maemo.org - Talk

QuadRooter: New Android Vulnerabilities (https://talk.maemo.org/showthread.php?t=97176)

coderus 2016-08-09 07:35

Re: QuadRooter: New Android Vulnerabilities
 
100USD for Jolla exploit. Anyone?

Dave999 2016-08-09 07:40

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by coderus (Post 1512073)
100USD for Jolla exploit. Anyone?

No, thanks, I pass. But it would be nice if they updated drivers.

chenliangchen 2016-08-09 07:41

Re: QuadRooter: New Android Vulnerabilities
 
I wish this came out earlier so I could root my already sold BB priv and have some real use of the device.

Why are folks in general so afraid of root? It's not root causing the breach, it's the app that takes advantage of the root, do I understand correctly? So even if you are "affected", just don't install anything that you don't trust, that's all.

pichlo 2016-08-09 07:58

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512071)
On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.

But that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.

I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need root access to be compromised.

Quote:

Originally Posted by juiceme (Post 1512071)
TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.

Again, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)

juiceme 2016-08-09 09:24

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by pichlo (Post 1512077)
Quote:

Originally Posted by juiceme (Post 1512071)
On a more-or-less standard Android device this attack might be rolled into a generic package that can take control of the device and either used to leak data or use it as a part of a botnet.

But that's exactly my point! You do not need to exploit any vulnerability or become root to do any of the things you mention.

I know that especially Linux users like to think in terms of root vs non-root and yes, root can cause damage to the system, but the days when the system was the part worth protecting are gone by at least two decades. Wake up to the 21st century, people. The system is replaceable. The bits that need protecting are your user data. Those do not need root access to be compromised.

Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Case in point, something like a year ago a friend asked me to back up messages from her device. The phone was an unrooted older Samsung Galaxy model, and I had a really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)
Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.


Quote:

Originally Posted by pichlo (Post 1512077)
Quote:

Originally Posted by juiceme (Post 1512071)
TLDR; probably you are safe in any case. If you do not install Alien Dalvik at all, you certainly are safe.

Again, my argument is that you are not safe. You might be safe from an overhyped threat of the week but you are totally unprotected against any potential malicious activity any native Sailfish application may want to do. (Case in hand: the flashlight app, the first Sailfish malware that sprung up just weeks after Sailfish was first released.)

On SFOS the thing is a bit different, all user private data is under the home directory and almost all of it is accessible with nemo user permissions. With a malicious application it is quite easy to mess up or exploit anything.
However you cannot (at least not easily) incorporate rootkit-like functionality into an application submitted to the Jolla Harbour as the needed library interfaces are not permitted in applications;
A rogue application might steal your data, but it cannot modify system so that it hides a backdoor and refuses to uninstall, for example.

All bets are off, of course when you install apps from other sources. That's why I have a simple rule for myself; only install what you yourself have built and check the projects for funny business before you do so.

pichlo 2016-08-09 10:13

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512084)
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Really? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?

It may not be easy for you, the user, to access your own data. But it is easy for anyone else. Go figure.

peterleinchen 2016-08-09 10:27

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512084)
...
Case in point, something like a year ago a friend asked me to back up messages from her device. The phone was an unrooted older Samsung Galaxy model, and I had a really hard time breaking into the darn thing to gain access to the messages without wiping the device in the process. (when bootloader is unlocked it would wipe it, and have you ever tried rooting a device when bootloader is locked, hmm...)

About this I would like to know more!

Quote:

Anyway, only signed and trusted applications can access the personal information storage which is root accessible only.
...
WUT? See pichlo's comment above/below.

juiceme 2016-08-09 11:33

Re: QuadRooter: New Android Vulnerabilities
 
Well, when you install an application it will tell you what privileges are required for it to run, right? I am not sure how the QC is set up at Google Play so is it possible to devise an application so that it utilizes a capability it does not advertise at install time.
If the device is fully locked down you can only install applications from the store that is installed to the device.

juiceme 2016-08-09 11:40

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by pichlo (Post 1512090)
Quote:

Originally Posted by juiceme (Post 1512084)
Actually, on an unrooted & uncompromised Android device you cannot do that much damage or leak personal information;

Really? Then why does virtually every single game my kids install on their tablets have "access to your contacts" on their permissions list?

Exactly as you say: have "access to your contacts" on their permissions list

The applications CAN get your data if it says so in their permission list.
It has been stated so many times it is a bad practice to have any random fartapp and flashlight to request full range of permissions but the only thing a user can do is to not install the application.

I'd imagine it is probably not worth it for Google to enforce application developers to only request minimum permissions needed for the application to operate.

pichlo 2016-08-09 13:11

Re: QuadRooter: New Android Vulnerabilities
 
Quote:

Originally Posted by juiceme (Post 1512104)
I'd imagine it is probably not worth it for Google to enforce application developers to only request minimum permissions needed for the application to operate.

Not if Google itself churns out applications requesting the full shebang of permissions without any obvious reason. I mean, I can understand that e.g. Maps might want to read your location. But why on earth would it need access to your call history or camera? :confused:

Regarding the case being discussed, sorry if I did not express myself clearly enough. I am not saying that every user application can compromise your identity (well, it can on Sailfish, but not on Android). I am saying that users want to run this fartapp, play this game or whatever and so they grant it whatever permissions it asks. Then, once installed, the application can do whatever it pleases with your sensitive data.

How is QuadRooter different? It also needs you to install something. As you correctly point out, it could potentially grant itself permissions not advertised at the time of installation, BUT the point is, you still need to install it first. So the would-be attacker needs to make it look attractive enough to lure the users into installing it. This is where the hard work is: making the app attractive. Not exploiting the vulnerability. If the app looks attractive enough, users will give it whatever permission it wants. They mostly treat the warning box as a nuisance that stands in the way anyway and just click it through. To that class of users (i.e. about 99% of them), QuadRooter poses no additional risk than what they expose themselves willingly every day already.

