Google Gears and Security


Google has announced their Google Gears tools for making online/offline web applications.  This is a great idea and I am looking forward to looking into it further.

I was kind of surprised to see that it has to run native code on the local machine.  This isn’t a terrible idea – it gives you a lot more capabilities and features.  I had been hoping for a fully browser-based JavaScript datastore with online synchronization capabilities.  Something that would run without any special plugins.  This would be more limited because the browser would have to be back on the network before being closed if you wanted to persist any of the changes that had been made when offline.  Instead they are using a local copy of SQLite along with some other native code/browser plugin stuff.

From a features standpoint that allows you to make much more interesting applications.  Maintaining local-disk state that lives across browser lifetimes is super-helpful.  From a security standpoint, however, this opens up a whole can of worms.  If this framework is going to require a user to run local code attackers are not just limited to breaking current browser security protections.  They can also attack the local code that Google Gears will rely on.  This is a huge difference so we will see how things turn out.

However I was encouraged to see that they have a fledgling security page that talks about design and coding issues that could affect Google Gears applications’ security.  They have a little bit of talk about their security model and a little bit of talk about things like SQL injection.  This is a good start but with such a new mentality for building web applications and so much new code in the frameworks I suspect that there will be more than a few security issues to work out – both in the framework and in the application built on top of it.

Fun stuff!

dan _at_

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Leave a reply