Paul, I know what you are trying to explain, but I can't figure out who would leave his phone unattended. I mean, if you leave your phone alone you can bet that you won't find it anymore, at least in Spain. After that, with or without remote debugger enabled, I'm sure I will steal your passwords.
Although the access granted by the debugger could sometimes be greater, I would like to suggest putting a reasonable limit on those cases.

2013/9/15 Paul Theriault <[email protected]>

> That's certainly a consideration although sometimes the access granted by
> the debugger is greater. Someone using your phone could read your emails,
> whereas someone with debug access can read your email password - which, if
> it's your gmail password for example, gives access to other services. There
> are only a few cases like this currently that I can think of - email,
> wifi, passcode (set but not enabled) - and could be worse depending on who
> you use for your email/wifi etc.
>
> Also consider the 'evil maid' attack (short-term unauthorized access). You
> leave your device unattended for a short amount of time, someone plugs your
> phone in to a laptop and uses debugger to dump all your emails and sms
> messages to peruse later at their leisure. They steal your passwords and
> social network cookies. This could be done in less than a few minutes and
> since you didn't lose your device, you would be none the wiser.
>
>
> On Sep 15, 2013, at 8:52 AM, Jim Blandy wrote:
>
> > On 09/10/2013 10:58 AM, Paul Theriault wrote:
> >> My proposal makes it more difficult for someone with physical access
> >> to a phone without a passcode to steal sensitive app data. If we limit
> >> which apps you can debug as I described above, in order to get access to
> >> app data, you still need root access to the phone. If we allow access to
> >> debug all apps, this bar is lowered, so that you can access the app data by
> >> enabling debugging.
> >
> > If the phone is stolen and no passcode is set, then I can access app
> > data by starting the apps, too. I have access to any web accounts those
> > apps might be tied to, and so on. Aren't the dev tools just a rather
> > painful method of doing what our UI people are trying to make as easy and
> > as pleasant as possible via other means?
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
