The only real issue that I see is users have a much better collective knowledge about what installing an application provides vs. what granting access to a USB device provides. It's missing a nice 1 sentence + bullet point explanation of what granting access is going to provide.
Conversation
I meant the other way around here: websites could trivially abuse any FX2 they have WebUSB access for to reprogram it into HID. it's simple enough for script kiddies (do people still even use that term)
3
5
so I would have perhaps liked to expose Glasgow via WebUSB but I cannot in good faith advertise that because of how trivial it is to abuse
2
5
I will say this is a general problem of trust. Most people already implicitly trust the version of adb or openocd without verifying the code, yet each of those programs could do similar things.
I will agree that it easy harder to verify the code that gets run via the web.
1
1
this problem isn't theoretical--I believe that there have been instances of "user-friendly" fastboot with a malicious implant caught in the wild already
2
1
(I don't remember the details but I think that was opportunism, and of course a security/privacy focused project like GrapheneOS would attract people who are more intentional..)
1
We've been getting very concerned about all the unofficial guides for installing GrapheneOS, particularly since a lot of them have been recommending that people use sketchy third party fastboot releases and Windows drivers (even though Windows Update provides the driver for you).
1
4
For some reason, Windows often automatically has a working driver, but some people need to go into Windows Update and manually install an optional update providing the fastboot driver. It doesn't help that Windows ends up considering it some arbitrary smartphone brand driver.
2
4
Microsoft should fix this, but they'd get sued by a niche industry of driver vendors who make their livings rebranding the same driver code for a standard USB protocol to each vendor and product ID and uploading the result to Windows Update repo... 😖
1
2
It's a form of Windows tax for hardware vendors that's paid indirectly to MS through these vendors who take a big cut. 😣
1
Ideally Google and Microsoft would fix it so that this is the latest version of the Android fastboot driver and actually gets called that instead of "Lemobile fastboot driver" or whatever it feels like arbitrarily deciding to call the driver it's providing. It does work though.
macOS and Linux don't need any special driver. Linux distributions need additional udev rules to permit local users to access it as non-root which is really annoying. The android-tools package in Arch provides those. Debian/Ubuntu have an ancient version but it works for Pixels.
3