
ubuntu-phone team mailing list archive

Re: Plugging the holes in /dev/binder and audio/video playback/recording


On 06/13/2014 02:55 PM, Jamie Strandboge wrote:
...
> "Untrusted by the OS: AppStore apps run in a restricted sandbox as defined in
> Application Confinement. Reviews of apps can be shallow, but as a result
> AppStore apps are considered untrusted. Untrusted applications:
> 
>     can freely access their own data
>     cannot access other applications’ data
>     cannot access user data
>     cannot access privileged portions of the OS
>     cannot access privileged APIs, such as Telephony
>     may access sensitive APIs with user permission, such as Location or Online
>     Accounts.
>     are not typically supported by Ubuntu or Canonical
> "
> 
> Wrt audio/video playback/recording, there are open issues that we must fix so
> that we properly honor our trust model:
> 
>  1. an app being able to spy/eavesdrop on the user behind the scenes
>  2. an app being able to data mine the device
> 
...
The previous email was rather long so I left the attacks that we are trying to
prevent out of it. For those interested:

pulseaudio: currently apps can record audio without the user knowing; since
pulse is the one recording, the recording is not subject to application
lifecycle. I have been told that pulseaudio can be handed a file name to play
such that an app doesn't have to open it first. This allows an app to see if
other apps are installed by trying to play media files shipped in other apps or
to data mine the user's music collection by trying to play files from well known
locations (eg, using filenames/paths from popular music download services).

camera service: when it lands, currently apps can record video without the user
knowing since the camera service is the one recording and is not subject to
application lifecycle.

media playback service: currently apps can use raw binder over /dev/binder to
hand a file name to play such that an app doesn't have to open it first. This
allows an app to see if other apps are installed by trying to play media files
shipped in other apps or to data mine the user's music collection by trying to
play files from well known locations (eg, using filenames/paths from popular
music download services).



-- 
Jamie Strandboge                 http://www.ubuntu.com/
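The file-name hole described in the mail, as an added example that is not part of the original message or of pulseaudio/the media service: a constructed Python stand-in for a service that opens a caller-supplied path (the service's answer differs for present and missing files, so it doubles as an existence probe), next to the hardened shape where the confined app must open the file itself and pass the descriptor over a Unix socket. All function names are hypothetical.

```python
import os
import socket
import tempfile

# Constructed stand-in for a playback service that opens a path on the app's
# behalf (the hole the mail describes): its distinct answers for "opened" vs
# "missing" reveal files the app's own sandbox would never let it open.
def play_by_path(path: str) -> str:
    try:
        with open(path, "rb") as f:
            f.read(1)
        return "playing"
    except (FileNotFoundError, PermissionError) as e:
        return type(e).__name__       # existence leaks back to the caller

# Hardened shape: the app opens the file under its own confinement and hands
# the service an already-open descriptor (SCM_RIGHTS); no path ever crosses.
def app_send_open_file(sock: socket.socket, path: str) -> bool:
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return False   # the sandbox's answer; the service never saw the path
    try:
        socket.send_fds(sock, [b"play"], [fd])
    finally:
        os.close(fd)
    return True

def service_play_fd(sock: socket.socket) -> bytes:
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"play" or len(fds) != 1:
        raise ValueError("bad request")
    try:
        return os.read(fds[0], 64)    # reads only what it was handed
    finally:
        os.close(fds[0])

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "track.ogg")
        missing = os.path.join(d, "missing.ogg")
        with open(present, "wb") as f:
            f.write(b"OggS-constructed-sample")   # constructed sample media
        app, svc = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with app, svc:
            sent = app_send_open_file(app, present)
            data = service_play_fd(svc)
            refused = app_send_open_file(app, missing)
        return {"present": play_by_path(present), "missing": play_by_path(missing),
                "fd_sent": sent, "fd_data": data, "fd_missing_sent": refused}
```

Requires Python 3.9+ on Linux for socket.send_fds/recv_fds; the point is that in the fd-passing version the service's behaviour no longer depends on a path the app could not open itself.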


