wrote:Weird that there was no public discussion whatsoever though...
I wonder how they fixed it...
Re: Is Adblock Plus using a security hole in Android?
You tried to, they probably discussed this internally. From what I've seen/heard so far, Android isn't a very open project, open source or not.greiner wrote:Maybe we should bring that discussion up somehow?
Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.
We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.
-
- Posts: 52
- Joined: Fri Feb 03, 2012 1:18 pm
Re: Is Adblock Plus using a security hole in Android?
I'm afraid they just have added a check if the calling process is system or not.
Re: Is Adblock Plus using a security hole in Android?
I guess we have no other choice in that case. It needs to be as straightforward as possible without any complicated explanations.fhd wrote:We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.
Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.Andrey Novikov wrote:I'm afraid they just have added a check if the calling process is system or not.
Do you have a link to the change?
Re: Is Adblock Plus using a security hole in Android?
I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.greiner wrote:Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.Andrey Novikov wrote:I'm afraid they just have added a check if the calling process is system or not.
Do you have a link to the change?
Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.
Re: Is Adblock Plus using a security hole in Android?
I guess we have to wait for the actual code then - or at least for a hint on the issue report on how they plan/accomplished to fix it.fhd wrote:I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.
Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.
Re: Is Adblock Plus using a security hole in Android?
They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.fhd wrote:Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.
Re: Is Adblock Plus using a security hole in Android?
Good point, Google's internal review system (called Mondrian) is apparently similar to Rietveld, written by Guido as well. Might just share the same issue number format. Then again, Gerrit is from Google as well AFAIK.Wladimir Palant wrote:They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.fhd wrote:Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.