[guardian-dev] Android WebView SOP vulnerability (CVE-2014-6041)

Hans-Christoph Steiner hans at guardianproject.info
Tue Sep 23 12:13:58 EDT 2014


Nathan of Guardian wrote:
> 
> 
> On Fri, Sep 19, 2014, at 12:16 PM, Hans-Christoph Steiner wrote:
>> Yet another stark reminder that the web only really works with public
>> information.  Running applications on the web is really just a terrible
>> idea from a security and privacy point of view.
> 
> Well, that cuts off about 99% of the usefulness of it!
> 
> Though now that Chrome can run Android apps, maybe we are moving back
> into native/compiled/purpose-built binaries!

Native apps can do networked stuff just fine, there is no need to use such a
horribly insecure platform.  Look at all the networked mobile apps, e.g.
Facebook, etc.

The companies that are pushing everyone to webapps are generally based on data
mining business models (Google, Facebook, Yahoo, etc), so webapps are not
designed with the user's security in mind.  Here's more fun news on the topic:
jquery.com got pwned and was serving malware:
http://www.net-security.org/malware_news.php?id=2869

Web apps are structured around letting any random website execute code on
your machine, and they can even include random code from any other website and
transparently execute that on your machine.

It is not surprising that Finspy, NSA, etc. all focus on using websites to pwn
computers.

.hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81