On Fri, Oct 1, 2010 at 11:52 AM, Disconnect <[email protected]> wrote:
>> Also, the problem is not specific to Android --- Android just surfaces
>> these pre-existing concerns and deals with them better. Not perfectly,
>> but better. Other platforms give all apps all the goods all the time,
>> no permission screen required.
>
> OSX keychain is a great counter-example,

Unfortunately, it's not. If you download Goat.app, a hypothetical malicious IM app or game, it can debug Keychain, take screenshots of it, spoof its dialogs, keylog it, and so on. Keychain runs as the same UID as Goat.

Unix and OS X provide no security boundary between processes running as the same UID. If somebody pops Firefox, your SSH keys, email, documents, et c. are all at risk.

(There are mechanisms on OS X like Seatbelt, but, well... what's your Seatbelt policy file look like? In any case I just attached gdb to Keychain Access.app, so...)
