Reporting Android Security Issue

I recently had a chance to report a security issue to the Android Security Team and it was a pathetic experience. They didn’t know how permissions are presented in Play Store, couldn’t decide if it’s a feature or a bug and then changed their mind regarding issue severity for no apparent reason.

They must be bombarded with tons of irrelevant issues so I took my time to describe the problem in detail. My report provided the context, exact steps to reproduce with code samples and a proposed patch.

Soon after posting the report I received an automated confirmation, and the next day they responded. They were faster than I expected based on my previous experience.

They politely thanked me and claimed that it’s not an issue:

In order for an app to be able to draw overlay windows on top of other apps, it needs to declare the android.permission.SYSTEM_ALERT_WINDOW permission, which is classified as “dangerous”. Therefore, a user would have known that this app is able to draw on top of other apps.

I couldn’t believe it!

Is it possible that the person working on the Android Security Team hasn’t noticed that over a year ago Google Play changed the way in which permissions are presented to the user? As a result, the “Draw over other apps” permission is no longer visible.

Even if this information was displayed to the user, do they expect an “ordinary user” to deduce that an app may be modifying the contents of the permission dialog?

They also added:

On one hand, we do worry about phishing, and we are always taking steps to prevent and detect this form of abuse. On the other hand, Android is built around the very idea of openness and flexibility, which makes it impossible to fully eliminate the risk.

I’m all for openness and flexibility and I agree that it’s impossible to fully eliminate the risk. Nevertheless, the fact that you can’t fully eliminate the risk doesn’t mean you should give up fixing the obvious issues. Are you leaving your doors wide open just because no lock is 100% pick-proof? This attack is quite easy to carry out and the fix is relatively simple, so I see no reason not to implement it.

When I pointed out that the “Draw over other apps” permission is no longer visible during installation and asked for confirmation that it’s not an issue, they changed their mind. The issue got classified as a Moderate severity vulnerability. They also added:

We ask that you keep this report confidential to give us time to develop a fix and notify our partners of the vulnerability. We’ll let you know if we have any questions/updates on this.

Note that my original report contained a patch (LINK TO POST) so “developing a fix” should be just a matter of reviewing and distributing this patch. If they found the patch incomplete they could contact me and I’d be happy to modify it (I wouldn’t mind a Patch Reward). Apparently no one even looked into this issue. After a month of silence I asked for an update and here is what I got:

This bug has been reclassified to a low severity. Our engineers are working on a solution to this. However, low severity bugs will not be backported to older versions of Android.

To wrap up, Google Security Team has been presented with all relevant information in my initial report. They first claimed it’s not a bug, then classified it as Moderate severity and a month later reclassified it as Low. This doesn’t make any sense.

I understand that the Android Team must be overwhelmed by the number of Lollipop issues. Getting their priorities right and engaging the developer community could surely help them get out of the woods.
