Security in OpenMoko

[Mikkel Meyer Andersen]

Hi all,

First of all I'll like to say hello to all. I'm quite new at the 
OpenMoko-thingie (a Neo 1973 is on the way although - waiting with 
patience), so I hope you'll bear with me for minor (and major :-)) mistakes.

And now to the actual subject: is every application on OpenMoko running 
as root?

For a couple of weeks ago I wrote a post on this matter on my blog [1] 
and just today I saw  that iPhone had exactly that flaw [2].

Allow me to quote myself partly from a mail to Sean Moss Pultz about 
this [3] sent 17th of September 2007, and partly to refer to me writing 
about it at the discussion site for the wiki [4].

I don't hope that I've offended anyone, that was certainly not the 
purpose. I just think security is a huge point of interest and should 
draw a sufficient amount of focus from us developers.

Regards,
Mikkel Meyer Andersen aka. mikl-dk
Denmark

---

[1]: http://www.scienco.org/2007/openmoko/always-root/
[2]: http://www.eweek.com/article2/0,1895,2191373,00.asp
<3>
Triggered by the question whether every execution of an application is 
done by the root-user, I started to wondering about the security in 
OpenMoko in general. Actually I found very little - near to nothing - 
about it, and I personally think that's inappropriate for this project. 
We simply have to focus very much on security so that isn't going to be 
a pitfall. So please, let's focus on this! If desired, I'll be glad to 
join such a "task-force". Many other manufactures don't focus that much 
on security, and one is starting to talk about viruses on mobile phones 
and so on. I think it's very important to make security an issue in 
OpenMoko. (It could be a small-scale solution known from *nix such as 
the daily use was under a normal user account and the root account was 
required in order to install applications and change certain system 
settings; and the root should have a password - or maybe even use sudo 
or something.)
</3>
[4]: http://wiki.openmoko.org/wiki/Talk:Main_Page