lihaosky / google-cast-sdk

Automatically exported from code.google.com/p/google-cast-sdk

Security for remote shell debugging #320

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Remote shell debugging for applications should only be accessible on authorized 
Chromecast devices which are associated with the same Google account as the 
application itself at the Developer Console.

At the moment every registered developer can debug every other application on 
every Chromecast device which the developer has authorized at the Developer 
Console. For applications that need user authentication, API keys, etc., this 
is not really safe, regardless of how these things are protected. We don't use 
any hardcoded keys in our code, but we have to submit all needed keys and 
credentials at the receiver initialization or after that. We can obfuscate our 
code to make it harder for another developer/attacker to get these keys via the 
remote shell debugger, but this does not make it impossible.

The possibility to enable/disable remote debugging of an application by the 
developer would be nice or the possibility to bind debugging on selected 
Chromecast devices from the application owner.

Original issue reported on code.google.com by sebastia...@gmail.com on 8 Jul 2014 at 11:28

GoogleCodeExporter commented 9 years ago
According to our engineers, the currently implemented behavior restricts access 
to remote debugging to each developer's own apps. Please refer to the 
documentation.

https://developer.chrome.com/devtools/docs/debugger-protocol
https://developers.google.com/cast/docs/custom_receiver#debugging

Original comment by jonathan...@google.com on 7 Nov 2014 at 9:38

GoogleCodeExporter commented 9 years ago
This seems to be added later to the firmware after I reported it. With firmware 
version 22062 debugging of "foreign" apps does not work any more indeed. With 
version 17250 this was possible.

Original comment by sebastia...@gmail.com on 10 Nov 2014 at 1:56