We have moved to a new Sailfish OS Forum. Please start new discussions there.
46

How secure is the app system currently?

asked 2014-02-15 09:39:12 +0200

tokaru gravatar image

I appreciate transparency and IMHO every user should know about potential security risks that might come with usage of a device. I have found some developer talk related to app security, but I doubt that the majority of users is really aware what a mischievous app developer could do to them or their device.

So, in easy words:

  • Can an app read and/or modify
    • personal databases (e.g. contacts)?
    • data or functionality of other apps?
    • data or functionality of the Sailfish operating system?
  • Can an app leave modifications behind which are not removed when uninstalling, especially unwanted executable code, cron jobs, etc.?
  • Can an app access the whole file system as nemo/root?
  • Is there an in-depth security QA in the official store, making sure that malware doesn't make it in there?

Thanks for enlightenment :)

edit retag flag offensive close delete

Comments

3 Answers

Sort by » oldest newest most voted
13

answered 2014-02-17 07:22:21 +0200

chris.adams gravatar image

updated 2014-09-10 11:00:51 +0200

2Ti gravatar image

I can't answer all of the questions, and certainly don't consider this an official explanation as I may be wrong about several things (security is not one area I know much about, unfortunately), but I'll try to provide some insight:

1) only "privileged" applications can read most of the important data (contacts/calendar/images/posts/notifications/etc which are synced from a variety of sources to the local device cache). There are some exceptions (notably, currently, emails are stored in non-privileged path - this should be fixed soon (tm)).

2) Currently, non-privileged (ie, third party) applications can read data stored by other non-privileged applications. There is a roundtable discussion thread on that very subject here on tjc - see link below. It covers things like possibly using per-application user/group ids, sandboxing, SELinux stuff, etc).

3) Non-privileged applications should NOT be able to cause issues with the functioning of SailfishOS through filesystem modifications (as most of the OS files are privileged access only), however there may be issues with, for example, dbus apis which should be protected better.

4) I don't know. I assume that all of the files which it installed via rpm spec will be removed; I hope that anything in its QStandardPaths will also be removed (but I haven't checked to ensure that is the case).

5) No, unix filesystem permissions are used to restrict access of 3rd party applications and nemo user from several parts of the fs.

6) QA is done at store intake time. I personally don't know how thorough / what sort of checks are done there.


Roundtable discussion on Application Security

edit flag offensive delete publish link more

Comments

Thanks for the detailed information... although it wasn't exactly the answer I was hoping for, but also not the one I feared ;-) If you ask me, "apps" should rather be called "programs" as long as they are not more isolated and need such a high level of trust in the developer - I don't think that this is what people expect when talking about "apps". Even though I hate to do this, I think I'll consider resorting to Android apps for future installs, hoping that things will be better in near future...

tokaru ( 2014-02-19 21:11:30 +0200 )edit
12

answered 2014-02-17 12:40:02 +0200

clau gravatar image

updated 2014-02-17 12:43:38 +0200

There are two big problems as far as I am concerned:

1) Any app running under user nemo can use pkcon to install new packages. I hope there are plans to fix this, because this is extremely bad for security.

2) Native apps are not isolated, hence any app can read my account information (which is stored in plain text) or, say, emails (which are stored in ~nemo)

edit flag offensive delete publish link more
2

answered 2014-03-11 22:56:50 +0200

ssahla gravatar image

updated 2014-03-12 21:50:26 +0200

(This is not an answer but rather a related question, but I'll post it here and not as a new question as it's a particular case of the more general original question.)

Can an app access the whole file system as nemo/root?

I installed StartAsRoot for CargoDock (the file manager app) from OpenRepos. Installation creates a new launcher icon for Cargo Dock, and when I launch Cargo Dock from that icon, I have root access and I can perform operations that require devel-su in Terminal – without entering my password.

I was wondering, how is that possible? Shouldn't it ask for my password, at least in the installation phase?

edit flag offensive delete publish link more

Comments

2

Schturmann mentions this workaround to get root for 'start as root' set of apps: http://talk.maemo.org/showpost.php?p=1409551&postcount=7 I'm guessing openrepos doesn't check if any executable files owned by root are being installed, doubt it would ever reach harbour though

szopin ( 2014-03-12 23:43:12 +0200 )edit
2

Of course it's possible. How do you think devel-su works? After starting devel-su, you are actually already root before entering the password, devel-su is just making sure you know the password before it accepts any more commands from you. There's no technical reason it has to, it's just to protect your system from intruders. And in the case of Schturman's apps, let's just say he's not all that concerned about security. (And no, there's no way his apps would be allowed into Harbour.)

ovekaaven ( 2014-03-13 21:02:59 +0200 )edit
1

@ovekaaven, thank you for your answer! I don't know how devel-su works, that's why I'm asking. :) Actually, I thought that apps can't do root-level operations without the user authorizing them with a root password. Can an app (not from Jolla store, but installed from somewhere else), for example, delete all my system files without asking for a password? (I thought that one reason why Linux is less vulnerable to malware is that apps don't have permission to mess with the system.)

I'm sorry if I'm asking stupid questions, but I'm new to Linux and want to get wiser. :)

ssahla ( 2014-03-13 21:21:36 +0200 )edit
3

If you installed a random rpm from somewhere on the net? Absolutely, it could. (Something like SELinux, or even the N9's Aegis, can offer some protection against that, but Jolla isn't using SELinux yet.) That's one reason everyone says you shouldn't install random rpms. Only install stuff from people or places you can trust. In this case, you can probably trust Harbour, but you cannot trust OpenRepos.

ovekaaven ( 2014-03-13 21:42:05 +0200 )edit
2

Just to clarify: on Linux, programs can only have these kinds of permissions if a root user has granted them. However, anytime you install a rpm, you are implicitly granting that rpm permissions to do anything it needs to do to your system (obviously, it needs permission to install files and such). And that rpm can use those permissions to do anything. That's why random rpms are dangerous, even on Linux. If, on the other hand, you ran something you got as an email attachment or something, it would not have these permissions. That's where Linux is safer.

ovekaaven ( 2014-03-13 22:11:43 +0200 )edit
Login/Signup to Answer

Question tools

Follow
5 followers

Stats

Asked: 2014-02-15 09:39:12 +0200

Seen: 2,405 times

Last updated: Sep 10 '14