Not exactly but almost.

A must-have-fartapp claiming it needs only access to the 'noise system' may get all the access it wants with that exploit.

No, and 1000 times no. The "library whitelist" in the Jolla Store basically exists out of some (in my opinion, as discussed almost two years ago, misguided) concern about binary compatibility with future SailfishOS versions.

It does absolutely nothing regarding security.

I mean, just look at what most people do to escape the library whitelist: statically link to whatever library they feel like.



Security in Sailfish basically comes to the separation between 3 users: root, privileged, and nemo.
- Root is "I just bricked your device by accident" level
- Privileged is "I can email your address book to china" level.
- Nemo is "I can convert your phone into a major spam-sending operations center, break havoc in all your other running applications, including reading their data (since you can ptrace them), but at least you may not be able to easily read the stock sailfish contacts database, and hopefully not brick the device".

Curiously enough it seems that all of this was done more to satisfy Exchange requirements than for security/privacy reasons.

Applications in the store are limited to the "nemo" level mostly because install scripts are forbidden (thus you cannot run stuff as root during install time, and therefore you cannot set the setuid bit on files).

This protection is not extended to random .rpm files. Those immediately get to the "root" level already during install time.

I have no idea how much sandboxing is done in AlienDalvik (it is proprietary) but my wild guess is also "none".

Sorry but also wrong.


There's still a _huge_ difference between "oh, perhaps this thing deleted all my documents" and "oh, perhaps this thing deleted all my documents, corrupted my word processor so as to silently capture all my future keystrokes and insert random typos and/or menacing insults, backdoor every other program, insert a non-removable piece of itself on my firmware, which will corrupt every future backup disk I insert on my computer while trying to restore my documents (worse: do it silently), propagate itself through my cloud backup systems (if I have any) to my other computers, corrupt any type of version history-like backup system (e.g. time machine) that would have allowed me to undo the actions of the malware, etc. etc. long etc.".

Things have not changed that much in the 21st century. Not in this area. It is one thing when malware/an accident can destroy your documents. It is another thing when malware/an accident can destroy your documents, anyone else's, and the operator's backups.

So much wrong here...

Can we do anything to to protect device other than not using jolla or android?

How is this related to "not using jolla or android"?
Or to any other system, maybe "not using iOS" also?

There is a simple rule that you should follow. Really simple, and it works perfectly; Just-Do-Not-Install-Crap-On-Your-Device.

Yes. We need a crapless device!

Yeah - it basically comes down to accepting random binaries from random people, which is really not a good idea unless you have a very good sandboxing.

And good sandboxing that does not reduce all applications to toys due to blocking critical functionality is hard...

That's why most "normal" Linux distros accept software to their repositories in a source form only & require it to built on the distro managed infrastructure. While this is also not foolproof (you would have to read & audit the complete source code of all the software you accept to be 100% sure), it's still much better than accepting random binaries.

I would kinda assume it at least does the standard Android sandboxing (running apps separately, each, under it's own user, etc.). On the other hand it is indeed proprietary, so all bets are off - they might as well have left it out to make the emulation easier/faster etc. And we have no way (well, no easy way) of checking for that.

use N3315 and your data safe, your contacts safe, win win solution.

I've halfway been expecting chipset exploits for quite a while. Exciting times we live in...

not a big issue... you can patch all the vulnerabilities... there's an app that let's you kno if your kernel is vulnerable http://blog.checkpoint.com/2016/08/07/quadrooter/ for android... same link from first post.

next... only owners with ancient OS"s will be really effected... too bad.