Re: Sailfish on Turing Phones?
 

No need to be right or wrong here, since all info is inconclusive :D

one day it's android, next day sailfish. then its google play and next day its not, One day its promised to be shipped next day its not... ;)

Re: Sailfish on Turing Phones?
 

What I don't get:

Turingphone is advertising a "secure" phone.

But Sailfish OS as of today is nothing secure at all: the disk is not encrypted and screenlocking is only half baked. Anyone can just connect via USB and read all data in cleatext.

Re: Sailfish on Turing Phones?
 

… yet there's no known malware, and afaik Sailfish is quite up-to-date with security patches for CVE's. Unlike most Androids.

Also, who knows what they have coming? Things like full device encryption don't seem to be too hard using the default Linux tooling (which does beg the question why it still isn't in our devices). And Jolla was touting extra security features from the SSH-guys. Perhaps they sold that to Turing? Indeed it remains to be seen what of that is going back upstream.

Re: Sailfish on Turing Phones?
 

Security via obscurity?

Any device that you can get your hands on is susceptible to exploits. The lock screens, et al... those are nice. But if I have access to a device, I'd not say that it's entirely safe by no stretch of the imagination.

Besides... where's the user rights exploits? The trojans? The browser exploits? iOS and Android have plenty of those. None so far for Sailfish.

I'd still not say it's "secure" but there's no USB connector on the Turing phone - well, there's the proprietary connector. But you're right about the lack of encryption.

Edit: Crap, didn't see the above post.

Re: Sailfish on Turing Phones?
 

That's a fairly tall order, how are you going to do that?

I assume you are talking about the case that user has set up the USB port in "automatic filesystem export" mode. And even in that case I think you cannot access anything if the device is locked, right?
(at least SSH via USB cannot connect to device when it is locked... I am not sure about the disk export because I don't use that.)

If you have bootlock in the device there's not possibility for Evil Maid attack either.

Just about the only way to get at some data is to remove the SD card, and if you do not have that encrypted.... well that's your problem then. :D

And BTW, this is all beside the point anyway; The rumoured "Turing Phone" if it ever exists is without USB and without SD card so those attack vectors are out-of-scope....

Re: Sailfish on Turing Phones?
 

Could be performance reasons or just plain lack of time. But indeed using LUKS for the encryption should be quite simple.

I kinda remember that the Jolla Tablet was supposed to have that, but who knows if it was actually implemented in the end.

Re: Sailfish on Turing Phones?
 

CVE patches are released only on updates and not as a patches.
If Android is more popular and thus has more malware doesn't mean Sailfish is more secure. Sailfish can run Android apps and as there is no official Google store and people are getting apk from internet shady sites - same chances to get malware as on Android.
There are vulrnabilities and malware on Linux today and thus on Sailfish.
It's not less secure than android but is not more secure as well (especially with no per app permissions support).
But yes "Android is baaaaaad!!! boooooo!!! Sailfish is more linux and this means be default is better"

Re: Sailfish on Turing Phones?
 

Regarding security; all security measures are only as strong as the weakest link in the system and we DO know fairly certainly that for all systems designed to be operated by humans it is always the human part.

Any security measures that are built into devices will be subverted by the users if they require to do that in order to adapt the said devices to their use patterns.

Hence I believe it is out-of-scope to try to compare which systems or devices are "by themselves" more secure; it would be more appropriate to compare which systems could be easily used as secure environment, given a hypotethical user-who-understands-security-concerns...

Re: Sailfish on Turing Phones?
 

If I have device encryption an the device is locked normally noone should be able to access mmy data.
Sailfish doesn't even have this possibility. That's a shame.

Re: Sailfish on Turing Phones?
 

Just out from interest, if you have device locked how is someone going to access your data?

The most effective way that I know is to open the device and directly access the memory chip. Mind you, it might well be popchip when you canot even get at the die witout etching open the package...
What else, maybe interface to internal serial IO or JTAG? or maybe FBUS? Do you know how to do that?