As a security researcher, I have to disagree - there's many things to criticize Google for, but "cavalier attitude to security" isn't one of them.
Their security teams are industry-leading and they have done a lot of important work over the past decade (Project Zero, a very well-done bug bounty program, Advanced Protection, FIDO/hardware security keys, large-scale fuzzing and AFL, tons of behind the scenes sandboxing work, Linux kernel hardening...). They have a fine track record keeping their users safe (...from anyone but themselves and the US government).
> Given the embedded browser is not secure
It's a standard web view, which uses the same engine and is sandboxed the same way the standalone Chrome browser is. There's a few extra APIs injected into it, but chances are that they require authentication or simply check the origin. What makes you think they didn't take this into account when triaging the report?
There's hundreds of these web views with plenty of opportunities to "escape".
> Now, Google only fixes security bugs only after they've combined into a severe remote exploit
[citation needed]
Things like Chrome entirely rely on multiple layers of protection and, like any sensible vendor, they will absolutely fix a bug in, say, the renderer process even if there's no full-chain exploit.
> In some contexts (especially as high-stakes test settings, but also some military/prison/finance/medical/legal/etc. settings) this IS a direct security risk
In a kiosk or proctoring environment, you wouldn't be able to browse Google account settings in the first place. It's a non-issue.
> Their security teams are industry-leading and they have done a lot of important work over the past decade (Project Zero, a very well-done bug bounty program, Advanced Protection, FIDO/hardware security keys, large-scale fuzzing and AFL, tons of behind the scenes sandboxing work, Linux kernel hardening...).
I have to agree. Google has O(200k) employees, and included among those, are some of the best security people in the world. Indeed, many are left over from historic Google.
However, there's a huge difference between having high-calibre employees and having those employees impact the security of the huge numbers of products Google develops. Most of those employees do fine research, but have no influence on the typical Google product.
> They have a fine track record keeping their users safe ... [citation needed]
Let me tell you a story. I use Google Workspace Free. My account was compromised, not through much fault of anyone involved (long story, involving being targeted by a criminal actor who gained physical access to a device).
I wanted to collect records, go to the police, and have the criminal arrested. Google had clear logs of what happened. I found out that security was a value-added product. I'd need to switch from my version to a paid version, and could never switch back. The cost was going to be $6/user/month for the rest of my life, times a dozen family members, times 12 months, times another 60 years of life, which is around 50 thousand dollars.
$50 grand.
To get audit logs.
You can guess what I decided.
There was no way to prevent this retrospectively, but it'd be very easy to prevent prospectively. It just wasn't worth doing for $50k. The criminal is still out there. They might be targeting your home or business!
Thanks Google!
Another good story -- impacting a significant fraction of low-income individuals in the world -- is withholding security updates for Android after a few years to keep people on the upgrade treadmill. New devices have frequent updates. Older ones have slower updates, until at some point, the updates stop. Phones get compromised, and attackers do ransomware, identity theft, and other sorts of nasty things.
Thanks Google!
Security should not be a paid value-add. Everyone deserves security.
> I wanted to collect records, go to the police, and have the criminal arrested.
That's not really how it works. The police can subpoena Google for the records, they won't trust audit logs you provide. Just file a police report if this is a real issue.
That's not how real-world police departments work, at least where I live. The police are lazy. They receive many complaints, and ignore most of them. Coming to the police with allegations and no evidence simply doesn't go anywhere.
Audit logs I provide won't be enough for criminal prosecution. They would be enough evidence to cause my local police to investigate, as well as adequate cause for a warrant to Google.
I don't think police issue subpoenas. They may be able to acquire a warrant to force google to turn over data, but would they actually do it? They would certainly require some sort of preliminary evidence or probable cause.
Of course your attorney could file an action against google (or another party) and a court could subpoena google's records to resolve it, but that's starting to sound expensive...
Their security teams are industry-leading and they have done a lot of important work over the past decade (Project Zero, a very well-done bug bounty program, Advanced Protection, FIDO/hardware security keys, large-scale fuzzing and AFL, tons of behind the scenes sandboxing work, Linux kernel hardening...). They have a fine track record keeping their users safe (...from anyone but themselves and the US government).
> Given the embedded browser is not secure
It's a standard web view, which uses the same engine and is sandboxed the same way the standalone Chrome browser is. There's a few extra APIs injected into it, but chances are that they require authentication or simply check the origin. What makes you think they didn't take this into account when triaging the report?
There's hundreds of these web views with plenty of opportunities to "escape".
> Now, Google only fixes security bugs only after they've combined into a severe remote exploit
[citation needed]
Things like Chrome entirely rely on multiple layers of protection and, like any sensible vendor, they will absolutely fix a bug in, say, the renderer process even if there's no full-chain exploit.
> In some contexts (especially as high-stakes test settings, but also some military/prison/finance/medical/legal/etc. settings) this IS a direct security risk
In a kiosk or proctoring environment, you wouldn't be able to browse Google account settings in the first place. It's a non-issue.