On Fri, Oct 1, 2010 at 3:15 PM, Chris Palmer <[email protected]> wrote:
> On Fri, Oct 1, 2010 at 11:52 AM, Disconnect <[email protected]> wrote:
>
> >> Also, the problem is not specific to Android --- Android just surfaces
> >> these pre-existing concerns and deals with them better. Not perfectly,
> >> but better. Other platforms give all apps all the goods all the time,
> >> no permission screen required.
> >
> > OSX keychain is a great counter-example,
>
> Unfortunately, it's not. If you download Goat.app, a hypothetical
> malicious IM app or game, it can debug Keychain, take screenshots of
> it, spoof its dialogs, keylog it, and so on. Keychain runs as the same
> UID as Goat. Unix and OS X provide no security boundary between
> processes running as the same UID. If somebody pops Firefox, your SSH
> keys, email, documents, etc. are all at risk.

Arguably that is a security flaw, not a design/interface flaw. Technically Android is just as vulnerable because I can gain root (frequently trivially) and bypass any permissions I like.

> (There are mechanisms on OS X like Seatbelt, but, well... what's your
> Seatbelt policy file look like? In any case I just attached gdb to
> Keychain Access.app, so...)
