Mailing List Archive



Re: [tlug] Skype or Something Better?



If potentially an attack vector then thinking ahead and asking for a bunch of permissions that are not directly used up-front breaks any permissions firewalling aspect in advance of updates that are actually of any danger to the user.

Considering that app updates over the Google Play infrastructure only ask for any additional permissions when they are added and asking upfront allows for "silent" updates later (this is a policy level bypass) and anything includable as a plugin in this way can be effectively outside the application and yet still included functionally within it "on demand".

That's for any potential bad-actor use-cases.

Asking for way more permissions as a developer overreach is also a possibility.

Maybe they started with everything permissible, developed the app and haven't trimmed the permissions back to essentials only; that is also possible.

This allows for the 2nd case with also the potential (ab)use case outlined initially.


On 22/02/2017 2:27 AM, "Darren Cook" <darren@example.com> wrote:
> A lot of my clients are now requiring a Whatsapp account for
> communicating with their reps.  The "good" program that would run as a
> Linux standalone was forced off the net by Whatsapp's lawyers, but there
> is still a good plug-in (?) that allows you to run the web app as a
> separate window.  The one BIG problem is that you need a keitai with a
> camera for setup, it needs to be left idling while you're online /
> waiting for calls, and the keitai should be running off your WiFi...

BTW, what is the reasoning behind this?

I.e. I have to install an app on my cheap Chinese-built Android phone,
and the app requires permission to poke into just about everything. And
then the desktop version (Linux WebApp or native Windows/Mac app, as far
as I can tell) is basically acting as a dumb client connecting to a
server running on my phone. (IIUC?) That is so weird, there must be a
good reason for it.

Is it about tying it to a phone number? Is this for regulatory purposes,
or as part of the security aspect?

Darren


--
To unsubscribe from this mailing list,
please see the instructions at http://lists.tlug.jp/list.html

The TLUG mailing list is hosted by ASAHI Net, provider of mobile and
fixed broadband Internet services to individuals and corporations.
Visit ASAHI Net's English-language Web page: http://asahi-net.jp/en/
