Sailfish X: A newbie's security concerns and questions

asked 2017-11-24 09:20:39 +0200


Hi folks, I've been searching for threads on Sailfish-OS security on Xperia X but didn't find any updated information on this. Just many many threads dealing with very special security questions, that beginners might not understand.

Could anyone well informed and tech savvy, who knows and not only believes to know what she/he is talking about, please answer me some questions in an understandable way on the following simple Sailfish OS security concerns/questions:

  1. Where and how are passwords stored on the Sailfish X, when I access my home wifi network, my email-, my caldav-, my carddav-accounts? Are those passwords encrypted or in plain text on the device? Is there a difference compared to Android and iOS devices accessing these?

  2. Can other apps on Sailfish X, i.e. not only the apps I used to save the passwords, access those passwords or is there a kind of sandboxing system or another protection of those passwords?

  3. How are apps, especially third party apps on the Jolla store, being checked by Jolla so that they do no harm? Are those apps in the Jolla store more secure than those on Openrepos?

  4. Sailfish X allows you to install Android apps if you wish. This Android support is, if I remember right, based on Android 4 or something. Android 4, I heard, wasn't considered safe any more. So how safe or unsafe is this Android support on Sailfish X?

  5. Sailfish X stock browser seems to be based on an older Firefox version. This stock browser always asks me if it should store passwords. How and where are those passwords stored? Are those passwords encrypted or in plain text on the device?


1 Answer


answered 2017-11-24 13:20:10 +0200


updated 2017-11-24 13:21:43 +0200

1) SailfishOS uses the Accounts&SSO system which stores stuff encrypted in a DB only accessible by Accounts&SSO (see: https://sailfishos.org/wiki/Accounts_and_SSO )
edit: Only passwords are encrypted. Usernames are stored in plaintext
2) There is no sandboxing. I never encountered an application being able to access the Accounts&SSO though theoretically possible when the API is implemented. However not allowed in Jolla Store.
3) Jolla tests those applications for complying with the harbour rules (only allowed APIs used), tests them for harmful stuff and overall functionality
4) Alien Dalvik is based on Android 4.4.4 and Jolla keeps patching security issues (this Android version is still supported)
5) Username and Password are saved encrypted in /home/nemo/.mozilla/mozembed/logins.json


Comments


Thanks! Good question and good answer.

melg01 (2017-11-24 18:19:21 +0200)

However, the wifi passwords are stored in plain text in subfolders in /var/lib/connman/. However, the normal user does not have permission to access these subfolders. You would need root access to read out the passwords from there.

martin (2017-11-24 18:33:01 +0200)
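The comment above makes a least-privilege point: the ConnMan files are plaintext, and the only thing protecting them is the file mode. The script below is an added example, not code from this thread or from Jolla; it checks whether the two on-device paths named in this thread (/var/lib/connman and /home/nemo/.mozilla/mozembed/logins.json) are readable by anyone other than their owner, and assumes a GNU or BSD `stat` is available.

```shell
#!/bin/sh
# Added example, not from the thread: audit the file modes of the credential
# stores this thread names. Assumes a GNU (or BSD) `stat`.

# credential_path_exposure PATH
#   returns 0 if PATH exists and is readable only by its owner,
#           1 if group or other users can read it,
#           2 if PATH does not exist or cannot be stat'ed.
credential_path_exposure() {
    path="$1"
    [ -e "$path" ] || return 2
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null) || return 2
    # keep only the three rwx digits (drops a leading setuid/setgid/sticky digit)
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group_other=$(printf '%s' "$perms" | cut -c2-3)
    # an octal digit with the read bit set is 4, 5, 6 or 7
    case "$group_other" in
        *[4567]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# audit_credential_stores
#   prints one line per path the thread mentions. "OK" only means other
#   accounts cannot read the file; every app running as the same user still
#   can (there is no per-app sandbox), and root bypasses the mode entirely.
audit_credential_stores() {
    for p in /var/lib/connman /home/nemo/.mozilla/mozembed/logins.json; do
        if credential_path_exposure "$p"; then rc=0; else rc=$?; fi
        case $rc in
            0) echo "OK       $p (owner-only)" ;;
            1) echo "EXPOSED  $p (readable by group/other users)" ;;
            *) echo "MISSING  $p (not present on this system)" ;;
        esac
    done
}

audit_credential_stores
```

Run it on the device as the normal user first and then as root to see the difference the comment above describes.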

@leszek What happens if a malicious application has the power of root, can it then read the SSO database and start brute force cracking it? I assume the SSO database is only protected with user security password -or is it? Thank you for your good answers

alloj (2017-11-25 07:45:05 +0200)

Thank you Leszek for your answer.

Since I can't find all the Apps that I would like to use on the Jolla Store I'm installing Alien Dalvik Support.

In the settings of Sailfish X you can grant APKs (or not) access to your Contacts. That's all. Why not add settings for APKs trying to access the calendar etc.?

Even Apps like Threema and Signal Messenger are asking for loads of permissions (e.g. alter contacts, GPS position) that I don't really want to give them. On iOS and Nougat you can change this and allow or not access to camera, contacts etc.

Now could you or someone who is well informed let me know if your only choice on Alien Dalvik is to give APKs all the permissions they are asking for, or just not install them?

Instead of APKs you could also look for Openrepos Apps, but there I have no clue which permissions those Apps will get. I would really appreciate it if someone could explain this. Thank you for your patience.

Loenneberga (2017-11-25 17:45:26 +0200)

@alloj in theory of course an application can start brute force cracking the SSO database. However if the database uses a good encryption (I am not sure what algorithm is used here) it would take ages (more than 1000 years) to crack that.

@Loenneberga The Android Apps don't have access to the native calendar. Only camera, contacts, GPS and network (without being able to switch or control the wifi network) are possible for those. As for Openrepos Apps, yeah, those are native apps and native apps have no permission system like Android or iOS provide. Usually the source code is provided for those applications so you can take a look at it when in doubt. Granted this is something to check only for experts. I experienced no issues with malicious software or spying on the user with applications from openrepos.

leszek (2017-11-25 17:57:23 +0200)