Google Gears by neophyteblogger


Google Gears and Security Concerns

Google Gears is a browser extension that lets you use your web applications offline. It consists of three parts: a local server, a database and a worker thread.

1) Local server - keeps your HTML, JavaScript, images and CSS files in a local cache so that the browser does not need to go online to retrieve them.
2) Database - a SQLite database that stores your data: the document name, text, revision number and timestamps.
3) Worker thread - does the background processing of the data you enter into your offline application, syncs data with the server, etc.

Google Gears supports multiple browsers such as IE and Firefox, and Gears has recently added support for the Windows Mobile platform, so even your mobile can have access to offline applications.

Google Gears stores data on the local machine, but the location of the datastore varies by operating system and browser. Here's a list of where the data is stored on different platforms.

Windows Vista - Internet Explorer
Location: {FOLDERID_LocalAppDataLow}\Google\Google Gears for Internet Explorer
Example: C:\Users\Bob\AppData\LocalLow\Google\Google Gears for Internet Explorer

Windows Vista - Firefox - Files are stored in the user local profile directory.
Location: C:\Users\<username>\AppData\Local\Mozilla\Firefox\Profiles\{profile}.default\Google Gears for Firefox
Example: C:\Users\Bob\AppData\Local\Mozilla\Firefox\Profiles\uelib44s.default\Google Gears for Firefox

Windows XP - Internet Explorer - Files are stored in the user local profile directory.
Location: C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Google Gears for Internet Explorer
Example: C:\Documents and Settings\Bob\Local Settings\Application Data\Google\Google Gears for Internet Explorer

Windows XP - Firefox - Files are stored in the user local profile directory.
Location: C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox\Profiles\{profile}\Google Gears for Firefox
Example: C:\Documents and Settings\Bob\Local Settings\Application Data\Mozilla\Firefox\Profiles\uelib44s.default\Google Gears for Firefox

Mac OS/X - Firefox - Files are stored in the user local profile directory.
Location: Users/<username>/Library/Caches/Firefox/Profiles/{profile}.default/Google Gears for Firefox
Example: Users/Bob/Library/Caches/Firefox/Profiles/08ywpi3q.default/Google Gears for Firefox

Linux - Firefox - Files are stored in the user home directory.
Location: ~bob/.mozilla/firefox/<firefox's profile id>/Google Gears for Firefox
Example: ~bob/.mozilla/firefox/08ywpi3q.default/Google Gears for Firefox

Google Gears Datafiles

In the location where Gears stores its data, you can find files such as localserver.db and permissions.db, along with folders named after the websites that you have used for offline applications.

1) localserver.db - This is a SQLite database that tracks all the files stored by all the domains, in our case and

2) permissions.db - All sites that can use Gears are stored here, and access control is implemented from here.

Every site has its own folder to store its data and files in, something like this.

Localserver For eq.[8]#localserver

The SQLite database that stores all the reference data, text, revision number, etc. is stored in this database.

Sqlite For eq.

Accessing the Gears Database

You can use any SQLite administration tool to do this, but I am using SQLite Manager for Firefox, an excellent add-on that has lots of features and, above all, is free. Just make sure that when you locate the database files in your Firefox profile you choose "All Files" instead of ".sqlite" files, which is the default file extension SQLite Manager searches for. With SQLite Manager you can view the tables, query the data and a lot more; you can see how the data is stored in the database.

Security of your data in Gears

Gears is very much open: it depends completely on your operating system's security rather than on an authentication scheme of its own. It authenticates using a website URL, and data is stored locally without encryption. Let's look at some security concerns relating to your Gears database.

1) DNS spoofing or /etc/hosts file
Once the machine accesses a website that has the same name as one already present in the Gears database, and the user clicks go online, it will start to sync with the online server. Just a little piece of code can be used to capture all the data, and the user's personal and official documents can be compromised.

2) SQL Injection
Even Google has pointed out in its documentation that SQL injection attacks are very much possible, and that developers should use APIs to access the data rather than directly querying the database.

3) Cross site scripting
There is not much detail about it at this time, but XSS attacks are very much possible, and Google is even trying to implement access for other websites to the same database, so of course the threat is increasing. XSS attacks are about more than just stealing cookies.

4) Security of Data files
Gears relies heavily on operating system security, which means that if an attacker gets hold of your .db files he has all the data he needs about you, and your files are compromised. The attacker does not need to gain root access to your operating system; even a bug in the browser can let an attacker successfully grab your .db files. If a malicious attacker exploits the trust between the databases and contaminates the database files, he can erase all your data, and if your web application does not keep revision files online you are surely in a mess. Even if you have a revision copy, if the attacker contaminates more than 100 files you will surely need to spend a lot of time reverting to earlier versions.

5) Memory usage
Gears surely makes your browser heavy the moment it starts to sync data, and as the adoption of Gears increases a malicious attacker can create a DoS on your system. Bringing down the whole system is a stretch, but an attacker can surely freeze your browser and keep you from working, or fill up your hard drive with useless junk data in the database files by creating a simple loop and passing it to the worker thread, so that the junk data is generated locally and does not need to be downloaded from the internet.

6) Encryption
Gears stores all the data in plain text and does not encrypt anything in the database or local server, so all your data can be compromised if a user grabs a copy of your .db files.

7) Good news for Forensics Investigators
The adoption of Gears, or in fact of online/offline applications, is good news because forensics investigators don't have to mess with password-protected office files or deal with encryption. Forensics investigators will even have revision copies of the documents, because it is all there in the database file and everything is logged with timestamps, so you can even track and reconstruct a case of when the file was copied, edited, etc.

8) Gears Applications
At this point in time the major Gears applications are Google Reader and Zoho Writer, but Google Calendar, Gmail and Google Docs are rumored to be available soon, so there will be a lot more unencrypted data on the hard drive to help crime fighters and forensics investigators.

9) New Attack avenues
Google Gears uses the UFBP (Universal Firewall Bypass Protocol), called HTTP. Lots of new attacks are coming up every day, and because of Google Apps the usage is going to grow. HTTP is always allowed in companies, and monitoring it is also a bigger challenge.

10) Malware
Once an attacker has access to the database, he can use JavaScript malware that loads every time, causes virus infections and delivers malware. We recently saw how client-side JavaScript can be used to scan networks, and in the near future Gears can be used to deliver malware.

11) Worker Process Abuse
The worker process is supposed to sync data and do normal processing, but what if an attacker finds a way to abuse it to scan machines on your intranet or create a DoS condition?

12) Password Protection
You cannot password-protect your files when they are offline, as you can in Microsoft Office.

13) Implications on the server
I have not figured out much on this topic, but Gears can also be used to put more stress on the server. Of course a single Gears installation cannot do much to the cloud servers, but a massive attack consisting of hundreds of users sending junk data to the server can have a nasty outcome.

Final note :: Google Gears is still in beta and there are a lot more improvements to make, not just in functionality but in security, as Google is promoting its Apps to business users: features like encryption, granular access control and password protection.
Do send me your feedback at anish @ TechFactor
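
Added example (not part of the original post): a read-only triage of a Gears-style .db file that checks the three things the data-file, encryption and forensics points above turn on: whether the file is unencrypted SQLite, whether other local users can read it, and which tables it exposes. The "documents" table and its rows are constructed sample data, not the real Gears schema, and the function names are this example's own.

```python
import os
import sqlite3
import stat
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every unencrypted SQLite 3 file

def raw_contains(path, text):
    """True if `text` appears verbatim in the file's raw bytes (no SQLite needed)."""
    return text.encode("utf-8") in Path(path).read_bytes()

def triage_db(path):
    """Inspect a .db file read-only: plaintext? readable by other users? what tables?"""
    with open(path, "rb") as fh:
        plaintext = fh.read(16) == SQLITE_MAGIC
    mode = os.stat(path).st_mode  # POSIX permission bits; not meaningful on Windows
    report = {
        "plaintext_sqlite": plaintext,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "tables": {},
    }
    if not plaintext:
        return report  # encrypted or not SQLite: nothing to enumerate
    # mode=ro keeps the inspection from modifying the file under examination
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'  # identifier quoting
            report["tables"][name] = con.execute(
                f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
    finally:
        con.close()
    return report

def build_sample_db(directory):
    """Constructed sample with a hypothetical 'documents' table (not the Gears schema)."""
    path = os.path.join(directory, "sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE documents (name TEXT, body TEXT, revision INTEGER, ts INTEGER)")
    con.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", [
        ("budget.doc", "Q3 draft", 1, 1200000000),
        ("budget.doc", "Q3 final", 2, 1200003600)])
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # constructed: a group/world-readable file
    return path
```

Run triage_db against a copy of localserver.db or permissions.db taken from one of the locations listed above; a report with plaintext_sqlite and readable_by_others both true means any local account can read the stored documents without going through the browser.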
