Android apps can do remote code execution at any time. GrapheneOS even offers controls to restrict Dynamic Code Loading per app. But Google somehow cares only about RCE in browser extensions?
Note: I am the author of this article.
Apples and oranges. Android is supposed to isolate apps from each other (yes, in theory). So a malicious app should only be able to steal data the user provides it with.
On the other hand, a single malicious extension will compromise the entire browser. Nothing you do on any website is any longer safe.
Not that I don’t think that Google should pay more attention to the apps in the Play Store. But allowing extensions to hide their functionality with remote code is plain negligent.
On one hand, yes, those are malicious extensions. On the other, Google policy states any code not originating from a Google server is remote code, even code on my own hard drive. It's my computer and I should have ultimate choice. No amount of headers sent by the server should be able to override my User Agent behavior against my will.
It's hard to easily reconcile those two points of view, but a solution other than Google having the final say has to be found. If I wanted a nanny I would be using Apple products.
I use Firefox extensions like uBlock Origin with Safari on my iPhone. (Using Orion by Kagi.)
I get that extensions are scary & dangerous, but it's absurd to me that dynamic code is now verboten.
Your header issue doesn't totally click with me, because it seems like a separate issue. I agree you should have the say over your user agent! But an extension executing remote code doesn't seem to be a factor.
Remote code means that we can't create extensions with pluggable modularity. We can't build a Yahoo Pipes-like thing in the browser. We can't have a repo of cool features that users load into their extensions. Everything has to be made in advance.
So much of the awesomeness of the web is that it's live systems, live code, not dead systems, dead code. It's a flexible system. Demanding that extensions have only fixed-function dead code eliminates so many possibilities, makes the extension so many million degrees less capable and powerful than the web they are supposed to bestow agency into. (Forgetting the other influences, but the alive vs. dead systems point showed up 2 years ago in Stop Writing Dead Programs, https://jackrusher.com/strange-loop-2022/ https://news.ycombinator.com/item?id=33270235 )
It's absolutely fucking rip-roaringly bullshit that remote and dynamic code is prohibited in extensions. I'm fine with it as a default, as requiring some special setting or mode to be flipped, warnings to be clicked through. But it's just such a horrible thing to maim user agency so blanketly, to demand agency be channeled through dead code.
The header issue is essential for things like Greasemonkey/Tampermonkey. Can't run your own scripts without overriding CSP headers.