Tuesday, March 6, 2007

The platform security book

Some time ago I read Symbian OS Platform Security. I got it mostly because I wanted some answers to my questions on why platform security is implemented the way it is. The book was quite different to what I was hoping for, though.

I had expected it to be mostly theoretical, explaining the concepts in depth. There's a bit of explaining in it, but not nearly as much as I had expected. Instead most of the book is about implementing platform security in apps. Don't get me wrong, there's nothing wrong with those parts, the chapters on writing secure apps, servers, plugins etc. are quite excellent, they just didn't answer my questions.

So I still wonder why they chose to unnecessarily limit access to parts of the file system (eg. why isn't /sys/bin readable? why can't you list the files in /private?). That just reeks of security by default ("we're not sure if this could be a threat, but we'll limit access anyway, just in case"). And why isn't there a mechanism for apps to share protected files? Sure, it's obvious that adding permissions to the file system would have made things more complicated, but instead the people who write the apps have to write their own servers just to share files between apps that trust each other, with all the security implications that comes with it.

As always, when it comes to books from Symbian Press, this one contains a wealth of information on stuff that isn't available anywhere else, and for that reason it's worth reading. Still, I can't help feeling disappointed...

2 comments:

UL-Tomten said...

The three periods at the end tell me you're not going to get mad... but even!

puterman said...

Yes, it seems I have two options:

1. Hack platform security, gain complete access to the system and replace it with a perfectly designed and documented security framework.

2. Write whiny blog posts.