Jolla is affected by QuadRooter

asked 2016-08-08 16:40:22 +0200

tvicol

Good time to upgrade Jolla's Android.

I was curious about this as well. I used the search but only found this request to update the Qualcomm drivers: No real answer is given yet though.

Jozz ( 2016-08-08 17:14:00 +0200 )

I am seriously disappointed at how Jolla fails completely to provide timely security updates. It seems like there is no infrastructure at all for quicker updates than the quarterly version updates (which are often late, too).

Federico ( 2016-08-08 17:20:50 +0200 )

Blame Qualcomm, not Jolla.

ced117 ( 2016-08-08 17:54:03 +0200 )

@ced117 I don't expect Qualcomm to provide bug-free software, but I do expect Jolla to release security fixes when a vulnerability comes up. It's not the only one; there is another thread mentioning several glibc vulnerabilities that have been there for months when a simple fix is available upstream. I can't blame Qualcomm for those.

Federico ( 2016-08-08 18:35:17 +0200 )

@Federico About the glibc vulnerabilities, you might be right, Jolla is "in fault" here.

But again, Jolla can't release security fixes for something that they can't fix themselves. (Access to the source code of binary blobs, blablabla...)

ced117 ( 2016-08-08 19:47:33 +0200 )

answered 2016-08-10 10:53:44 +0200

hoschi

updated 2016-08-10 10:53:57 +0200

This should be a security issue for Jolla in general, not Android-Layer itself. We are not secure, because we are a minority compared to Android (security by obscurity...maybe they don't know us, so they don't attack us?).


answered 2016-08-10 05:12:03 +0200

Thylacine

I don't know when the patch would arrive for Sailfish OS, but I don't have to worry much because I am using only Jolla apps!

Yes, that will provide pretty good shield from most attacks.

It is of course fairly easy to implement these attacks (or pretty much anything really) as a native SFOS application, but a good bet is that the target population is so small it is not really worthwhile. I'd be wary anyway of any binaries not installed from the Jolla Harbour, however... :)

Best practice is to only ever install packages you have yourself built from sources that you have at least cursorily eyeballed.

juiceme ( 2016-08-10 08:26:24 +0200 )

The same Qualcomm drivers are used by SailfishOS as by Android. Security through obscurity or security through minority is very poor security.

tvicol ( 2016-08-10 09:30:07 +0200 )

@tvicol, exactly.

Hence my advice; do not install anything you have not checked & built yourself.

juiceme ( 2016-08-10 09:38:06 +0200 )

@tvicol, @juiceme You are not alone.

utkiek ( 2016-08-10 13:06:30 +0200 )

@juiceme You check all the source code yourself? And build everything yourself? (I smell Gentoo ;-) ) But did you also write your own compiler in assembler? The only way to be safe.... ;-)

misc11 ( 2016-08-10 16:28:54 +0200 )
