Is Adblock Plus using a security hole in Android?

[greiner]

According to this Android bug report we are abusing a security hole in Android and that issue has already been assigned to someone with priority high. Should we prepare for the worst case or wait and see what comes out of this?

Hopefully, they simply introduce a new permission - or even better: a new proxy API!?

[Wladimir Palant]

We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.

[greiner]

We'll have to see. The proxy selection API is definitely not a bug, it has been introduced intentionally. It is not exactly well-documented but it seems that this functionality is considered useful.

The only problem seems to be that users are currently unaware that an app can do that when they download it. That's why I suggested having a specific permission for that which reflects that. (like Google introduced it for Chrome extensions that want access to chrome.webRequest)

[fhd]

Hopefully, they simply introduce a new permission - or even better: a new proxy API!?

If they do get rid of it, I think we can make manual configuration much easier by:

1. Opening the proxy settings activity for the user (should be possible)
2. Using the most memorable port available, e.g. 11111, 22222 etc.

[Wladimir Palant]

Frankly, it's good to see this discussed. The current proxy API is a huge mess with chunks of dysfunctional code from Android 3.0 and basically no proper documentation. Maybe this will get straightened out - one way or another.

[Andrey Novikov]

It's closed already, what does it mean?

[fhd]

It's closed already, what does it mean?

Apparently that it's been fixed:

FutureRelease: This bug has been fixed (or feature implemented) in a source tree, but has not yet been included in a formal Android platform release. (Note that this may also include fixes that exist in a private source tree that has not yet been contributed to a public tree.)

Weird that there was no public discussion whatsoever though...

[greiner]

Weird that there was no public discussion whatsoever though...

Maybe we should bring that discussion up somehow?

I wonder how they fixed it...

[fhd]

Maybe we should bring that discussion up somehow?

You tried to, they probably discussed this internally. From what I've seen/heard so far, Android isn't a very open project, open source or not.

Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.

[Andrey Novikov]

I'm afraid they just have added a check if the calling process is system or not.

[greiner]

We may want to implement my suggestion to make manual proxy setup easier, just to be on the safe side.

I guess we have no other choice in that case. It needs to be as straightforward as possible without any complicated explanations.

I'm afraid they just have added a check if the calling process is system or not.

Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.

Do you have a link to the change?

[fhd]

I'm afraid they just have added a check if the calling process is system or not.

Sounds like the usefulness of our app will deteriorate for all 3.1+ users... eliminating the highly praised works-out-of-the-box experience.

Do you have a link to the change?

I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.

Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.

[greiner]

I believe he meant "I fear...", not "I'm afraid..." - i.e. he just thinks they might have done it.

Even if they did that, FutureRelease seems to imply they're not backporting it to the current releases.

I guess we have to wait for the actual code then - or at least for a hint on the issue report on how they plan/accomplished to fix it.

[Wladimir Palant]

Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.

[fhd]

Android has many repositories, and since the email addresses are anonymised, it's not easy to find the actual change. I had a look at the code review queue, doesn't seem like there was anything with "proxy" in the subject in the last few days.

They probably have a separate queue for security-sensitive bugs. At least 7622253 looks like a rietveld issue number - probably referring to an internal instance.

Good point, Google's internal review system (called Mondrian) is apparently similar to Rietveld, written by Guido as well. Might just share the same issue number format. Then again, Gerrit is from Google as well AFAIK.