[workaround] for (outdated) Gallery and/or (vulnerable) Browser apps, based on (non-free!) binaries
Added by My Self over 9 years ago
This topic could help you survive the hard time waiting for final solutions to some points on the Replicant Tasks list: http://redmine.replicant.us/projects/replicant/wiki/Tasks
But at the price of losing a piece of freedom (by using freeware binaries instead of open source software).
So none of these workaround steps are recommended without restriction!
Because you definitely should disable the standard browser (on Replicant 4.2.X): http://redmine.replicant.us/boards/39/topics/8007
I've searched for possibilities to use a more secure web browser, for example.
IMHO, with the following workaround you can trade a piece of freedom for some (probably more secure) features, if you don't mind my saying.
Installing non-free binary OpenGL ES BLOBs and using more open source apps
I don't want to tell you exactly how you "install" those binary files, because it's not recommended by the Replicant project. More information about it can be found here: http://code.paulk.fr/article16/missing-proprietary-firmwares-in-android-systems
- After that, you could replace the standard browser with Fennec, because that's a secure and open source web browser which is in active development. ("Fennec FDroid" is a developer build based on the latest Firefox for Android release. It's focused on removing any proprietary binaries used in the official builds).
Preview: https://www.youtube.com/watch?v=8IEM17OaCqc
F-Droid Download: https://f-droid.org/repository/browse/?fdid=org.mozilla.fennec_fdroid
Recommended (privacy) settings:
- disable: menu -> Settings -> Privacy -> Remember passwords [_]
- set: menu -> Settings -> Privacy -> Clear on exit -> (select the points you like)
Recommended (privacy) Add-ons:
- HTTPS-Everywhere (encrypts your communications with many major websites)
download: https://www.eff.org/de/https-everywhere
source code: https://github.com/EFForg/https-everywhere
- uBlock Origin (an efficient "fast and lean" blocker)
download: https://github.com/gorhill/uBlock/releases
source code: https://github.com/gorhill/uBlock
- NSA - NoScript Anywhere (a whitelist driven safe JavaScript execution)
download: https://noscript.net/nsa/
source code: https://github.com/avian2/noscript
- You could leave the Privacy Guard enabled for that app.
Info: it's possible to install the Add-ons offline by typing file:// in the URL bar and going to the place where you stored the .xpi files (like in a file manager).
- The deprecated (slow and buggy) Gallery could be replaced by:
- Gallery2 (open source)
Preview: http://forum.xda-developers.com/showthread.php?t=1965952
Download: To get the pre-compiled version of the .apk file, you could download a custom ROM of your choice (for your device), extract the flashable .zip file and find the "Gallery2.apk" inside the /system/app/{probably more subfolders} path.
- QuickPic (freeware), which should be a fast and easy to use picture viewer.
Preview: https://www.youtube.com/watch?v=H-hpZC-vD2A
APK Download: https://github.com/neithern/neithern.github.com/tree/master/assets
(I would recommend the version QuickPic_3.1.1.apk, because this has the least permission requirements).
Recommended (comfort) settings:
- disable: menu -> Settings -> General -> Include videos [_]
- You could leave the Privacy Guard enabled for those apps.
- Finally, providing these BLOBs automatically enables the Replicant integrated screenshot functionality.
Again, I don't recommend non-free apps or binaries at all.
But if you can't live without some features and want to stay on Replicant, feel free to be inspired.
So I hope that helps anyway.
Replies (3)
RE: [non-free workarounds] for Gallery, Browser, ... apps based on binary "freeware" - Added by Paul Kocialkowski over 9 years ago
I fail to understand the logic of how replacing free software with proprietary counterparts is any better for privacy/security. Every single piece of proprietary software is a fatal flaw to privacy/security.
Of course, those instructions are not endorsed by Replicant, but you're speaking here in your own name, not on behalf of the project.
However, I would suggest that this is perhaps not the right place to discuss the use of proprietary components, as it is clearly not relevant to Replicant and the values behind it. That said, I won't prevent you from doing it, provided there is nothing misleading.
RE: [non-free workarounds] for Gallery, Browser, ... apps based on binary "freeware" - Added by My Self over 9 years ago
I fail to understand the logic of how replacing free software with proprietary counterparts is any better for privacy/security. Every single piece of proprietary software is a fatal flaw to privacy/security.
Fully acknowledged on this point.
However, there are serious exploits for the vulnerable WebView in the wild, for example: https://github.com/rapid7/metasploit-framework/pull/3759/files
(With this you could provide an open Access Point, for example, and inject the exploit on every connection. From then on, you're able to take over every active session [also HTTPS sessions!] and cookies etc.)
So IMHO I had to choose the lesser of two evils, and using the critically dangerous standard browser is not an option for me anymore.
I've made this post with a heavy heart, but probably somebody else is in the same 'what should I do' situation...
Because of this, I'm not that sure about that warning message (off topic: http://redmine.replicant.us/boards/39/topics/8007).
IMHO it's generally a good idea, but the browser is not the only vulnerable app in this context.
I've seen this: http://www.replicant.us/freedom-privacy-security-issues.php#recommendations
It looks like the "browser shipped with Replicant" and "Lightning" are the only vulnerable browser targets. That's not correct, because people could take the next browser found on F-Droid (https://github.com/powerpoint45/Lucid-Browser), which uses WebView, too.
One of the main problems is that there are a lot of apps which use the vulnerable built-in WebView engine.
Only one more app example: "HN" [checked on version 1.9.10] (https://f-droid.org/repository/browse/?fdfilter=hacker+news&fdid=com.manuelmaly.hn)
UPDATE: there is an issue for that in the HN GitHub repo: https://github.com/manmal/hn-android/issues/143
The thing is that you often don't know if the app you want is using this engine in the background, so it's very hard to find that out as a standard user.
Google said to the app developers: "[...] consider providing your own renderer on Android 4.3 and earlier [...]".
Source: https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
So if you consider one of these temporary (non-free!) workarounds from above, it doesn't solve the problem that other (mostly unknown) apps are still using WebView.
IMHO, the best thing that could happen for now would be a soon release of CM11 M13 (http://forum.cyanogenmod.org/topic/104078-cm11-m13/) and a new Replicant version based on that: http://redmine.replicant.us/boards/33/topics/7665?r=8109. But in the meantime I have to figure out a good workaround or, better, a solution for that bad situation...
Of course, those instructions are not endorsed by Replicant, but you're speaking here in your own name, not on behalf of the project.
However, I would suggest that this is perhaps not the right place to discuss the use of proprietary components, as it is clearly not relevant to Replicant and the values behind it. That said, I won't prevent you from doing it, provided there is nothing misleading.
Of course, and thanks for that clarification to other people.
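As an added example (not part of this thread or of Replicant), here is a small Python check for the problem raised above: whether an APK references the platform WebView classes. It scans every classes*.dex inside the APK for the WebView type descriptors; it assumes the app does not obfuscate or hide those references behind reflection or native code, and the sample APK it builds is constructed for the demo.

```python
import io
import sys
import zipfile

# Type descriptors that land in the dex string table whenever an app
# (or a library bundled into its dex) touches the platform WebView.
# Assumption: the references are not obfuscated or hidden behind reflection.
WEBVIEW_MARKERS = (
    b"Landroid/webkit/WebView;",
    b"Landroid/webkit/WebViewClient;",
    b"Landroid/webkit/WebChromeClient;",
)


def scan_apk_bytes(apk_bytes: bytes) -> dict:
    """Map each WebView descriptor to whether any classes*.dex contains it."""
    found = {m.decode(): False for m in WEBVIEW_MARKERS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Multi-dex APKs ship classes.dex, classes2.dex, ...
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            dex = apk.read(name)
            for marker in WEBVIEW_MARKERS:
                if marker in dex:
                    found[marker.decode()] = True
    return found


def uses_webview(apk_bytes: bytes) -> bool:
    """True if any WebView class descriptor appears in the APK's dex files."""
    return any(scan_apk_bytes(apk_bytes).values())


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed sample input: a minimal zip with a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed sample/>")
        z.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python webview_check.py some_app.apk
    with open(sys.argv[1], "rb") as f:
        print(scan_apk_bytes(f.read()))
```

A negative result only means no direct reference was found; a positive result is a reason to check how the app handles untrusted web content.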
RE: [workaround] for (outdated) Gallery and/or (vulnerable) Browser apps, based on (non-free!) binaries - Added by Paul Kocialkowski over 9 years ago
It looks like the "browser shipped with Replicant" and "Lightning" are the only vulnerable browser targets.
Come-on, it clearly says "Browsers using the webview framework". That is accurate.
The thing is that you often don't know if the app you want is using this engine in the background, so it's very hard to find that out as a standard user.
I understand this is a problem, but I have no easy solution. I don't have time to bring Replicant to a new version, and such a security issue is not a sufficient motivation.