18

How can I trust the apps in the Jolla Store?

asked 2015-12-19 22:07:41 +0300

Laura

updated 2016-08-04 15:59:52 +0300

jiit

My Jolla Phone being delivered last week, I searched the Jolla Store for some apps I need or like to have. But there's no information provided on the privileges an app needs to work. Jolla does not even inform customers about the tests apps need to pass before they become available in the store. So I doubt they are checked for viruses, spyware and so on.

Furthermore I can't download the installation files and upload them to an online malware scanner before I install the apps. There's also no way to install the apps into a sandbox first and observe their behaviour with a tool myself.

So by now I have only installed some of the apps offered directly by Jolla. (If I decided not to trust the company I shouldn't use the phone/Sailfish OS at all.) But Jolla only offers very few apps and I feel I need some more.

So what are my possibilities to find out whether to trust or not to trust a specific app available in the store?

Please don't get me wrong. This is no offense. I like my new Jolla Phone. And I do also appreciate the hard work of developers offering useful apps in the store. I am just used to being careful with what I download. And on a mobile phone it seems to me to be even more important to take care about that, because I am not able to protect my personal data on the phone as well as on my computer.


Comments

2

Hi, welcome to TJC @Laura

Your worry is really unwarranted.

See this thread from here on TJC; https://together.jolla.com/question/17308/sailfish-os-protection/ and here; https://jolla.zendesk.com/hc/en-us/articles/202497256#antivirus and subtle mentions of 'no need' from here; http://comments.gmane.org/gmane.comp.handhelds.sailfishos.devel/2817

Regards,

Spam Hunter ( 2015-12-19 23:05:23 +0300 )

Thanks for the links, Markkyboy. I've spent some time in reading the sites.

"There are multiple concepts [for protecting Sailfish OS] available that can be taken into use if problem arises. And some of the enablers are already in the firmware. So we should be able to react quickly if need be."

It's good to know that Jolla is prepared to fight against malware that is trying to infect the system even before any is developed.

Laura ( 2015-12-20 00:47:43 +0300 )
2

@Markkyboy,

"Your worry is really unwarranted."

Really? Have you forgotten Flashlight, the first Sailfish malware that appeared in Harbour just weeks after the launch?

In fact, there is no security in Sailfish whatsoever. Just like there is no security in Linux as such. The only "security" to speak of is security through obscurity: you are "secure" only because no one considers Sailfish a target worth the bother of attacking. The moment they do, there is nothing to stop them.

pichlo ( 2015-12-20 16:54:27 +0300 )

Nope, didn't hear about that one, I guess I would have mentioned it if I had.

Spam Hunter ( 2015-12-20 19:55:46 +0300 )

Flashlight isn't categorised as malware, because it only sent usage statistics. This is in accordance with Jolla's appstore rules. https://together.jolla.com/question/10925/add-rights-management-for-native-apps/ https://together.jolla.com/question/10956/provide-some-basic-or-not-so-basic-app-usage-stats-for-the-developers/

@pichlo: Why do you think there's no security in Linux?

Laura ( 2015-12-20 20:20:53 +0300 )

2 Answers

22

answered 2015-12-20 03:40:20 +0300

Laura

updated 2015-12-20 03:42:49 +0300

To summarize the results:

Actually, malware for Sailfish OS doesn't seem to exist at all. Nevertheless, Jolla already has some concepts for protecting the OS against malware. (links mentioned above, thx @Markkyboy)

Apps need to pass a very strict QA before they are published to Jolla Store. (thx @coderus)

This Quality Assurance concerns system security as well as the protection of the users' private data. So the packaging rules do not allow apps to install .service files. And the D-Bus API is unavailable to 3rd party applications to prevent unrequested sideloading of RPM packages. Furthermore, D-Bus APIs are available to applications only without raising the application's privileges. In addition, Android apps aren't allowed to make phone calls or send SMS. It is also checked whether the apps steal private data like messages and contacts. https://harbour.jolla.com/faq#7.2.0 https://together.jolla.com/question/10991/store-apps-should-ask-before-calling-home/?answer=11071#post-id-11071

On the other hand, as long as they only send statistics about their own usage, apps in the store are allowed to call home without the customers being asked for their consent. https://together.jolla.com/question/10991/store-apps-should-ask-before-calling-home/

And non-privileged (i.e., third party) applications can read data stored by other non-privileged applications. This is considered a security problem. https://together.jolla.com/question/27995/how-secure-is-the-app-system-currently/?answer=28350#post-id-28350 https://together.jolla.com/question/27076/roundtable-discussion-application-security/

Privileged applications may read most of the important data like contacts, calendar, images, posts and notifications. https://together.jolla.com/question/27995/how-secure-is-the-app-system-currently/?answer=28350#post-id-28350

Although Jolla claims to be working on that issue, the notification of the required privileges is not yet shown when installing applications from the Jolla Store. https://jolla.zendesk.com/hc/en-us/articles/202497256#android

Altogether, those apps will neither compromise your system themselves nor be able to download and install a package afterwards that infects your OS. Rights management is still missing. You don't exactly know what kind of data an app from the Jolla Store will get access to, but you can be quite sure it won't send your private data to its developer, while it might send internal statistics without asking you beforehand.


Comments

2

There is no privileges/rights system in sailfishos, so any notification about it during installation is not possible.

coderus ( 2015-12-20 18:48:33 +0300 )

It will be possible for android apps in the store, if they keep their promise.

"NOTE: when installing applications from the Jolla Store, the notification of the required privileges is not shown. This issue is known and we are working to fix this as soon as possible."

Sailfish differs between privileged and non-privileged apps. Isn't this a kind of rights management? (I think I didn't get your point.)

Laura ( 2015-12-20 20:27:55 +0300 )

privileged is just a group managing file access restrictions.

coderus ( 2015-12-20 20:49:23 +0300 )
1

Thank you for your answer.

So the lack of a rights system means that an app belongs to one of those two groups, and all apps of that group do automatically have the same rights? You cannot create your own group for a file or decide to give it only some of the rights of its group, because Sailfish doesn't offer such an option yet?

Laura ( 2015-12-20 21:19:36 +0300 )
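
The group-based access model discussed in the answer and comments above, as an added example that is not part of the original thread and not Sailfish OS code: a small model of the Unix read check, showing why apps that share one user ID can read each other's files while a group-restricted file stays out of reach. The UID/GID numbers, file paths and ownership layout are constructed assumptions.

```python
import stat
from collections import namedtuple

# All IDs, names and paths below are constructed for illustration.
USER_UID, USER_GID = 100000, 100000   # assumed device user that runs every app
PRIV_UID, PRIV_GID = 1001, 1001       # assumed owner/group of protected data

Proc = namedtuple("Proc", "name uid gids")
File = namedtuple("File", "path uid gid mode")

def can_read(proc, f):
    """Classic Unix read check on one file (directory traversal is ignored).

    The first matching class (owner, then group, then other) decides;
    there is no fall-through to a more permissive class.
    """
    if proc.uid == 0:
        return True
    if proc.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in proc.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def readable_by(proc, files):
    """Paths from `files` that `proc` would be allowed to read."""
    return [f.path for f in files if can_read(proc, f)]

FILES = [
    File("app_a/settings.db", USER_UID, USER_GID, 0o600),
    File("app_b/tokens.db", USER_UID, USER_GID, 0o600),
    File("privileged/contacts.db", PRIV_UID, PRIV_GID, 0o660),
]

# Third-party apps run as the same user; only group membership differs.
APP_A = Proc("app_a", USER_UID, {USER_GID})
APP_B = Proc("app_b", USER_UID, {USER_GID})
PRIV_APP = Proc("priv_app", USER_UID, {USER_GID, PRIV_GID})

if __name__ == "__main__":
    for p in (APP_A, APP_B, PRIV_APP):
        print(p.name, "->", readable_by(p, FILES))
```

Mode 0600 on an app's own data does not separate it from other third-party apps, because the owner class matches for every process running as the same user.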
8

answered 2015-12-19 23:19:21 +0300

coderus

Every SailfishOS and Android application published to Jolla Store passed a very strict QA, which can last up to two weeks.


Comments

Thanks for your answer.

I searched online for some more details about the QA. Including that word in my search terms helped me to find the information I had been looking for.

Laura ( 2015-12-20 03:39:33 +0300 )
Stats

Asked: 2015-12-19 22:07:41 +0300

Seen: 2,034 times

Last updated: Dec 20 '15