N900 Vulnerable to Spyware?


mail_e36
2010-06-23, 16:44
This morning Slashdot linked to an article talking about spyware in Android applications... this made me think, are we N900 owners just as vulnerable to spyware-ridden evil malicious applications as the Android folks? I wonder how many N900 users here actually do source code analysis on applications they install from the 'extras' and 'extras-devel' and 'testing' repositories. I understand the N900 user base is a lot more tech savvy than the Android user base, but who, if anyone, is checking the latest and greatest non-Nokia applications for the N900?

"A fifth of Android apps expose private data. The Android market threat report details the security issues uncovered."

http://yro.slashdot.org/story/10/06/23/1429249/Fifth-of-Android-Apps-Expose-Private-Data

The report is here: http://threatcenter.smobilesystems.com/wp-content/uploads/2010/06/Android-Market-Threat-Analysis-6-22-10-v1.pdf

wmarone
2010-06-23, 16:51
As vulnerable as any other computer. I doubt most people do extensive analysis, so it's entirely possible. At the very least, programs that have their sources in the repository can be looked at whereas closed Android software can't.

For the N900, however, the smaller user base and slightly higher barrier for app creation generally make mostly useless data sniffing apps not very valuable.

It could be worse, your OS could be spying on you for advertising purposes ;)

qwerty12
2010-06-23, 16:52
Unlikely, but Nokia have taken to including their own: https://bugs.maemo.org/show_bug.cgi?id=10366

cjp
2010-06-23, 16:53
Well, ever since PR1.2, N900 comes with in-built spyware. It's called "MyNokia". ;D

woody14619
2010-06-23, 17:12
It could be worse, your OS could be spying on you for advertising purposes ;)

I doubt we'll have to worry about PR1.3 introducing nAds support. ;)

As for spyware, I'm sure it's possible. One of the nice parts about the garage system though is that it builds the debs from the source in the garage. So if you want to, you can always look at the code. I suspect if something like that were to happen, eventually it would be picked up (like the MyNokia thing was) and a huge stink would be raised about it, with proof in the form of source code.

As for reviewing, I know I looked through the code in the garage for a few apps I was "worried" about that need passwords (for things like IM services and the like). I'm sure most don't bother, but there are at least a few people on here that tend to do that, which is often enough to catch something like this early on.

I also think most people here are developing for the N900 because they have one, and want to make the device/community/experience richer. Not just developing to make themselves richer, like on other socially popular commercial platforms. It's a different mindset, and because of that the risk is lower.

Bundyo
2010-06-24, 06:15
Well, it comes from a long way - older Windows had inbuilt Alexa.

Anyway, spyware is possible anywhere - it's a question of a choice.

gmuslera
2010-06-24, 06:37
First, what is in "normal" repositories gets approved at some stage to be there. And usually the program comes with full source. You can't ask normal users to check the source of every app they install, not even the ones that vote for them, but the possibility is there, and if the license is one that implies the source, that will make it even harder to sneak something in.

Of course, that doesn't take away what happens if I announce an exciting new app that should be downloaded as binaries from my web page instead of from a repository. And I'm not sure if there is a policy to put binary-only debs on normal repositories. In such cases there is no validation of whether they are spyware or something worse.

Also, it could happen with what is in the Ovi store, but in that case whoever posted it is identified, so the odds should not be high in that case.

9000
2010-06-24, 07:00
I asked the same question in a red hat (hackers) meeting. The short answer was "Who dare".

Say, do you want someone to order a dozen boxes of Viagra for you, with your credit card, every day? XD

Frappacino
2010-06-24, 07:12
sure it's possible, but as with most of this stuff it's about effort vs return

given the small n900 user base, most of which are very technically literate and competent, do you think there is a big return on writing spyware for the n900?

most likely not - unless you have some grudge/reason for targeting n900 users _specifically_

one of the benefits of using a dead platform lol (and I am not being sarcastic)

Marlon
2010-06-24, 07:40
I doubt we'll have to worry about PR1.3 introducing nAds support. ;)


lol, nads - i'm such a child ;o)

Nathraiben
2010-06-24, 07:50
I asked the same question in a red hat (hackers) meeting. The short answer was "Who dare".

Say, do you want someone to order a dozen boxes of Viagra for you, with your credit card, every day? XD

One of the first things you're taught at any capable IT university: Don't mess with hackers unless you're way better than them. And even then, prepare for a long, hard fight. :D

fnordianslip
2010-06-24, 08:00
My guess is that they were Red Hat hackers, not Black (or White) Hat crackers.

Nathraiben
2010-06-24, 08:13
There's no need for segmentation. Any group of hackers (not crackers, but tech savvy people who hack away on their keyboard with at least 300bpm) is dangerous to mess with. You're bound to have at least a handful of people in there who know quite well how to get back at you, and by attacking first there's no code of honour to keep you safe anymore.

I know *I* would definitely not dare to upload any spyware on here. :P