Offline GMail: Is it secure?

Gmail finally provided “offline” mode via Google Gears. So when Gears is enabled you can access your Gmail from your browser any time… even when you’re not online! Ok so that’s cool… but where does it store the data and is the data secure?

When a website attempts to interact with a Gears datastore, Gears uses the same origin policy as its underlying security model. In a nutshell, the policy permits scripts running on pages originating from the same site to access each other’s methods and properties with no specific restrictions — but prevents access to most methods and properties across pages on different sites. This means that a web page with a particular scheme, host, and port can only access resources with the same scheme, host, and port.

This means a site using Gears:

  • Database: Can only open databases created for that site’s origin.
  • LocalServer: Can only capture URLs and use manifests from the site’s origin.

The data is stored locally using a SQLite database. The downer is that your data within this database is NOT encrypted. Gears data files are protected with the user’s operating system login credentials. Users with separate login names cannot access each other’s Gears data files… but this is only enforced by the operating system.

If two users are sharing the same login to the operating system they could theoretically access each other’s Gears data files, just as they could access any other file on the machine.

UPDATE:

If you’d like to know where GMail’s datastores are located you can find them here:

Windows Vista

  • Internet Explorer: C:\Users\<user>\AppData\LocalLow\Google\Google Gears for Internet Explorer
  • Firefox: Database files are stored in the user profile directory. C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\{PROFILE}.default\Google Gears for Firefox
  • Google Chrome: Database files are stored in the user profile directory. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Plugin Data\Google Gears

Windows XP

  • Internet Explorer: C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Google Gears for Internet Explorer
  • Firefox: Database files are stored in the user profile directory. C:\Documents and Settings\<user>\Local Settings\Application Data\Mozilla\Firefox\Profiles\{PROFILE}.default\Google Gears for Firefox
  • Google Chrome: Database files are stored in the user profile directory. C:\Documents and Settings\<user>\Local Settings\Application Data\Google\Chrome\User Data\Default\Plugin Data\Google Gears

Mac OS X

  • Firefox: Database files are stored in the user profile directory. Users/<user>/Library/Caches/Firefox/Profiles/{PROFILE}.default/Google Gears for Firefox
  • Safari: ~/Library/Application Support/Google/Google Gears for Safari

Linux

  • Firefox: Database files are stored in the user home directory. <user>/.mozilla/firefox/{PROFILE}.default/Google Gears for Firefox

Microsoft Windows Mobile

  • Internet Explorer: Database files are stored in the Application Data directory. \Application Data\Google\Google Gears for Internet Explorer
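Since the only protection on these unencrypted SQLite files is the operating system's file permissions, it is worth checking what those permissions actually are. The script below is an added example, not part of Gears or of the original post: it walks a Gears data directory you pass in, recognizes plaintext SQLite files by their standard 16-byte header, and reports any whose mode bits grant access beyond the owner. It assumes POSIX permission bits, so it applies to the Mac OS X and Linux locations; the function names are made up for this example.

```python
import os
import stat
import sys

# Every unencrypted SQLite 3 database file starts with these 16 bytes.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_plain_sqlite(path):
    """True if the file begins with the standard SQLite 3 header (stored in the clear)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def audit_gears_dir(root):
    """Return (path, mode, reasons) for plaintext SQLite files exposed beyond their owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode) or not is_plain_sqlite(path):
                continue
            reasons = []
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                reasons.append("readable by group/other")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("writable by group/other")
            if st.st_uid != os.getuid():
                reasons.append("owned by a different account")
            if reasons:
                findings.append((path, stat.S_IMODE(st.st_mode), reasons))
    return findings


if __name__ == "__main__":
    # Usage: python audit_gears.py "<Gears data directory for your browser>"
    for path, mode, reasons in audit_gears_dir(sys.argv[1]):
        print(f"{path} mode={mode:o}: {', '.join(reasons)}")
```

An empty result only means the file modes are owner-only; it does not help when two people share one login, and it does not inspect the permissions of parent directories.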
