There is no protection on the SD card (except the small one to be able to write, but certainly nothing from the computer).
The SD is thus not a secure storage area, and the platform is careful about what goes there. This is one of the reasons why apps on SD card took so long: for that to be implemented securely, installing an app there needed to be done in such a way that nobody but the system could tamper with it. This is accomplished by making an "asec" file on the SD card in which an app is installed. An asec file is an encrypted filesystem, and only the system has the key for it. The filesystem enforces permissions, so apps in Android can't modify its contents, and nobody but the system itself can modify anything through the asec file because they don't have the key for it. Also the SD card is mounted "noexec" so nobody can put executable code there.

On Fri, Aug 27, 2010 at 7:40 AM, Eric Dorman <[email protected]> wrote:

> Hey Tauren,
>
> Actually you are making perfect sense I think.
>
> I guess I was looking at it from the standpoint of something totally
> different, but I'm glad I asked it. :)
>
> So if I am understanding you correctly then the sdcard protects the
> phone from saving any files to the sdcard since the permissions are
> limited to read only?
>
> Thanks for clearing this up Tauren I guess I didn't look close enough
> at what it was really saying.
>
> On Aug 27, 10:31 am, Tauren <[email protected]> wrote:
> > I think you are thinking about this wrong, what this I believe is
> > directed to is that you have no permissions necessarily on files on
> > an sdcard. So if I hook the phone up to the computer and I mount the
> > sdcard you no longer have access to the files because it's mounted to
> > the computer. More so the security of the phone is not enforced upon
> > the files so you may not have permissions assigned to say a document
> > on an sdcard such that it is read only. When you mount a filesystem
> > on say an sdcard you end up with the permissions of the user that
> > mounted the files, thusly yourself. This is normal behavior unless
> > there is something I'm not picking up here from the wording.
> >
> > On Aug 27, 10:25 am, Eric Dorman <[email protected]> wrote:
> > > Ok, um I'll try to cite it.
> > >
> > > Maybe I have this completely wrong.
> > >
> > > "External files can disappear if the user mounts the external storage
> > > on a computer or removes the media, and there's no security enforced
> > > upon files you save to the external storage. All applications can read
> > > and write files placed on the external storage and the user can remove
> > > them."
> > >
> > > -Android Dev Docs
> > >
> > > Say I hooked up my phone to the computer and I wanted to transfer some
> > > files like maybe a media file or something like that.
> > >
> > > Not the best example I know, but I hope it gives you an idea of what I
> > > am thinking.
> > >
> > > On Aug 27, 10:13 am, Tauren <[email protected]> wrote:
> > > > I'm still a little confused by your wording. What do you define
> > > > external storage as? Can you cite this area of the dev docs? More
> > > > could you give a better example?
> > > >
> > > > On Aug 27, 10:03 am, Eric Dorman <[email protected]> wrote:
> > > > > Hey Tauren,
> > > > >
> > > > > It would be an attack from the computer to the phone in some sort of
> > > > > file transfer.
> > > > >
> > > > > I guess what I am trying to say is what if a user connects the device
> > > > > into the computer and has files on the computer that he wants to
> > > > > transfer to the device via a USB Mass Storage?
> > > > >
> > > > > I believe from the dev docs that it said external files can disappear
> > > > > if the user puts the external storage on the computer.
> > > > >
> > > > > I hope I am not confusing anyone or asking a dumb question.
> > > > >
> > > > > I am just curious. :D
> > > > >
> > > > > On Aug 27, 9:40 am, Tauren <[email protected]> wrote:
> > > > > > Is this an attack on the phone itself via the sdcard? or an attack on
> > > > > > the computer? For an attack on the computer to occur the software
> > > > > > often needs to be run, which from the sdcard shouldn't happen. As
> > > > > > for attacking the phone I'll leave that up to the experts but I
> > > > > > suspect that the phone won't just run stuff. If it's a vulnerable
> > > > > > document of some sort like say a PDF then it comes down to the user
> > > > > > and knowing not to open things he shouldn't.
> > > > > >
> > > > > > On Aug 27, 9:21 am, Eric Dorman <[email protected]> wrote:
> > > > > > > Hey guys,
> > > > > > >
> > > > > > > I have recently been reading up on the External Storage Documentation
> > > > > > > and I have a question that I wanted to address before I made any
> > > > > > > assumptions. :D
> > > > > > >
> > > > > > > If you can write files to let's say the SD Card then if the user
> > > > > > > connects his/her device into a computer then couldn't the External
> > > > > > > Storage be vulnerable to some kind of security attack on the files in
> > > > > > > the External Storage System that have been saved?
> > > > > > >
> > > > > > > I am not sure if this would count as a vulnerability, but I thought I'd
> > > > > > > ask before I go and report it. :(
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.

--
Dianne Hackborn
Android framework engineer
[email protected]

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
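The "noexec" mount described in the reply above can be checked from a device's mount table. The following is an added example, not part of the original thread or of Android's own code: it parses text in /proc/mounts format and reports mounts under an external-storage prefix that lack a required option. The sample lines, the /mnt/ prefix and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in /proc/mounts format (device, mount point, fs type,
# options, dump, pass). Paths and devices are assumptions for illustration.
SAMPLE_MOUNTS = r"""
rootfs / rootfs ro,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
/dev/block/vold/179:1 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,uid=1000,gid=1015 0 0
/dev/block/vold/179:9 /mnt/usb\040disk vfat rw,nosuid,nodev,relatime 0 0
"""

# Only the option the thread mentions; callers may pass more (e.g. nosuid).
REQUIRED = ("noexec",)


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return one dict per well-formed mount line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mounts.append({
            "device": _unescape(fields[0]),
            "mount_point": _unescape(fields[1]),
            "fstype": fields[2],
            # Keep only the flag name of key=value options such as uid=1000.
            "options": {opt.split("=", 1)[0] for opt in fields[3].split(",")},
        })
    return mounts


def audit_external(mounts, prefixes=("/mnt/",), required=REQUIRED):
    """Map each mount under `prefixes` to the required options it lacks."""
    findings = {}
    for m in mounts:
        if m["mount_point"].startswith(prefixes):
            missing = [opt for opt in required if opt not in m["options"]]
            if missing:
                findings[m["mount_point"]] = missing
    return findings


if __name__ == "__main__":
    for point, missing in audit_external(parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{point}: missing {', '.join(missing)}")
```

On a real device the input would be the text of /proc/mounts rather than the constructed sample.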
