Leinad | # 1 | 2013-12-14, 00:34 | Report

Sorry, this may have been discussed in seperate threads before, but i think, it needs an own thread:

as rainisto said, there is no NSA backdoor in Sailfish, thanks for that!

...but what about the typical "fart app" usecase? can some stupid android app read your complete device and send the data to some suspicious server or is such thing completely impossible?

... and what about native apps? is there some control or do you just have to be faithfull and trust every native app automatically?

i never had a problem with that on Fremantle / Harmattan, but i can imagine, Sailfish will become much more popular, hence much more attractive to possible "attackers"...

szopin | # 2 | 2013-12-14, 00:38 | Report

Android apps will not have access to sailfish native data (nemo-user guid vs privileged IIRC), no worries about background calls/sms too, no way to call/send text without user physically hitting the button and all attempts to call should invoke native dialer/texter (all this is from the user experience/cancelled preorder and tracking numbers threads). Not sure if android apps have their own storage for such data that can be 'flashlighted' away

coderus | # 3 | 2013-12-14, 03:47 | Report

if you never enable developer mode you can no worry about that.

HtheB | # 4 | 2013-12-14, 08:46 | Report

But that means no contacts will be visible like on Whatsapp/Viber/Tango?

Dave999 | # 5 | 2013-12-14, 08:55 | Report

All devices have back doors. It's just that you don't know about the holes yet.

misterc | # 6 | 2013-12-14, 10:14 | Report

¦-)))))))))))))))))))))))))))))))))))))))))))))))))) ))))))))))))))))))

which button are you talking about, exaclty...

• volume up / down
• power / (un-)lock

?????

any way, hacking into 50'000+ devices at an early alpha stage (except for the UI which seems to be fairly smooth... do i sense the usual nemo / Mer C like crap here?!? community = NOT working ) does not make much sense for any hacker, just not worth the effort considering the development needed to get it done

couple thoughts about posts on this thread...

• Jolla themselves said last spring when presenting their 1st device that they would present a "cheaper" device (w/out TOH) in 1st ½ of 2014
  considering time to get 1st device into customers' hands, we might see another "popular" Jolla device in a years' time...
• why o why would any consumer in his right mind install Sailfish OS on any device?!?
  UI is fairly smooth (with Sailfish apps) but again, the mer community / crap
  could blame Jolla for NOT porting back more; or simply developing everything themselves, professionally?!?
  i mean, look @ it... UI close to 100% (it's Quality, not quantity but still, it pays off) OS... nothing! boots up, but that's about it
  
• & here the last, sorest point... why would an average consumer buy a Jolla device? for the Android apps? come on! i have a SGT2-7 since a few months and even though (coming from a N9!) it took a few hrs to get used to Sailfish's swipe / pull and it's apps specifics, compared to the Droid mess... day and night.
  still, the whole package is simply in an too early stage to be prime time ready...

EDIT: typo

---

Last edited by misterc; 2013-12-14 at 10:24.

rainisto | # 7 | 2013-12-14, 10:33 | Report

No it does not mean that, Android apps like Whatsup will have readonly access to _local_ contacts db (but not to privileged facebook etc contacts) in coming sw updates.

So yes, in future Android malware might be able to steal your local contacts but the same malware most likely can steal the same data on any Android device (but its still not able to make phonecalls nor send sms'es without user interaction). As the things that can cause you loose real money is the thing that we try to protect better. And even when contact data is valueble, protecting that too tightly eats usability from Whatsup like applications. So installing random apk packages blindly from Internet is your own decision as they will have readonly access to unprotected nemo data (but we do protect that android apps cannot send hidden sms'es nor make phonecalls.).

Also at some point in the future you might also be able to choose if some contact is local or privileged.

N900 and N9 sold seven figure amounts and didn't have problem with malware, so I doubt that malware writers will bother looking into Sailfish OS untill our sales figures have reached the same (or have reached 8 or 9 figures). And if some day someone releases 1st Sailfish specific malware application, then we will react to it and tighten the holes if need be. Untill that this all is just specilative ranting.

Linux generally is quite open system with Unix directory permissions (and you don't see that much malware in there), and we are trying to follow those footsteps (+ protecting hidden phonecall / sms sending).

---

Last edited by rainisto; 2013-12-14 at 11:03.

TMavica | # 8 | 2013-12-14, 10:52 | Report

Maybe Whatsapp made a official client for sailfish

juiceme | # 9 | 2013-12-14, 11:25 | Report

Now I wonder what's the cause of this vocal eruption?
AFAIK the device being Mer-based is one of the real reasons I was intrested in it in the first place
The UI is nice but the openness/hackability is the prime attraction fature for me.

szopin | # 10 | 2013-12-14, 23:46 | Report

I was wondering about this too, but I think rainisto said so in one of the beforementioned threads. Sure you could simulate touch-screen interaction software wise, but really doubt any such thing can come through from AlienDalvik, so at least Android malware is out of the question. Now if you install all apps from extras-devel that have no source available, you might have a problem. EDIT: just got to rainisto's comment, so it looks like readonly access, and not exactly out of the question. Don't like the comment about 7 figure amounts, maybe I read it wrong, but device rarity is not an argument, obscurity-security... yeah and especially since Jolla could make this a very strong selling point PR wise with all the NSA stuff being frontpaged daily now

To a hacker, yeah, to an organization that makes its living by spying, early access or early backdoor implementation could be considered a key asset. Think about it, new device, all Snowdens of the world are gonna use it because it is new and from outside of US. Very hot cake

---

Last edited by szopin; 2013-12-15 at 00:04.