On 09/15/2013 04:41 AM, Paul Theriault wrote:
> That's certainly a consideration although sometimes the access granted by the
> debugger is greater. Someone using your phone could read your emails, whereas
> someone with debug access can read your email password - which, if it's your
> gmail password for example, gives access to other services. There are only a few
> cases like this currently that I can think of - email, wifi, passcode (set but
> not enabled) - and could be worse depending on who you use for your email/wifi
> etc.
>
> Also consider the 'evil maid' attack (short-term unauthorized access). You
> leave your device unattended for a short amount of time, someone plugs your
> phone in to a laptop and uses the debugger to dump all your emails and sms messages
> to peruse later at their leisure. They steal your passwords and social network
> cookies. This could be done in less than a few minutes and since you didn't
> lose your device, you would be none the wiser.

1) This is possible.

2) If I am being targeted by a person with such exploit software on
their laptop, and I haven't set a security code on my phone, someone
somewhere has paid too much.

3) If I ever have the good fortune to visit Sydney, my first priority
will be stealing JT's phone. :)

More seriously: if a user's phone is stolen, their concern will be for
their messages, their mail, their photos, and so on, which the thief has
access to, protocol or not. The thief has access to their email account,
and thus can probably use password recovery to change the victim's
passwords to whatever they like. These are what the user fears, not the
additional exposure via mechanized access. The differential emotional
salience (?!?) of the latter seems quite limited, to me.

The benefit of exposing the protocol, with a light activation burden,
for all our users, is major. It is directly in line with our goals:
helping the web be a vibrant, creative medium; providing an on-ramp and
lowering barriers to entry for new creators in new markets; and making a
device that answers to the user first.

The best way to help users with stolen phones would be to provide a
remote kill facility, not to make the phone harder to hack on for all
our technical users who have not had their phones stolen.
_______________________________________________
dev-b2g mailing list
https://lists.mozilla.org/listinfo/dev-b2g