Active Topics
-
Firefox with Leste (10)
to Maemo 7 / Leste by teroyk - 2 days, 16 hrs ago - more...
 |
|
2016-08-09
, 07:40
|
|
Posts: 7,074 |
Thanked: 9,069 times |
Joined on Oct 2009
@ Moon! It's not the East or the West side... it's the Dark Side
|
#12
|
Originally Posted by coderus
No, tanks I pass. But it would be nice if they updated drivers.
100USD for Jolla exploit. Anyone?
__________________
Do something for the climate today! Anything!
I don't trust poeple without a Nokia n900...
Do something for the climate today! Anything!
I don't trust poeple without a Nokia n900...
 |
|
2016-08-09
, 07:41
|
|
Posts: 1,478 |
Thanked: 9,871 times |
Joined on Dec 2008
@ Shanghai / London
|
#13
|
I wish this came out earlier so I could root my already sold BB priv and have some real use of the device.
Why folks in general so afraid of root? It's not root causing the breach it's the app that takes advantage of the root am I understand correctly? So even you are "affected" just don't install anything that you don't trust that's all.
Why folks in general so afraid of root? It's not root causing the breach it's the app that takes advantage of the root am I understand correctly? So even you are "affected" just don't install anything that you don't trust that's all.
 |
|
2016-08-09
, 07:58
|
|
Posts: 6,447 |
Thanked: 20,981 times |
Joined on Sep 2012
@ UK
|
#14
|
Originally Posted by juiceme
But that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.
On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.
I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.
Originally Posted by juiceme
Again, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)
TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.
__________________
Русский военный корабль, иди нахуй!
Русский военный корабль, иди нахуй!
| The Following 9 Users Say Thank You to pichlo For This Useful Post: | ||
|
|
2016-08-09
, 09:24
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#15
|
Originally Posted by pichlo
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;
Originally Posted by juicemeBut that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.
I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause a damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need a root access to be compromised.
Case in point, something like an year ago a friend asked me to backup messages from her device. The phone was unrooted older Samsung Galaxy model, and I had really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)
Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.
Originally Posted by pichlo
On SFOS the thing is a bit different, all user private data is under the home directory and almost all of it is accessible with nemo user permissions. With a malicious application it is quite easy to mess up or exploit anything.
Originally Posted by juicemeAgain, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.
However you cannot (at least not easily) incorporate rootkit-like functionality into an application submitted to the Jolla Harbour as the needed library interfaces are not permitted in applications;
A rogue application might steal your data, but it cannot modify system so that it hides a backdoor and refuses to uninstall, for example.
All bets are off, of course when you install apps from other sources. That's why I have a simple rule for myself; only install what you yourself have built and check the projects for funny business before you do so.
|
|
2016-08-09
, 10:13
|
|
Posts: 6,447 |
Thanked: 20,981 times |
Joined on Sep 2012
@ UK
|
#16
|
Originally Posted by juiceme
Really? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;
It may not be easy for you, the user, to access your own data. But it is easy for anyone else. Go figure.
__________________
Русский военный корабль, иди нахуй!
Русский военный корабль, иди нахуй!
| The Following 5 Users Say Thank You to pichlo For This Useful Post: | ||
 |
|
2016-08-09
, 10:27
|
|
Posts: 4,118 |
Thanked: 8,901 times |
Joined on Aug 2010
@ Ruhrgebiet, Germany
|
#17
|
Originally Posted by juiceme
About this I would like to know more!
...
Case in point, something like an year ago a friend asked me to backup messages from her device. The phone was unrooted older Samsung Galaxy model, and I had really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)
Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.
...
__________________
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!
Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257
editsignature, http://talk.maemo.org/profile.php?do=editsignature
SIM-Switcher, automated SIM switching with a Double (Dual) SIM adapter
--
Thank you all for voting me into the Community Council 2014-2016!
Please consider your membership / supporting Maemo e.V. and help to spread this by following/copying this link to your TMO signature:
[MC eV] Maemo Community eV membership application, http://talk.maemo.org/showthread.php?t=94257
editsignature, http://talk.maemo.org/profile.php?do=editsignature
Last edited by peterleinchen; 2016-08-09 at 10:39.
|
|
2016-08-09
, 11:33
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#18
|
Well, when you install an application it will tell you what priviliges are required for it to run, right? I am not sure how the QC is set up at Google Play so is it possible to device an application so that it utilizes a capablity it does not advertise at install time.
If the device is fully locked down you can only install applications from the store that is installed to the device.
If the device is fully locked down you can only install applications from the store that is installed to the device.
| The Following 3 Users Say Thank You to juiceme For This Useful Post: | ||
|
|
2016-08-09
, 11:40
|
|
Community Council |
Posts: 4,920 |
Thanked: 12,867 times |
Joined on May 2012
@ Southerrn Finland
|
#19
|
Originally Posted by pichlo
Exactly as you say: have "access to your contacts" on their permissions list
Originally Posted by juicemeReally? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;
The applications CAN get your data if it says so in their permission list.
It has been stated so many times it is a bad practice to have any random fartapp and flashlight to request full range of permissions but the only thing an user can do is to not install the application.
I'd imagine it is probably not worth for Google to enforce application developers to only request minimum permissions needed for the application to operate
| The Following 6 Users Say Thank You to juiceme For This Useful Post: | ||
|
|
2016-08-09
, 13:11
|
|
Posts: 6,447 |
Thanked: 20,981 times |
Joined on Sep 2012
@ UK
|
#20
|
Originally Posted by juiceme
Not if Google itself churns out applications requesting the full shebang of permissions without any obvious reason. I mean, I can understand that e.g. Maps might want to read your location. But why on earth would it need an access to your call history or camera?
I'd imagine it is probably not worth for Google to enforce application developers to only request minimum permissions needed for the application to operate
Regarding the case being discussed, sorry if I did not express myself clearly enough. I am not saying that every user application can compromise your identity (well, it can on Sailfish, but not on Android). I am saying that users want to run this fartapp, play this game or whatever and so they grant it whatever permissions it asks. Then, once installed, the application can do whatever it pleases with your sensitive data.
How is QuadRooter different? It also needs you to install something. As you correctly point out, it could potentially grant itself permissions not advertised at the time of installation, BUT the point is, you still need to install it first. So the would be attacker needs to make it look attractive enough to lure the users into installing it. This is where the hard work is: making the app attractive. Not exploiting the vulnerability. If the app looks attractive enough, users will give it whatever permission it wants. They mostly treat the warning box as a nuisance that stands in the way anyway and just click it through. To that class of users (i.e. about 99% of them), QuadRooter poses no additional risk than what they expose themselves willingly every day already.
__________________
Русский военный корабль, иди нахуй!
Русский военный корабль, иди нахуй!
| The Following 3 Users Say Thank You to pichlo For This Useful Post: | ||
Telegram | Openrepos | GitHub | Revolut donations