Hole? Feature?

Davanum Srinivas

Nov 25, 2007, 1:56:59 PM
to Android Internals

FYI, http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any-application-can-access-your-google-credentials/

In one case the password is plain text; in another case it seems to be
base64 encoded.

thanks,
-- dims

gaz

Nov 25, 2007, 6:55:35 PM
to Android Internals

Guys, do you realise that this is pre-alpha material, yes?
This is, IMO, a very rushed release done more for marketing reasons
than for technical ones.
Besides the lack of documentation (*many* functions do not have any at
all), and the general breakage of many APIs, what struck me most is
the lack of a bug collector system.
How do you think you gather meaningful bug information from the
developers/users, if you don't have a publicly visible tracking
system?
I'd have certainly created a public bugzilla before releasing it, and
I'd have also opened the source code soon, so that other developers
could have helped fix bugs (and gained valuable experience on the
platform as well).



On Nov 25, 10:56 am, Davanum Srinivas <dava...@gmail.com> wrote:
> FYI, http://davanum.wordpress.com/2007/11/25/bugholefeature-of-android-any...

Dan Morrill

Nov 26, 2007, 12:23:08 AM
to android-...@googlegroups.com

Hi, dims! Thanks for pointing this out.

Currently the only application using this information is (I believe) the XMPP service. The current SDK early-look does not include all the components that it eventually will, and one of the pieces missing from the current version is centralized handling of user credentials.

In other words, while this is definitely a security concern, it will be addressed in a future SDK release. The goal of the current SDK is to give developers early access to the application APIs; for developers concerned about this issue, we suggest creating test accounts.

I'll double-check and make sure that the folks in charge of this piece of the system are aware of this problem. Thanks again for pointing it out.

- Dan