← Back to team overview

ubuntu-phone team mailing list archive

Re: 3 Bugs


On 09/25/2014 11:18 AM, Marco Trevisan wrote:
> Il 25/09/2014 17:49, Olga Kemmet ha scritto:
>> When we restricted access to the launcher and indicators while
>> passcode/passphrase is set, we received a lot of complains because
>> people thought it is broken. 

Were these people new to the phone or upgraders? If upgraders, it would look
broken because it was a change over what was there.

>> Bottom line, it depends on the type of user what they want to do in the
>> end. Security concerned people will have the option to switch access
>> off, others might not be bothered at all. But if you are just booting up
>> the phone and e.g. set up a simple passcode it is still nice to show
>> what is available.
> I agree with this, but while showing the launcher is generally not
> harmful, the panel might be problematic in case of personal
> notifications (email, tweets, messages) or events (like private
> meetings); while I find that having the ability to quickly change some
> settings might be useful.
> So I think that in case of the panel, the content should have two
> different policies: notification/events (invisible) and options (visible).

What we have now by not restricting access to certain parts of the indicators is
a privacy concern and a security bug. For example, if the phone is locked and
someone picks it up, all texts can be seen, and presumably all facebook chat
messages. The messaging indicator is quite helpful in that it allows one to
respond to these messages without opening the messaging app, so someone can
impersonate me. We can't allow this. Better would be to only notify that texts,
chats, etc have been received with a button to open the app (which ends up
prompting for screen unlock). Eg "5 messages have been received, tap to view".
Making this behavior configurable via System Settings is reasonable.

Being able to change access points via indicator-network is also a security
concern. An attacker could pick up the locked device, change the wifi network to
point to a hostile network, then puts the phone down. Allowing changing to a
network that the user has seen could maybe be done, but that is likely
confusing. Ideally the interface for indicator-network would stay the same, but
certain actions like changing wifi networks would prompt for a password if the
screen was locked. Others like toggling Flight mode might not need a password.

Calendar is tricky. There is a definite privacy leak here but at the same time
it is very handy to be able to see your calendar events on the go. Making this
behavior configurable via System Settings is reasonable.

Looking at the other indicators, most have a 'Settings' option that prompts for
a password (good). Couple of things:
- I'm not particularly concerned about 'Transfers' even though there is an
  information leak there (though why is something so transient so prominently
  featured in the panel?)
- Location detection and GPS on and off: not ideal but could live with them
  without a password
- Bluetooth-- fine as is (no big deal cause you can only turn it off)
- Battery - fine as is
- Sound - fine as is

Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups