Project

General

Profile

[workaround] for (outdated) Gallery and/or (vulnerable) Browser apps, based on (non-free!) binaries

Added by My Self about 5 years ago

This topic could help to survive the hard time waiting for final solutions, for some points on the Replicant Tasks list: http://redmine.replicant.us/projects/replicant/wiki/Tasks
But at a price of losing a piece of freedom, (by using freeware binaries, instead of open source software).
So none of this workaround steps are unrestricted recommended!

Because you definitely should disable the standard browser (on Replicant 4.2.X): http://redmine.replicant.us/boards/39/topics/8007
I've searched for possibilities to use a more secure web browser, for example.

IMHO, with the following workaround you can change a piece of freedom into some (probably more secure) features, if you don't mind my saying.

Installing non-free binary OpenGL ES BLOBs and using more open source apps
I don't want to tell you exactly how you "install" that binary files, because it's not recommended by the Replicant project. More informations about, could be found here: http://code.paulk.fr/article16/missing-proprietary-firmwares-in-android-systems

  • The deprecated (slow and buggy) Gallery could be replaced by:
  • You could left the Privacy Guard enabled for those apps.
  • Finally, providing this BLOBS automatically enables the Replicant integrated screenshot-functionality.

Again, I don't recommend non-free apps or binaries at all.
But if you can't life without some features and want to stay on Replicant, feel free to be inspired.

So I hope that helps anyway.


Replies (3)

RE: [non-free workarounds] for Gallery, Browser, ... apps based on binary "freeware" - Added by Paul Kocialkowski about 5 years ago

I fail to understand the logic of how replacing free software with proprietary counterparts is any better for privacy/security. Every single piece of proprietary software is a fatal flaw to privacy/security.

Of course, those instructions are not endorsed by Replicant, but you're speaking here on your own name, not on behalf of the project.
However, I would suggest that this is perhaps not the right place to discuss the use of proprietary components, as it is clearly not relevant to Replicant and the values behind it. That said, I won't prevent you from doing it, provided there is nothing misleading.

RE: [non-free workarounds] for Gallery, Browser, ... apps based on binary "freeware" - Added by My Self about 5 years ago

I fail to understand the logic of how replacing free software with proprietary counterparts is any better for privacy/security. Every single piece of proprietary software is a fatal flaw to privacy/security.

Full acknowledge to this point.

However, there are serious exploits for the vulnerable WebView in the wild, for example: https://github.com/rapid7/metasploit-framework/pull/3759/files
(With this you could provide an open Access Point for example, and inject the exploit on every connection. From now, you're able to take over every active sessions [also HTTPS sessions!] and cookies etc.)

So IMHO I had to choose the lesser of two evils, and using the critically dangerous standard browser is not an option for me anymore.
I've made this post with a heavy heart, but probably somebody other is in the same 'what should I do'-question situation...

Because of this, I'm not that sure about that warning message (out of topic: http://redmine.replicant.us/boards/39/topics/8007).
IMHO it's generally a good idea, but the browser is not the only vulnerable app in this context.
I've seen this: http://www.replicant.us/freedom-privacy-security-issues.php#recommendations
It looks like that the "browser shipped with Replicant" and "Lightning" are the only vulnerable browser targets. That's not correct. Because people could take the next browser found over f-droid (https://github.com/powerpoint45/Lucid-Browser), which is using WebView, too.

One of the main problems are, that there are a lot of apps, which using the vulnerable built-in WebView engine.
Only one more app example: "HN" [checked on version 1.9.10] (https://f-droid.org/repository/browse/?fdfilter=hacker+news&fdid=com.manuelmaly.hn)
UPDATE there is an issue for that on the HN-GitHub-repo: https://github.com/manmal/hn-android/issues/143
The thing is, that you often don't know if the app you want is using this engine in the background; so it's very hard to find that out as a standard user.

Google said to the app developers: "[...] consider providing your own renderer on Android 4.3 and earlier [...]".
Source: https://plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF
So if you consider one of this temporarily (non-free!) workarounds from above, this doesn't solve the problem that other (mostly unknown) apps still using WebView.

IMHO, the best thing what could happen for now, would be a soon release of CM11 M13 (http://forum.cyanogenmod.org/topic/104078-cm11-m13/) and a new Replicant version based on that: http://redmine.replicant.us/boards/33/topics/7665?r=8109. But in the meanwhile I have to figure out a good workaround or better a solution for that bad situation...

Of course, those instructions are not endorsed by Replicant, but you're speaking here on your own name, not on behalf of the project.
However, I would suggest that this is perhaps not the right place to discuss the use of proprietary components, as it is clearly not relevant to Replicant and the values behind it. That said, I won't prevent you from doing it, provided there is nothing misleading.

Of course, and thanks for that clarification to other people.

RE: [workaround] for (outdated) Gallery and/or (vulnerable) Browser apps, based on (non-free!) binaries - Added by Paul Kocialkowski about 5 years ago

It looks like that the "browser shipped with Replicant" and "Lightning" are the only vulnerable browser targets.

Come-on, it clearly says "Browsers using the webview framework". That is accurate.

The thing is, that you often don't know if the app you want is using this engine in the background; so it's very hard to find that out as a standard user.

I understand this is a problem, but I have no easy solution. I don't have time to bring Replicant to a new version, and such a security issue is not a sufficient motivation.

    (1-3/3)