On Tue, 6 Mar 2012 18:28:15 -0800
Adrienne Porter Felt wrote:

> For example, there is relatively little risk attached to
> letting an app turn your Bluetooth on or off.

Are you nuts, how about a local app via QR code phishing switching it on and then a stack exploit by a local attacker or attacker's device getting root? Never heard of drive-by Bluetooth malware and the bugs in the Bluetooth stack?

Bluetooth is an operating system feature that unfortunately Nautilus from the GNOME desktop depends on being installed, when it shouldn't. Google may want the browser to be the OS but >70% of the population never will; it's a foolish strategy for any device that does more than web browsing (which is a useful device), even with sandboxes and everything else they can dream up.

I've heard of an Android app just ensuring all radio is off in case the person is in an area banning all wireless comms; it may also form part of a company's security policy.

I'm glad there are the permissions in Android, especially if they were more fine-grained, mainly to determine a non-hacking app's intentions, but really the permission model in Android is more of a false sense of security than a security feature, which is worse than no security to those who don't realise that, just like Apple's store where they tell people they audit apps.

It's already annoying how Firefox depends on dbus and requires Java Just In Time executions being permitted just to run. IPC required! just to write a config file, and JIT, well, just because no one realised it's a dangerous practice that many may want to avoid, I guess. Opera seem? to have realised it.

If the web ever comes to us instead of us going to the web it will need policing as seriously as email. Who knows, maybe plain text web will come along. (Joking, of course)

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security