Google Gears and Security


Google has announced its Google Gears tools for building web applications that work both online and offline.  This is a great idea and I am looking forward to exploring it further.

I was somewhat surprised to see that it has to run native code on the local machine.  This isn’t a terrible idea: it gives you many more capabilities and features.  I had been hoping for a fully browser-based JavaScript datastore with online synchronization, something that would run without any special plugins.  That approach would be more limited, because the browser would have to be back on the network before being closed if you wanted to persist any changes made while offline.  Instead they are using a local copy of SQLite along with other native code packaged as a browser plugin.

From a features standpoint, that allows you to build much more interesting applications.  Maintaining local-disk state that persists across browser sessions is very helpful.  From a security standpoint, however, this opens up a whole can of worms.  If this framework requires a user to run local code, attackers are no longer limited to breaking the browser’s existing security protections; they can also attack the local code that Google Gears relies on.  This is a huge difference, so we will see how things turn out.

However, I was encouraged to see that they have a fledgling security page that discusses design and coding issues that could affect the security of Google Gears applications.  It says a little about their security model and a little about issues like SQL injection.  This is a good start, but with such a new way of building web applications and so much new code in the framework, I suspect there will be more than a few security issues to work out, both in the framework and in the applications built on top of it.
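Since the local SQLite store is where SQL injection would show up in a Gears application, here is an added example (not code from Google or from the Gears security page) contrasting the two ways application code can build a query. The `execute(sql, args)` shape mirrors the Gears database object's documented call, but the `makeMockDb` object below is an assumed stand-in that only records statements, so the comparison runs offline without the plugin. The `skeleton` helper blanks out string literals so you can see whether untrusted input changed the structure of the statement or stayed inside a value.

```javascript
// Added example: comparing concatenated and parameterized queries against a
// Gears-style local database. The mock below is an assumption made for this
// example; it records what the real plugin would have been asked to run.
function makeMockDb() {
  const log = [];
  return {
    // Same shape as Gears' execute(sqlText, argsArray): '?' placeholders are
    // filled from the args array by the database, never by string splicing.
    execute(sql, args = []) {
      const entry = { sql, args };
      log.push(entry);
      return entry;
    },
    log,
  };
}

// Vulnerable style: the untrusted tag becomes part of the statement text.
function findNotesByTagUnsafe(db, tag) {
  return db.execute("SELECT body FROM notes WHERE tag = '" + tag + "'");
}

// Hardened style: the statement text is fixed; the tag travels as a bound value.
function findNotesByTagSafe(db, tag) {
  return db.execute("SELECT body FROM notes WHERE tag = ?", [tag]);
}

// Replace every single-quoted SQL string literal (handling the '' escape) with
// a '?' so only the structure of the statement remains.
function skeleton(sql) {
  let out = "";
  let i = 0;
  while (i < sql.length) {
    if (sql[i] === "'") {
      i++; // skip opening quote
      while (i < sql.length) {
        if (sql[i] === "'") {
          if (sql[i + 1] === "'") { i += 2; continue; } // doubled quote = escaped
          break; // closing quote
        }
        i++;
      }
      i++; // skip closing quote (harmless if the literal was unterminated)
      out += "?";
    } else {
      out += sql[i];
      i++;
    }
  }
  return out;
}

// True when the statement the database received still has the structure the
// developer wrote, i.e. the input did not add clauses to it.
function statementIntact(expectedSql, executed) {
  return skeleton(executed.sql) === skeleton(expectedSql);
}

// Stand-alone demo with a constructed input that carries a quote character.
if (typeof require !== "undefined" && require.main === module) {
  const db = makeMockDb();
  const input = "' OR 'a'='a"; // constructed sample, not from the post
  const expected = "SELECT body FROM notes WHERE tag = ?";
  console.log("unsafe intact:", statementIntact(expected, findNotesByTagUnsafe(db, input)));
  console.log("safe intact:  ", statementIntact(expected, findNotesByTagSafe(db, input)));
  console.log(db.log);
}
```

The recorded log makes the difference concrete: in the concatenated version the statement itself grew an extra `OR` clause, while in the parameterized version the statement text is identical to what the developer wrote and the odd-looking input sits harmlessly in `args`. The same check applies to any other string the application pulls from the page or from the network before writing it into the local store.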

Fun stuff!


About Dan Cornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman of the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan speaks at international conferences such as RSA, ROOTs in Norway and OWASP AppSec EU.
