nic-delhi / AarogyaSetu_Android

Aarogya Setu Android app native code
https://www.aarogyasetu.gov.in/

Wishlist: CVE-2020-0022 warning before collecting Bluetooth permission #19

Open anivar opened 4 years ago

anivar commented 4 years ago

CVE-2020-0022 affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0) and can allow remote code execution over Bluetooth, with no additional execution privileges needed and without any user interaction. More here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0022

Considering that a large number of these devices in India may not have received the Feb 2020 security update, it is better to give a warning pointing out the risks before switching on Bluetooth 24/7.

siddhpant commented 4 years ago

This will lead to unnecessary hysteria, and hence interfere with the core functionality of the app IMO.

FarmaanElahi commented 4 years ago

This is not needed. There can be many such vulnerabilities in the OS. It doesn't make sense to notify the user about everything. Also, it would be very difficult to explain this terminology to a layman.

damooo commented 4 years ago

@anivar here is a list of thousands of known CVEs in Android as a platform.

Should we list them one by one on the start screen to every ordinary user, and ask for confirmation too?

FOSS activism doesn't mean jingoism and hysteria. It should consider practicality, value developers, and should not encumber ordinary people.

makapao commented 4 years ago

@anivar Agreed, given how the app expects a user to have Bluetooth turned on all day long, a user should definitely be informed about the security risks of doing so on a vulnerable device.

siddhpant commented 4 years ago

Agreed with @damooo.

anivar commented 4 years ago

Should we list them one by one on the start screen to every ordinary user, and ask for confirmation too?

The issue is specific to CVE-2020-0022, which has a very high rationale in this context, considering current market and device penetration combined with the absence of updates. And the warning is relevant because Bluetooth access is 24/7.

Digital Economy is a key driver in many GoI policies, including data protection. A govt app requesting this permission puts users at risk, since many of these phones are used for payment apps as well. The permission collection ideally needs a warning notice about the potential risk on the specified versions alone. Mentioning this in the best interest of users.
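The check that the original post and the reply above both describe (warn only on the affected Android versions, and only when the device is missing the Feb 2020 update) can be expressed as a small version gate. The following is an added example written for this thread, not code from the AarogyaSetu project. It assumes the fix ships with security patch level 2020-02-01 (the issue only says "Feb 2020 security update"), reads the device state from `android.os.Build.VERSION.SDK_INT` and `android.os.Build.VERSION.SECURITY_PATCH` (both real SDK fields; the patch field exists from API 23, below the affected range), and uses hypothetical names (`BluetoothRiskCheck`, `assess`, `warningFor`). The decision logic is kept free of Android imports so it runs and can be unit-tested on a plain JVM with the constructed sample devices in `main`.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Version gate for CVE-2020-0022 (Bluetooth stack, Android 8.0 / 8.1 / 9.0).
 * Pure Java: in the app, call assess(Build.VERSION.SDK_INT, Build.VERSION.SECURITY_PATCH)
 * immediately before requesting the Bluetooth permission and show warningFor(...)
 * only when it returns non-null.
 */
public final class BluetoothRiskCheck {

    // API levels of the affected releases: 26 = Oreo 8.0 (O), 27 = Oreo 8.1 (O_MR1), 28 = Pie 9.0 (P).
    private static final int FIRST_AFFECTED_SDK = 26;
    private static final int LAST_AFFECTED_SDK = 28;

    // Assumed patch level carrying the fix, derived from the issue's "Feb 2020 security update".
    // Build.VERSION.SECURITY_PATCH is "YYYY-MM-DD", so a plain string compare is chronological.
    static final String FIXED_PATCH_LEVEL = "2020-02-01";

    public enum Risk { NOT_AFFECTED, PATCHED, VULNERABLE, UNKNOWN }

    private BluetoothRiskCheck() {}

    /** Classifies a device by platform version and declared security patch level. */
    public static Risk assess(int sdkInt, String securityPatch) {
        if (sdkInt < FIRST_AFFECTED_SDK || sdkInt > LAST_AFFECTED_SDK) {
            return Risk.NOT_AFFECTED;           // 7.x and older, 10 and newer are out of scope
        }
        if (securityPatch == null || !securityPatch.matches("\\d{4}-\\d{2}-\\d{2}")) {
            return Risk.UNKNOWN;                // OEM build without a parseable patch date
        }
        return securityPatch.compareTo(FIXED_PATCH_LEVEL) >= 0 ? Risk.PATCHED : Risk.VULNERABLE;
    }

    /** Warning text for the permission screen; null means no warning is needed. */
    public static String warningFor(Risk risk) {
        switch (risk) {
            case VULNERABLE:
                return "Your phone has not received the February 2020 Android security update. "
                     + "Keeping Bluetooth switched on continuously carries a known risk (CVE-2020-0022). "
                     + "Please install the latest system update from your phone's settings.";
            case UNKNOWN:
                return "We could not confirm whether your phone has the February 2020 Android security update. "
                     + "Please check for system updates before keeping Bluetooth on continuously.";
            default:
                return null;                    // patched or not affected: request permission as usual
        }
    }

    public static void main(String[] args) {
        // Constructed sample devices, not real telemetry.
        List<Object[]> samples = Arrays.asList(
            new Object[]{"Android 7.1, old patch",  25, "2019-01-01"},
            new Object[]{"Android 8.1, Jan 2020",   27, "2020-01-05"},
            new Object[]{"Android 9,   Feb 2020",   28, "2020-02-01"},
            new Object[]{"Android 9,   no patch",   28, null},
            new Object[]{"Android 10,  Jan 2020",   29, "2020-01-05"}
        );
        for (Object[] s : samples) {
            Risk risk = assess((Integer) s[1], (String) s[2]);
            String warning = warningFor(risk);
            System.out.println(s[0] + " -> " + risk + (warning == null ? "" : " | " + warning));
        }
    }
}
```

Treating an unparseable patch level as UNKNOWN rather than PATCHED keeps the warning on the safe side for OEM builds that report nothing useful, while the SDK range check means users on unaffected releases never see it, which addresses the "hysteria" concern raised earlier in the thread.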