On Mon, 26 Sep 2011 10:45:07 -0700 Subbu Srinivasan wrote:

> Forget Android security.
>
> Today in server - foolishly people assume firewalls, DB cannot be hacked
> etc. But this is a fallacy.

There are ancient OpenBSD firewalls (non-IPv6) still running without any known remote exploits. I guess you meant the services behind them. Cisco, forget it, though Cisco's can be very fast. It is far easier to prevent remote exploits than local ones. OTOH you're multiplying attack surface but maybe, if you're clever, reducing the window by adding a server, or if you're dumb like Blackberry, conducting privilege and risk amalgamation at the server.

> In Android, you can put it in SQLite, but that data is persisted somewhere
> in disk unencrypted. AFAIK Android does not encrypt anything on flash (unlike
> iOS). So anyone who
> roots the device gets full access.

Well, if someone has root or physical access then the iOS encryption is almost certainly a false sense of security, in many ways. Of course it might stop the local thief in his tracks, but I doubt he'd even look at anything more than media files.

The idea of priv separation per app is debatably more appropriate and useful, especially as the bugs are found and the architecture fixed, becoming more solid. Fair play to Google and Open Source, privilege separation is often overlooked. The ssh keys on my mobile have very limited server access (chrooted sftp access to certain files). Thinking about it, I could add some sanitisation there. It's never-ending and so easy to forget something in security, you just hope you're ahead of the game.

At the end of the day, what data are you willing to put in a device that is 'expected', against security best practice, to be always connected and maybe has apps installed willy-nilly? That certainly doesn't mean I agree with Google's boss that only criminals want to hide e.g. their browsing habits. How about an innovator who wants to keep a low profile and doesn't want a big company to notice them, hack in and come out with some highly marketed inferior product, likely reducing future innovation in that market? 80% of companies report IPR theft online.
