ubuntu-phone team mailing list archive

Re: do we have a firewall in the phone?

 

On 04/03/2015 02:47 PM, Michał Sawicz wrote:
> On 03.04.2015 at 21:44, Matthias Apitz wrote:
>> On Friday, April 03, 2015 at 09:32:33PM +0200, Michał Sawicz wrote:
>>
>>> On 03.04.2015 at 21:13, Matthias Apitz wrote:
>>>> I.e. the phone is completely open on all ports!!! Can I activate and
>>>> configure some inbound firewall in the phone?
>>>
>>> Well, you *opened* that port to listen on, how is that not expected?
>>
>> Of course I did, to run this test.
>>
>>> Isn't not listening on any outside port better than putting a firewall
>>> on the device? If you find a service that is actually listening on the
>>> device, that'd definitely be a bug that needs fixing.
>>
>> The device is at least (after enabling SSH) listening on port 22.
> 
> Yes, after enabling it, which is a developer thing to do.
> 
>>> Can you describe an attack vector you're imagining that would require a
>>> firewall to be installed on the device?
>>
>> The above mentioned port 22 and any other any app may LISTEN on.
> 
> Apps are confined, they can not open ports to listen on.
> 
Apps are confined, but currently they *can* open ports to listen on, but closing
that down isn't a huge barrier since it is easy enough for a malicious app to
program a reverse shell. However, because the app is confined, the reverse shell
can't be used to control the device or steal user data.

That said, this is one of those areas where we use a combination of application
confinement and store policies to protect systems and the user -- if a malicious
app in the store is reported to provide a remote shell to do something bad, we'll
remove it from the store.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
