Android News

Android widget support poses security risk

March 16, 2009 | by Andrew Kameka

Android OS, Google Android

Android widget support poses security risk

While recording video profiles for Android home screen replacements, I made a comment that “It’s good to finally see some widgets on Android, something I thought should have been there from day one.”

Well, widgets may have been slow to emerge because of an apparent security risk, according to comments a Google Android engineer made to the developers of Open Home.

Better Android has posted a letter it received from a Google engineer that warns of potential security flaws that can be exploited by widgets in Open Home. According to the letter, part of which has been added at the end of this post, Android’s home screen runs with permissions that include access to contacts and the ability find shortcuts to apps. This opens two potential security holes:

  1. A developer with malicious intentions could create a widget that grabs user’s contacts and sends the information to a third party.
  2. A widget could reroute shortcuts to a fake program that steals username and password info.

The Google Android developer states that widget support was not included in Android 1.0 specifically for this reason, keeping the feature closed until a proper way to protect user data could be found. He cautions Better Android to disable widget support in Open Home until the company can ensure that widget support will not compromise user security.

Better Android says that Open Home is built on the Cupcake development branch, which recently got secure widget support, and can be converted to a secure design/code environment. It plans to eventually bring more widget support to Open Home.

It’s important to note that there is NOT any known case of user data being exploited by Open Home or any other Home alternative app. It appears this was just a precautionary measure taken to avoid such a scenario. Be mindful of which 3rd party widgets you install on Open Home, aHome, and dxTop until more information is known.

— Excerpt of letter sent to Better Android —-

My name is _____, I am an engineer on the Android Team and I worked on the default Home screen. I recently came across your Home replacement called Open Home. First of all, let me congratulate you for it, it has some very nice ideas and it’s good to finally see a viable 3rd party replacement for our Home screen. However, I would like to warn you about two very serious security holes in your application, both related to the way you implemented widgets.
(some texts removed….) * by Better Android

Home runs with quite a few permissions, most notably the ability to read contacts. With your implementation of widgets, any application can offer a new widget that, once installed by the user, will silently use Home’s permissions to achieve whatever it needs. For instance, a widget could be easily modified to read all the contacts and upload them silently to a website. At no point the user will know that the widgets will make use of the “read contacts” permission.

The second security hole is the ability you give the widgets to spoof any other app. A widget could for instance find shortcuts on the Home screen and change their Intent or attach a different click listener to execute something entirely different. This way, a widget could for instance execute a fake Email app and grab the user’s password and emails. A widget could do much more too since they have access to all the information stored in the Home screen UI. These two very important issues are the reason why widgets were not implemented in Android 1.0. We need to implement them correctly to guarantee the privacy and safety or the user’s data.

As your application currently stand, I would strongly advise you to disable the widgets support until you come up with a secure implementation of widgets. You have customers who paid for your applications and it would be really bad both for them, you and Android if a malicious widgets started taking advantage of these security holes
(rest of the email text removed….) * by Better Android