Developer: rwhitby
at: 05:50 AM 02/09/2010
In the interest of maintaining good homebrew application installation, non-interference, and security standards, I recently paid $14.95 to gain access to the commercial version of MyTether for the purpose of doing a review of its installation practices, interference with other unrelated webOS functions, and overall security, and giving feedback on those aspects to the author with the hope that any discrepancies can be corrected before the next public release.

Please note that this is a review of the installation, non-interference, and security of MyTether only. I intentionally make no comment about any other aspects of the application itself or the way that it is distributed or sold, or its relationship with cellular carriers, and would prefer that this thread is not used to discuss the various viewpoints held about those other aspects of MyTether. There are plenty of other threads where you can voice your opinion on those matters.

In my opinion, the importance of making sure that every homebrew application is using best practices for correct installation and safe removal, non-interference with unrelated webOS functionality, and general security, outweighs any other considerations about the functionality or distribution of the particular application itself. "First, do no harm".

As you may know, previous versions of MyTether up to and including 2.0.x installed a service directly using the Palm ipkg database in /usr/lib/ipkg (the same database that Palm uses to manage the built-in webOS operating system files during the initial installation and subsequent OTA updates).

This is not in line with best practices for homebrew installations, and is generally considered to be a contributing factor to the recurring OTA update syndrome.

I can report that Aonic has accepted my suggestions regarding the installation techniques and in version 2.1.0 of MyTether has changed his installation method to use the ipkg database in /media/cryptofs/apps/usr/lib/ipkg (the same ipkg database used by other homebrew installers), and to use standard post-install and pre-remove scripts to safely install and remove non-colliding filenames in the root partition.

This means that the underlying installation techniques used by MyTether are now done in the same manner as all the other services and plugins from various homebrew authors including WebOS Internals, Canuck Software, Vertigo Studios, TheBitGuru.com and others, according to best practices developed by WebOS Internals for homebrew packaging standards.

Aonic has also accepted my suggestions regarding the upstart script and java service filename, which also brings MyTether in line with the best practices for naming, starting and stopping services. This should remove the possibility of "service respawn storms" which are considered to be a contributing factor to device freezes in certain circumstances.

Previous versions of MyTether also interfered with unrelated webOS functions, such as the camera and SDL games.

I can now report that the version 2.1.0 of MyTether that I reviewed no longer interferes with other unrelated webOS functions. The camera and SDL games operate correctly when MyTether wifi operations are enabled.

I have also done an initial visual scan of the security of the MyTether service from the point of view of whether a rogue webOS application could use the service to gain root privileges on the device (this is a common mistake made by service authors trying to bridge the gap between webOS and the underlying Linux operating system).

On this matter, I was not 100% comfortable that the service is calling shell scripts without explicitly sanitising the input given to the service, but the author proved to me that trivial attacks on the service were not successful in the manner that I had suspected. More investigation is needed by some of our security experts in WebOS Internals before I will be 100% comfortable, but it's certainly not trivially vulnerable.

So, in summary, again with regard specifically to the installation, non-interference, and security aspects of MyTether, it seems that version 2.1.0 has now reached the point where it should safely install and uninstall in accordance with homebrew best practices, not interfere with other unrelated webOS functions, and not trivially compromise the security of the device.

Again, I intentionally make no comment about any other aspects of the application itself or the way that it is distributed or sold, or its relationship with cellular carriers, and would prefer that this thread is not used to discuss the various viewpoints held about those other aspects of MyTether.

-- Rod