ubuntu-phone team mailing list archive

Re: How do I know an app is safe to install?

 

Hi,

On Monday 14 October 2013 18:09:14 David Planella wrote:
> In addition to all that Dave is saying, if you want to know more about this
> app, including links to the source code:
> 
> http://notyetthere.org/?p=351

Actually I share Jeremy's concerns. And I think none of Daniel's, David's or
Dave's comments really address this issue:

* Dave: yes, the app passed the security checks. But given that the security 
checks only deal with the binary blob it is debatable how useful those checks 
are. IMHO they aren't useful at all in regard to security. I could sneak in 
code that starts sending all your logins to myself and no one would notice it, 
I bet.

* David: There is no relation between the source code and the uploaded binary
package. In this case all I can do is to give you my word that I won't do any 
bad things. But in theory I could publish some source code and build the 
binary out of some different code. You wouldn't notice for sure. Btw. because 
of the missing trusted relationship between the uploaded binary and source 
packages I didn't bother to upload the source package to the store.

* Daniel: Yes, it is confined in AppArmor but note that it has the networking 
capability (mainly because it's enabled by default and I forgot to remove it - 
will be gone in the next update). So even though this app might not be able to 
steal your address book, I could still send out your Ubuntu SSO credentials 
over the network once you set it up.


Jeremy, one thing you can do is to install the app called "Permy". It shows
you who made the app and which AppArmor permissions it has. Unfortunately 
that's all we can do so far. There is no way to be sure what's in the app's 
binary right now.

That said, unfortunately this is how all the other mobile app stores work too, 
and basically how 95% of all software on Windows and Mac is distributed. I 
don't want to use that as an excuse but the thing is, this is what the market
demands right now. App Developers don't want to publish their code and the 
vast majority of users doesn't seem to care about anything security at all 
anyways. It's a sad situation for people like us who actually DO care about 
security.

However, I haven't given up hope that at some point someone will set up some 
App Repository for Ubuntu Touch which requires developers to upload a source 
package, the binary will be built on the trusted server and the exact same 
source archive published along with the binary. But when this happens, I'm 
sure it will only hold the geeky FOSS apps. For me personally that would be 
enough as I tend to write all the apps I use myself anyways :P Would be 
awesome to have a way to publish them in a trusted way to my "customers".

Br,
Michael

> 
> Cheers,
> David.
> 
> On Mon, Oct 14, 2013 at 5:49 PM, Jeremy Tayco <keitaro332@xxxxxxxxxxx> wrote:
> > >The app has passed all the security and packaging tests before it is
> > >
> > >allowed to enter the Click apps store.
> > >
> > >This means that any application that is in the apps listing is "safe".
> > >
> > >Also because applications are completely isolated and locked down they
> > >are by nature safer than the old deb files.  This is most of the reason
> > >for creating the click packaging system.
> > >
> > >The reason for the lack of information regarding the dev is this is only
> > >release 1 for everything.  This means there is plenty of work to do and
> > >issues to resolve. For this release the idea was to get all the ground
> > >works in place and then future releases will improve on what is already
> > >there.
> > 
> > I was unaware that automated security tests had already been implemented
> > for Click submissions. Thanks for taking the time to help me out with
> > this!
> > 
> > 
> > --
> > Mailing list: https://launchpad.net/~ubuntu-phone
> > Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
> > Unsubscribe : https://launchpad.net/~ubuntu-phone
> > More help   : https://help.launchpad.net/ListHelp


