We have moved to a new Sailfish OS Forum. Please start new discussions there.

What kind of security model does Jolla have?

asked 2013-12-29 10:14:14 +0300

Marc1 gravatar image

I'm wondering what kind of security model Jolla has and how it compares to Android's?

More specifically how can I know that some random app doesn't upload my contact book without my knowledge?

edit retag flag offensive close delete

3 Answers

Sort by » oldest newest most voted

answered 2014-02-09 02:37:02 +0300

ortylp gravatar image

The security model is NO SECURITY at all, simply the same as on Linux desktop.

edit flag offensive delete publish link more



unfortunately this is true! and should be the correct answer. QA will not screen apps for security breaches(like scanning device for bitcoins, stealing emails/sms or connecting and transfering data online) QA will just say: "We publish this app, as it does not crash the phone"

PeterParker ( 2014-03-25 15:23:18 +0300 )edit

answered 2013-12-29 13:59:34 +0300

MartinK gravatar image

updated 2013-12-29 14:01:32 +0300

Basically the Harbour application store QA makes sure it it behaves well. And of course if the given application is open source, you (or someone else) can check its source code.

This is imho much better than the failed attepts with the Aegis security system on the N9 that did not bring any real security benefits but managed to alienate many experienced application developers. The Android system is not much better with its "accept all ridiculous permissions or the app would not install" model. So basically, this is hard to do and if done badly can cripple application usability and alienate developers. It is also a form of post-factum security - the potentially malicious is already on your device where it can try to attempt to exploit security vulenerabilities, etc.

Therefore the current system - QA and checking the source code of open source applications is IMHO better as it should stop malicious stuff before it can be even distributed.

This is also basically how major Linux distributions, such as Fedora, work - all packages need to pass a package review and get enough "karma" from testers to be included in the main repositories. This is made easier by all packages being open source & compiled by the distribution, so you can always check the source to see what the program actually does and you can also be sure that the binaries were really built from the given source code.

edit flag offensive delete publish link more



Some of the data is also protected with privileged Unix group that only jolla system applications can access. So normal nemo user apps cannot read the data.

rainisto ( 2014-01-02 19:04:37 +0300 )edit

Thanks for the answers.

A further question: can an app access the data of an other app? For example if I have a bitcoin wallet app on my phone is it possible for some rogue app (that made it past the QA) to scan for and access the private keys of the wallet?

Marc1 ( 2014-01-06 11:55:39 +0300 )edit

Basically the Harbour application store QA makes sure it it behaves well.

How? This is important information and I would like to see some official statements.

clau ( 2014-01-07 21:39:13 +0300 )edit

@rainisto, there seems to be no isolation between installed apps. For instance, emails are stored in ~nemo/.qmf, which has owner nemo:privileged and mode 700. I've installed a third party app from the store, and it runs under user nemo. Hence, my emails are accessible to the third party app. Not a comforting thought :|.

clau ( 2014-01-07 21:46:35 +0300 )edit

Yes currently emails are accessible for nemo user. Might not be conforting though, but there currently has never been any reported malware applications for Sailfish OS (And there was no malware for N900). Currently devicenumbers are not lucrative for malware writers.

rainisto ( 2014-01-07 21:54:56 +0300 )edit

answered 2013-12-29 11:35:49 +0300

I think you should consult privacy policy at Jolla.com for checking if it fills up your wishes...

edit flag offensive delete publish link more



Perhaps I phrased my question badly, but I'm not that much concerned that Jolla Ltd. would do something fishy. What I was asking about is how can I know that some seemingly benign app that I choose to install does what it says and not a bunch of other stuff in the background?

Marc1 ( 2013-12-29 11:45:59 +0300 )edit

You can also ask for the source code if you have the skillls to verify. I don't know other ways at this moment.

juju_des_highlands ( 2013-12-29 12:04:11 +0300 )edit
Login/Signup to Answer

Question tools



Asked: 2013-12-29 10:14:14 +0300

Seen: 990 times

Last updated: Feb 09 '14