How about keeping it in the scope.
a) There won't be any default services running on the public IPs of the phone, if they are that's just insane from Nokia side of things

b) dial-in you seem to have this misperception that these things work out of the box with no setting it up and so on? They don't.

So yes I'm not worried about remote exploits in the form of services running on the phone. As it's locked down quite well.


You seem to think you can login to any user that doesn't have a password set. Having a blank password and not having one set are two very different things.

When one is not set usually there is some char: ! or x where the password should be. So no matter what you try you will fail to authenticate.

You also have this misconception that all the features of grsec/selinux/rbac/etc... will give you some magical security bullet if you run the device without a firewall or any other basic pre-existing security setups.

Security is a process not a state.

a) don't run external services - this is the easiest one to do
b) have a firewall in place that by default blocks anything unrelated coming in - not that hard to do as well
c) set a root pw - a default one doesn't make sense but generating a password based on wlan mac+imei+something else as salt for it could do well.
d) consider what most users will be doing with the device(I mean most not those like myself that will run various things like openssh and openvpn on it). They'll be uploading photos, using maps, chatting etc. And won't worry about all that security stuff.
e) all the hardened security ideas are there really if you have a firewall/router that's running linux, or running services that are exposed to the outside.
f) And in the end this should still be the users choice. If they want to run something secure they should be the one to do so.

I would have to say there's a greater possibilty of something coming in through an SMS than through IP.

If you are worried about local exploits then you have much bigger problems than a simple security issue.

It's simple: do you trust the app that you are installing. If you don't then don't install it. What's so hard about it. Yes apps should possibly be veted through some security checks and so on but that won't catch everything. But adding I don't know what extra security checks for such things doesn't make sense unless it's something of real importance.

I would consider encrypted data store, and an easy OTA backup/sync a more pressing need. That way if you need to ever restore the system you still have everything.

In my book privacy and personal control trump security each and every time.