We have moved to a new Sailfish OS Forum. Please start new discussions there.
404

Permission control for apps

asked 2013-12-28 00:20:02 +0200

paju gravatar image

updated 2015-03-24 00:08:42 +0200

pisco gravatar image

I'd surely like to control what applications do behind my back. Getting rid of spies was one of the biggest reason to get into Jolla.

For example Yandex on my Android device wants to record audio, which is unbelievable behavior: https://www.dropbox.com/s/hekol3jxv01o6v0/Yandex_permissions.png

Edit: For Android apps specific rights see: https://together.jolla.com/question/982/display-and-edit-android-apk-rights-when-installing-from-transfers/

edit retag flag offensive close delete

Comments

26

I hope permission control will be done Apple way (ask on first request) rather than Android way (ask before you ever started the app). Asking on first request gives at least a small chance people will actually read the request and possibly even understand the reasons for it.

Artem ( 2013-12-30 00:55:46 +0200 )edit
2

I rephrased the title to make this Sailfish apps sepcific, not Android specific.

Nux ( 2013-12-30 02:10:50 +0200 )edit
18

to be honest... permission control is nice, but shouldn't be too limited/closed. imho: we shouldn't make it a dealbreaker: like you cannot install this app if you don't allow it to make calls and/or send sms.

what i want is to have restrictions, and the app should handle failure of it instead.

AL13N ( 2013-12-30 02:14:42 +0200 )edit
3

there are some apps that have additional sms for special notifications and that is fine, but the app is useful without SMS too, so it should be able to not be given.

AL13N ( 2013-12-30 02:15:36 +0200 )edit

9 Answers

Sort by » oldest newest most voted
56

answered 2014-07-26 21:40:56 +0200

ruga gravatar image

I would do differently from both Android and Apple. I have the same problem, I do not want certain apps to get certain kind of data. Like a filter on the permissions of the app.

I do not know the details of Sailfish. However, an idea could be to install your application (e.g. Android), which surely works to the highest level in the OS. Whenever this application tries to get data from the camera, or contacts, etc... it gets just junky data or simply cannot access the device. I would not care too much if the application does not work properly any more, it is just up to the user to decide whether to use these filters or not.

example:

The app A has these permission: - Internet access - Camera - Contacts

Consider that for the purpose of the application, the camera does not make too much sense as a permission. Therefore, we block the camera permission. When the app works, it gets just fake data or fake images or whatever. Maybe the app will not work anymore, or maybe yes. However we are sure we protect the data of our camera!

Probably an Android app talks with a kind of middleware for Sailfish, therefore this control could be done in practice. Maybe I am wrong..!

Having this kind of features would literally BOOST the quality and the image of Jolla in my opinion!

privacy is important!

edit flag offensive delete publish link more

Comments

2

I agree, privacy is very important, since smartphones can store lots of user sensitive information. Supplying fake data is not a bad idea, however, I would rather install "clean" apps, even if I have to pay for some of them.

pmelas ( 2014-07-26 21:48:49 +0200 )edit

You are right, perhaps is not really ethical, however it was just a conceptual explanation. You can even completely block the access to that specific media or whatever. In this case you can also spot those applications that work "properly" and those that dont.. If they ask for a permission, and without that one, it works perfectly anyway.It could mean that the permission was not necessary!

ruga ( 2014-07-26 21:53:21 +0200 )edit
5

I like the idea of providing data that has actually negative value to data collectors. "Negative" in terms that fake data is dirt in their records, less clean also meaning less valuable for exploitation. Let 'em eat dirt :)

tokaru ( 2014-07-28 13:07:52 +0200 )edit
3

It is properly the best idea to provide fake data. I bought the Jolla because my expectations were high that they would care more about it. So far I'm a little disappointed and I don't know in which direction "Sailfish OS" will be pushed, but I think that privacy & security should be the most important selling point. In addition it would be nice to set the fake data by myself if I desire to do so.

zeitgeist ( 2015-02-07 19:45:13 +0200 )edit
4

I think that this is the best approach. When the app (sailfish or android) asks for permissions you get a list and can select allow for real or give fake rights.

For example. I do use facebook app (I know I'm bad but peer pressure) but I have no intention of ever letting it sync my phone contacts or do anything other than display facebook information (so only real permission it needs is access to internet). Would be great if I could give it nice fake permissions so the app is happy and so am I (since hoping that developers will solve the issue is a bit naive IMHO.

AxMi-24 ( 2015-02-12 13:54:00 +0200 )edit
15

answered 2015-02-08 16:24:47 +0200

lakutalo gravatar image

updated 2015-03-02 15:21:20 +0200

SElinux is considered as an option on the roadmap for SailfishOS. It is already implemented in Android from 4.3.

Furthermore it could open the door for Jolla as an alternative to Blackberry for use in larger professional environments.

Let us hope for implementation very soon, including an app to manage security settings/rules in a relatively easy way to use.

Just think of the security and privacy potential, e.g. a rule that allows destination address google.* only for the browser and email app to prevent other apps from ignorantly sending private data.

edit flag offensive delete publish link more
9

answered 2015-02-15 13:38:01 +0200

Herve5 gravatar image

updated 2015-02-28 11:53:31 +0200

I discover this thread now I just bought the tablet on indiegogo, and am quite shocked.

At this moment I'm using an android-based Fairphone (commes rooted by default), and while I expected Sailfish to provide better privacy controls it seems the contrary?

FWIW on a rooted android phone various open-source apps let you control outgoing requests, indeed on a per-app basis, which IMHO is relatively easy thanks to the android way to handle apps ('one app = one unix user', thus with dedicated rights)

I'd be interested to learn how apps rights are handled on Sailfish -maybe these controls are already existing and I just don't know.

But if I am rendered back to using android apps controlled via an android-root-way of filtering, this terribly defeats all the purpose I invest in Jolla and Sailfish :-(

edit flag offensive delete publish link more

Comments

1

I noticed that too, having the phone. I really like it so the tradeoff is currently having less apps because of some security fears of me.

I did not buy the tablet yet but I hope to support Jolla on their road. I think we should pay a little more attention till the sailors got it going. It is a small team so I provide them more time to get the level of the big players.

Time will come and SailfishOS will be very solid. The community seems very concerned about this, like we do, so I am pretty sure they will handle it.

maxik ( 2015-02-28 01:09:13 +0200 )edit

Thanks a lot Maxik for your reaction. I don't mind having fewer apps; as soon as I get a serious emailer, an ad-filtering browser, something like Libreoffice and, if possible, an RSS manager with a searchable database. My concern is rather, for current and future native apps, can we, at user level, control the way one of them accesses internet? My dream would be finding the Sailfish equivalent of Little Snitch on MacOS, Peer block on windows or Peer Guardian Linux

Herve5 ( 2015-02-28 12:03:01 +0200 )edit

I am kind of shocked to read this. CyanogenMod lets me decide via "app ops" on every single right for each app separately. Feels like SailfishOS is a poor alternative. Do the sailors primarily thik about eyecandy?

pisco ( 2015-03-24 00:19:21 +0200 )edit

Please note I don't say filtering does not happen : not having the tablet yet nor a phone, I indeed just don't know what is implemented, that's all.

What worries me is merely the fact I didn't see this point addressed anywhere here, and the fact I didn't get a simple answer since the OP question.

But maybe there are inded simple ways already. For instance, basic outbound filtering with a list is something that can be very easily implemented straight in Linux, and this although differently would do a reasonable part of the job.

Herve5 ( 2015-03-24 16:36:15 +0200 )edit

Something like app-ops, maybe based on SELinux, is a bare mininum necessity!

Andy Roid ( 2015-10-24 08:42:43 +0200 )edit
4

answered 2015-02-07 10:29:06 +0200

hyper_sonic gravatar image

updated 2015-02-07 10:30:21 +0200

What about cgroups? Systemd used it. Allow only official specified by developer system calls?

edit flag offensive delete publish link more
3

answered 2015-10-29 21:26:12 +0200

Schwimmer gravatar image

I like "SRT AppGuard" altough it can only take away permissions from the Android apps. You don't need to root your jolla as in other solutions, nevertheless you get detailed control over the permissions per Android app. First you need to reinstall the apps. After taking away most of the permissions from them they usually still work fine. As SRT is a German company I trust them due to the strict data protection laws in Germany.

edit flag offensive delete publish link more

Comments

1

Schwimmer you are a genius this app works like magic and its well worth $5! I used to use permission remover which was free but extremely buggy with most apps not working anymore once you removed permissions.

SRT AppGuard completely solves the permission problem on the Android side! Its basically like Apple in terms of functionality. People that worry aboit sailfish native app permissions i dont think need to be too concerned yet since there isnt really a lot of money in it for advertisers.

DarkTuring ( 2016-10-22 06:04:08 +0200 )edit

AU$6 is money well spent here. The app has been discontinued wrt to development but can still be downloaded and buy a license. Each app has to be uninstalled when monitored so you may lose cache data. Is a breeze limiting permissions but some are locked.

rmitchell ( 2018-04-14 01:16:08 +0200 )edit
3

answered 2017-01-11 03:28:21 +0200

DarkTuring gravatar image

Privacy of outgoing and incoming processes and transmissions through IP and port requests could be handled via firewall.

If there was a linux firewall optimized for mobile experience (touch screen) that could track all processes trying to connect to the internet or external servers ypu could simply deny some app to access the internet period, or allow only when using the app.

edit flag offensive delete publish link more

Comments

you mean like windows-style firewall?

tortoisedoc ( 2017-01-11 09:45:44 +0200 )edit

little snitch like!

DarkTuring ( 2017-01-30 03:36:03 +0200 )edit

Hello everyone,

Have recently bought an Aqua Fish, too. When I was looking for ways to make my smartphone safer, I stumbled upon the posts here. I would like to give a small update on what can be done to make your Aqua Fish safer without being an IT expert or knowing too much about coding. The setup I chose in terms of apps so far is:

  • Ixquick for internet searches via smartphone. Reason: No logging of your searches and servers in the Netherlands instead of the US.
  • G-Data Internet Security for Android: Essentially a virus scanner for smartphones for those who like to have one. However, there is no firewall included in the smartphone version. This company is situated in Germany and offers virus scanner in combination with a firewall (and optionally some other stuff) currently only for PCs and Laptops. So it is very similar to Norton, Symantec or Kaspersky.
  • The below mentioned SRT AppGuard to restrict app permissions. There is nothing to worry about in the terms and conditions for this app, although the terms and conditions are only available in German. Their latest version seems to be for Android Nougat version 7.1. There is a free 30 day test version available that can restrict up to 4 apps (for it to restrict more than 4 apps the paid version is necessary). So far, I did not have any problems with it. However, you can only restrict some permissions. In case of Whatsapp thats for example camera access, your location, audio access, WLAN connectivity, calls, contacts in socail media, modifications of system and access to media like photos, mp3 etc. You can not restrict Whatapps bluetooth connectivity, Whatsapp account information, and personal data.

Especially the last point still makes me somewhat unhappy. Does anyone know about other apps that could work as firewall, virus scanner, or permission restriction for other apps?

Kind regards,

Malcolm124 ( 2017-09-27 22:09:36 +0200 )edit

Some update from my side: Whatsapp doesnt like SRT App Guard, stating that Whatsapp has been changed and needs to be reinstalled. Not too surprising. That means Goodbye for Whatsapp. Threema is a better alternative and does not spy on you. If Whatsapp really is needed, you can always buy a cheap second smartphone with native Android support, install Whatsapp there and use the phone only over WLAN at home. That way, Whatsapp at least can only spy on your Whatsapp conversations, because all other contacts, photos, videos, mp3s etc. are stored on your other -Whatsapp free - smartphone. The SRT App guard also has a certain limitation in that it completely supports Android 2.2 up to 4.4. Yet, it can still be installed on newer Android versions, but might work in a limited way with certain Apps. Still better than no protection at all...

Malcolm124 ( 2017-09-30 22:31:30 +0200 )edit
3

answered 2018-11-20 00:28:54 +0200

cpb gravatar image

a temporary workaround is to launch via restricted user group.

this worked for the browser via fingerterm:

devel-su
groupadd nonet
usermod -a -G nonet nemo
iptables -A OUTPUT -m owner --gid-owner nonet -j REJECT
exit
sg nonet sailfish-browser

then browser launches, no internet. aww

edit flag offensive delete publish link more

Comments

That's perfect. We just need a way to patch the launcher to execute it always as group nonet.

bomo ( 2018-11-20 09:54:47 +0200 )edit

Excellent! Power of Linux!

addydon ( 2018-11-20 15:33:49 +0200 )edit
2

answered 2015-02-07 09:40:47 +0200

DaveScum gravatar image

No one tried installing xPrivacy/xPosed Framework?

I always had it on my Android devices and it worked perfect. But I am a little scared what happens if I try to install it on Sailfish. Actually it should only affect the Alien Dalvik VM, but I don't want to my system to get destroyed or my device to get bricked. Probably need to install Aliendalvik Superuser to get it work and activate developer mode? I don't know :-(

I can't claim someone to try it when i am not willing to do it, but if someone ever tried, please share information.

The best solution definitely would be a native sailfish solution (for native and android apps). Perhaps this will be integrated in a future version.

For me this is the most important feature to integrate.

edit flag offensive delete publish link more

Comments

Tried it, but couldn't get it to work. Even installing xposed manually didn't help. It always said service not running even though both files app_process and XposedBridge.jar were detected properly by xposed installer.

J4ZZ ( 2015-02-12 22:29:06 +0200 )edit
1

Ok, thanks for sharing information. As someone else mentioned, SELinux is considered as a solution by the developers. A roadmap was posted on the January 2015 developer mailing list, saying "research SELinux as a solution for system security and application access control".

DaveScum ( 2015-02-16 09:44:03 +0200 )edit
0

answered 2014-07-27 19:51:13 +0200

MikaN gravatar image

I think F-Secure has the app you need, check App Permissions, http://www.f-secure.com/en/web/home_global/app-permissions , it's a free app downloadable via Google Play.

edit flag offensive delete publish link more

Comments

2

...via Google play...

ZogG ( 2014-07-28 00:29:43 +0200 )edit
2

... android app..

hnbv ( 2014-07-28 07:06:40 +0200 )edit

Yes, https://play.google.com/store/apps/details?id=com.fsecure.app.permissions.privacy . You need APK Downloader to download and then install app. Did it my self, and used the app and checked that Yandex requests 34 permissions. Next on the list is Twitter with 28 requests and Apptoide with 16. Most apps requests 15-5 permissions, so makes me wonder why does Yandex need 34... So Yandex is now removed from my precious. Is there a way to check is it really removed from my device (or any other app that I don't want or need anymore)?

MikaN ( 2014-07-28 10:29:41 +0200 )edit
2

Again, why would you choose not android in first place if it's so secure? No point of not native resolution

ZogG ( 2014-07-30 22:05:28 +0200 )edit
Login/Signup to Answer

Question tools

Follow
49 followers

Stats

Asked: 2013-12-28 00:20:02 +0200

Seen: 6,722 times

Last updated: Nov 20 '18