    Sailfish: Security / Privacy

    Page 1 of 2 | 1   2   | Next
    Leinad | # 1 | 2013-12-14, 00:34 | Report

    Sorry, this may have been discussed in separate threads before, but i think it needs its own thread:

    as rainisto said, there is no NSA backdoor in Sailfish, thanks for that!

    ...but what about the typical "fart app" use case? can some stupid android app read your complete device and send the data to some suspicious server or is such a thing completely impossible?

    ... and what about native apps? is there some control or do you just have to be faithful and trust every native app automatically?

    i never had a problem with that on Fremantle / Harmattan, but i can imagine, Sailfish will become much more popular, hence much more attractive to possible "attackers"...

    The Following 3 Users Say Thank You to Leinad For This Useful Post:
    fw190, RX-51, ste-phan

     
    szopin | # 2 | 2013-12-14, 00:38 | Report

    Android apps will not have access to sailfish native data (nemo-user guid vs privileged IIRC), no worries about background calls/sms too, no way to call/send text without user physically hitting the button and all attempts to call should invoke native dialer/texter (all this is from the user experience/cancelled preorder and tracking numbers threads). Not sure if android apps have their own storage for such data that can be 'flashlighted' away

    The Following 4 Users Say Thank You to szopin For This Useful Post:
    fw190, Leinad, minimos, tissot

     
    coderus | # 3 | 2013-12-14, 03:47 | Report

    if you never enable developer mode you don't need to worry about that.


     
    HtheB | # 4 | 2013-12-14, 08:46 | Report

    Originally Posted by szopin View Post
    Android apps will not have access to sailfish native data (nemo-user guid vs privileged IIRC), no worries about background calls/sms too, no way to call/send text without user physically hitting the button and all attempts to call should invoke native dialer/texter (all this is from the user experience/cancelled preorder and tracking numbers threads). Not sure if android apps have their own storage for such data that can be 'flashlighted' away
    But that means no contacts will be visible like on Whatsapp/Viber/Tango?

    The Following User Says Thank You to HtheB For This Useful Post:
    Leinad

     
    Dave999 | # 5 | 2013-12-14, 08:55 | Report

    All devices have back doors. It's just that you don't know about the holes yet.

    The Following User Says Thank You to Dave999 For This Useful Post:
    fw190

     
    misterc | # 6 | 2013-12-14, 10:14 | Report

    Originally Posted by szopin View Post
    [...] no worries about background calls/sms too, no way to call/send text without user physically hitting the button [...]
    ¦-)))))))))))))))))))))))))))))))))))))))))))))))))) ))))))))))))))))))

    which button are you talking about, exactly...
    • volume up / down
    • power / (un-)lock
    ?????

    any way, hacking into 50'000+ devices at an early alpha stage (except for the UI which seems to be fairly smooth... do i sense the usual nemo / Mer C like crap here?!? community = NOT working ) does not make much sense for any hacker, just not worth the effort considering the development needed to get it done

    couple thoughts about posts on this thread...
    • Jolla themselves said last spring when presenting their 1st device that they would present a "cheaper" device (w/out TOH) in 1st ½ of 2014
      considering time to get 1st device into customers' hands, we might see another "popular" Jolla device in a year's time...
    • why o why would any consumer in his right mind install Sailfish OS on any device?!?
      UI is fairly smooth (with Sailfish apps) but again, the mer community / crap
      could blame Jolla for NOT porting back more; or simply developing everything themselves, professionally?!?
      i mean, look @ it... UI close to 100% (it's Quality, not quantity but still, it pays off) OS... nothing! boots up, but that's about it
    • & here the last, sorest point... why would an average consumer buy a Jolla device? for the Android apps? come on! i have a SGT2-7 since a few months and even though (coming from a N9!) it took a few hrs to get used to Sailfish's swipe / pull and its apps' specifics, compared to the Droid mess... day and night.
      still, the whole package is simply at too early a stage to be prime time ready...

    EDIT: typo


    Last edited by misterc; 2013-12-14 at 10:24.
    The Following User Says Thank You to misterc For This Useful Post:
    szopin

     
    rainisto | # 7 | 2013-12-14, 10:33 | Report

    Originally Posted by HtheB View Post
    But that means no contacts will be visible like on Whatsapp/Viber/Tango?
    No it does not mean that, Android apps like WhatsApp will have read-only access to _local_ contacts db (but not to privileged facebook etc contacts) in coming sw updates.

    So yes, in future Android malware might be able to steal your local contacts but the same malware most likely can steal the same data on any Android device (but it's still not able to make phone calls nor send SMSes without user interaction). As the things that can cause you to lose real money are the things that we try to protect better. And even when contact data is valuable, protecting that too tightly eats usability from WhatsApp-like applications. So installing random apk packages blindly from the Internet is your own decision as they will have read-only access to unprotected nemo data (but we do protect that android apps cannot send hidden SMSes nor make phone calls.).

    Also at some point in the future you might also be able to choose if some contact is local or privileged.

    N900 and N9 sold seven figure amounts and didn't have a problem with malware, so I doubt that malware writers will bother looking into Sailfish OS until our sales figures have reached the same (or have reached 8 or 9 figures). And if some day someone releases 1st Sailfish specific malware application, then we will react to it and tighten the holes if need be. Until then this is all just speculative ranting.

    Linux generally is a quite open system with Unix directory permissions (and you don't see that much malware in there), and we are trying to follow those footsteps (+ protecting hidden phone call / SMS sending).


    Last edited by rainisto; 2013-12-14 at 11:03.
    The Following 16 Users Say Thank You to rainisto For This Useful Post:
    b.cloanta, HtheB, Leinad, MartinK, mattaustin, mikecomputing, mrsellout, mve, Naranek, rcolistete, RX-51, szopin, tangent, thedead1440, XiliX, zamorph

     
    TMavica | # 8 | 2013-12-14, 10:52 | Report

    Maybe WhatsApp made an official client for sailfish


     
    juiceme | # 9 | 2013-12-14, 11:25 | Report

    Originally Posted by misterc View Post
    ... uttered lots of Nemo/Mer bashing and insults ...
    Now I wonder what's the cause of this vocal eruption?
    AFAIK the device being Mer-based is one of the real reasons I was interested in it in the first place
    The UI is nice but the openness/hackability is the prime attraction feature for me.

    The Following 2 Users Say Thank You to juiceme For This Useful Post:
    MartinK, mrsellout

     
    szopin | # 10 | 2013-12-14, 23:46 | Report

    Originally Posted by misterc View Post
    ¦-)))))))))))))))))))))))))))))))))))))))))))))))))) ))))))))))))))))))

    which button are you talking about, exactly...
    • volume up / down
    • power / (un-)lock
    ?????
    I was wondering about this too, but I think rainisto said so in one of the aforementioned threads. Sure you could simulate touch-screen interaction software-wise, but really doubt any such thing can come through from AlienDalvik, so at least Android malware is out of the question. Now if you install all apps from extras-devel that have no source available, you might have a problem. EDIT: just got to rainisto's comment, so it looks like read-only access, and not exactly out of the question. Don't like the comment about 7 figure amounts, maybe I read it wrong, but device rarity is not an argument, obscurity-security... yeah and especially since Jolla could make this a very strong selling point PR-wise with all the NSA stuff being frontpaged daily now

    Originally Posted by
    any way, hacking into 50'000+ devices at an early alpha stage (except for the UI which seems to be fairly smooth... do i sense the usual nemo / Mer C like crap here?!? community = NOT working ) does not make much sense for any hacker, just not worth the effort considering the development needed to get it done
    To a hacker, yeah, to an organization that makes its living by spying, early access or early backdoor implementation could be considered a key asset. Think about it, new device, all Snowdens of the world are gonna use it because it is new and from outside of US. Very hot cake


    Last edited by szopin; 2013-12-15 at 00:04.
    The Following User Says Thank You to szopin For This Useful Post:
    misterc

     