ubuntu-phone team mailing list archive

Re: Status update: Planned changes to the developer mode/adb access

 

On Tue, Jul 8, 2014 at 1:39 PM, Christian Dywan <christian.dywan@xxxxxxxxxxxxx> wrote:

> On 08.07.2014 13:57, Oliver Grawert wrote:
> > hi,
> > On Tuesday, 08.07.2014, at 07:11 -0400, Marc Deslauriers wrote:
> >
> >> I just want adb to refuse connections if they are attempted _while_ the screen
> >> is locked. If adb is already servicing a connection, it doesn't need to drop it
> >> when the screen then locks.
> > so how would you as a developer then debug a not starting UI session (in
> > which case you wouldn't even have the info if the screen is locked or
> > not due to not having the respective dbus service available... )
> >
> > this is a "debug and development shell", to enable it you made a
> > conscious decision to do so and it required you to set a password so
> > nobody can "just sudo" by knowing the default password ...
> > if you did that conscious decision it is also up to you to make sure to
> > disable it again or live with the insecurity you introduced ... i think
> > the major point is that by default adbd is disabled and can only be
> > enabled if you took active action. once it is enabled you actively added
> > insecurity anyway.
> >
> How about enabling adb based on HMAC similar to a Yubikey? So if you
> were to steal somebody's phone you'd have to unlock it and enable adb once.
>
How about having a list of granted USB devices which can access adb over USB,
and when the user wants to add a new computer to the granted list, the Ubuntu1
password would be required.
So the phone will remain secure even when developer mode is enabled and an
unknown computer is attached.

>
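
The two proposals in this message (an HMAC challenge-response, and a list of granted computers that needs the account password to extend) can be combined as in the sketch below. It is an added illustration, not part of the e-mail and not adbd or Ubuntu code; `AdbHostAllowlist`, `host_response`, the host IDs and the PBKDF2 parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class AdbHostAllowlist:
    """Hypothetical device-side list of computers allowed to use adb over USB."""

    def __init__(self, account_password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._kdf(account_password)  # keep a hash, not the password
        self._hosts = {}    # host_id -> per-host shared secret
        self._pending = {}  # host_id -> outstanding single-use nonce

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def enroll(self, host_id: str, password: str):
        """Grant a new computer; succeeds only with the account password."""
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            return None
        secret = secrets.token_bytes(32)
        self._hosts[host_id] = secret
        return secret  # handed to the computer once, at enrollment

    def challenge(self, host_id: str) -> bytes:
        """Issue a fresh nonce for one connection attempt."""
        nonce = secrets.token_bytes(32)
        self._pending[host_id] = nonce
        return nonce

    def verify(self, host_id: str, response: bytes) -> bool:
        """Accept only a granted host answering the nonce it was just given."""
        nonce = self._pending.pop(host_id, None)  # consumed: no replay
        secret = self._hosts.get(host_id)
        if nonce is None or secret is None:
            return False  # unknown computer is refused even in developer mode
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def host_response(secret: bytes, nonce: bytes) -> bytes:
    """Computer side: prove possession of the secret received at enrollment."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()
```
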
