On Tue, 6 Mar 2012 18:28:15 -0800 Adrienne Porter Felt wrote:
> For example, there is relatively little risk attached to
> letting an app turn your Bluetooth on or off.

How about a local app introduced via QR code phishing switching it on, and then a stack exploit by a local attacker or attacker's device getting root? What about Bluetooth malware and the bugs in the Bluetooth stack? Bluetooth is an operating system feature that unfortunately Nautilus from the GNOME desktop depends on being installed, when it shouldn't.

Google may want the browser to be the OS but >70% of the population never will; it's a foolish strategy for any device that does more than web browsing (which is a useful device), even with sandboxes and everything else they can dream up. Many security specialists have said the modern web browser is already too much of a bloated umbrella and they are right.

I've heard of an Android app just ensuring all radio is off in case the person is in an area banning all wireless comms; it may also form part of a company's security policy.

I'm glad there are the permissions in Android, especially if they were more fine-grained, mainly to determine a non-hacking app's intentions, but really the permission model in Android is more of a false sense of security than a security feature, which is worse than no security for those who don't realise it can be bypassed, similar to Apple's store where they tell people they audit apps.

If the web ever comes to us instead of us going to the web, it will need policing as seriously as email. Who knows, maybe plain text web will come along. (Joking, of course)

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security