Installing homebrew apps w/out rooting - Page 9

TMed_ATL · 06/22/2009, 09:51 AM

Thanks Guys keep up the great work!!

tharris · 10:08 AM

I want to applaud the community (xorg, sff, potter) for reversing the ability to install packages without rooting. However, being a security person, this is very dangerous and I have to agree with rwhitby (nice post btw) that not only do i expect Palm to patch this, but I hope they do and maybe this helps to release the SDK earlier. It is self evident that this community eagerly wants to develop apps, even if an SDK is not finished. All that being said, I want to develop apps as well, just not put the phone in a position where malware can run rampant.

-tharris

Khidr · 06/22/2009, 10:10 AM

Agreed with tharris, in the long run there's really nothing wrong with requiring dev mode and/or rooting to install homebrew. It's a few extra steps, but those steps require the user to actively engage in what they're doing on their phone and (hopefully) pay attention, without opening the door to malicious code.

That said, Palm could also solve this with a universal pop up, warning the user that they are clicking on an installable file, and prompting them to either install or cancel.

kaminsky · 06/22/2009, 10:15 AM

This is fantastic! Thanks guys!

Dieter Bohn · 06/22/2009, 10:21 AM

Quote:

Originally Posted by DeusInnomen

Hmmm. Hey Dieter, I use your bit.ly link in an email sent to my phone and clicked it, but all it did was kept opening Web cards over and over until I punched Stop.

When I sent the real URL of the ipk, though, it worked.

Is the app supposed to do anything though? Nothing actually launches for me.

yeah, just realizing that. I've fixed the email link -- sorry about the hassle.

and yes - the app is more proof of concept than anything, it doesn't launch.

HUGE props to the devs!!

sir_mycroft · 10:30 AM

Worked. Success. Congrats all.

Now awaiting Palm's response.

Will we need a home brew application thread?

Please?

Get on it guys.

EDIT: BTW SimplyFlipFlops shows up as v 0.9.99 under device info. Very Cool.

jf1081 · 06/22/2009, 10:47 AM

Quote:

Originally Posted by tharris

However, being a security person, this is very dangerous and I have to agree with rwhitby (nice post btw) that not only do i expect Palm to patch this, but I hope they do and maybe this helps to release the SDK earlier.

I would like to see the SDK released as early as possible too, but not sure that limiting the way apps are installed would solve security isues. True, it can be hidden better in the email method, but who click links from emails they do not recognize anyway? I think adding a popup that says you are about to install something would be all that is necessry (maybe even have you punch in your own personal auth code).
After all, whether I email myslef an app or downlwod an app made with the SDK, a homebrew from somebody you don't know could be dangerous - what is to stop somebody from making an improved flashlight app (with added strobe funtion and plays techno music) that secretely sends me the user name and password your phone uses to conenct to your email?

PreGame · 06/22/2009, 10:52 AM

Just an FYI it sounds like from what I hear that palm did not plan on this to work through email like it does. Sounds like they will be fixing it in the next patch

Manding0 · 06/22/2009, 10:59 AM

You guys are the best!! Keep up the good work I cant wait to start installing all the toys in the wiki thru this route. Ive been scared to root my Pre its a bit advance stuff for me.

windzilla · 06/22/2009, 11:09 AM

PreGame, do you have any idea if fixing means encorporating a warning type message, now or potentially in the future. Or does it mean just closing off the ability all together.

I assume that for now they will close completely and if they will allow email link install with warning it will be in a future release.

Honestly that simplyflipflops app installs so damn quickly and without you knowing it it is a little scary, even a diligent person could open an email and brush the link accidentally installing it, and never knowing that it was installed. There isn't even a "you have successfully installed X" to tell you what has been done.

scuba_steve · 06/22/2009, 11:22 AM

I haven't read this whole thread, so I will apologize in advance, but I am somewhat confused. Is the test app supposed to do anything?

I got the app installed...and I see its icon in the launcher...and that's it. Clicking the icon does nothing. That is not really a proof of concept or a "hello world" app in my book. The test app should at least open a new card with text...to demonstrate that we deployed something beyond an icon and a JSON file..and that what we deployed has permission to execute. Something like this:

http://forums.precentral.net/web-os-...ml#post1677345

Am I missing something?

Either way, absolutely fantastic job to all of those involved!

cheers,
Steve

DeusInnomen · 06/22/2009, 12:10 PM

I already asked that question, scuba, and the answer is No, it doesn't do anything except get installed.

As a developer, I'm also fairly concerned about the security risk of this installation method. If it were me, I'd require two things: 1) A valid SSL signature for the package (if that were even possible) and 2) a pop-up dialog verifying the action. I can certainly see advantages to being able to deploy an app via a web link, but it has to be done in a manner that prevents it from also being abused by malicious apps.

Just my two cents. Damn impressed you guys managed this, though. Somebody get me a flashlight app before the hole gets patched up. *grin*

OldFiver · 06/22/2009, 12:11 PM

I typed that address into my browser and got the same multiple empty pages as jf1081, and after I closed them all I looked for and found Speed Brain. Now what?

as4life · 06/22/2009, 12:33 PM

Quote:

Originally Posted by OldFiver

I typed that address into my browser and got the same multiple empty pages as jf1081, and after I closed them all I looked for and found Speed Brain. Now what?

don't type it in the browser. All you do is email that link to yourself. When you click the link it won't do anything. Than check the launcher and it should be in the bottom of your first page.

simplyflipflops · 06/22/2009, 12:33 PM

Quote:

Originally Posted by scuba_steve

I haven't read this whole thread, so I will apologize in advance, but I am somewhat confused. Is the test app supposed to do anything?

It allows you to wear your flip flops to work on Friday with your Hawaiian shirt.

OldFiver · 06/22/2009, 12:44 PM

How did you know I was from Hawaii? :-)

spotter · 06/22/2009, 12:51 PM

as I've told others, at this point, the only way palm can prevent this hole from working is by making the current webos doctor non functional.

That doesn't mean they can't patch the hole. They can and they should and i expect they will. What it does mean, is that as long as the current webos doctor works, we can downgrade to 1.00, use the hole to "root" the pre wirelessly, and then upgrade to the current patched code.

For many users who want to run homebrew stuff, or apps that require other native functionality (say their own dbus stuff), this provides an easier method of rooting the pre as it doesn't require any linux knowledge, as all one has to do is

1) web os doctor their pre
2) email themselves a links
3) upgrade to latest set of packages palm has put out.

while it can be more steps than using the dev mode on a fully updated pre, its something my mom can do, while the devmode is not something she can do.

scuba_steve · 06/22/2009, 01:33 PM

Quote:

Originally Posted by simplyflipflops

It allows you to wear your flip flops to work on Friday with your Hawaiian shirt.

Can you tell that to my boss?

BTW, awesome job!

I guess my real question is this - does the app not display anything because the package just contains icon.png and appinfo.json files and not an index.html file...or are we seeing security issues that allow us to install, but that do not allow us to execute?

Either way, killer stuff! Thanks!

huh · 06/22/2009, 01:51 PM

I share the same concerns as those above it seems... As much as I love the development being done to the Palm, warning flags go off when I see the work being done with installing applications without root/admin access. Though its excellent for the homebrew scene, it could potentially allow for legit 'non-free' applications to be installed such as Classic that would undermine the store front not to mention the potential viruses/malware it can bring.

Either way this is an amazing step in the right direction. I don't think I have seen a homebrew scene as fast moving as this other than the recent (and somewhat illegit) developments for the Wii!

xorg · 06/22/2009, 02:05 PM

No response from Palm. They apparently released a statement that they won't get in the way of homebrew w/out being very specific.

I'll be working on the Dev Wiki tonite, posting more details on how to do this. Or you can peruse the thread if already familiar with packaging.

pre dev wiki: Installing Apps without Rooting - SUCCESS!

06/22/2009, 09:51 AM	#161 (permalink)
TMed_ATL Member Join Date: May 2009 Location: ATL/ Athens, GA Posts: 413 Likes Received: 0 Thanks: 61 Thanked 27 Times in 24 Posts	Thanks Guys keep up the great work!!
	Liked by

06/22/2009, 10:00 AM	#162 (permalink)
tharris Member Join Date: Jun 2009 Posts: 25 Likes Received: 0 Thanks: 1 Thanked 16 Times in 3 Posts	I want to applaud the community (xorg, sff, potter) for reversing the ability to install packages without rooting. However, being a security person, this is very dangerous and I have to agree with rwhitby (nice post btw) that not only do i expect Palm to patch this, but I hope they do and maybe this helps to release the SDK earlier. It is self evident that this community eagerly wants to develop apps, even if an SDK is not finished. All that being said, I want to develop apps as well, just not put the phone in a position where malware can run rampant. -tharris Last edited by tharris; 06/22/2009 at 10:08 AM.
	Liked by

06/22/2009, 10:10 AM	#163 (permalink)
Khidr Member Join Date: Jan 2009 Location: Philadelphia Posts: 73 Likes Received: 0 Thanks: 6 Thanked 6 Times in 6 Posts	Agreed with tharris, in the long run there's really nothing wrong with requiring dev mode and/or rooting to install homebrew. It's a few extra steps, but those steps require the user to actively engage in what they're doing on their phone and (hopefully) pay attention, without opening the door to malicious code. That said, Palm could also solve this with a universal pop up, warning the user that they are clicking on an installable file, and prompting them to either install or cancel.
	Liked by

06/22/2009, 10:15 AM	#164 (permalink)
kaminsky Member Join Date: Jun 2009 Posts: 12 Likes Received: 0 Thanks: 4 Thanked 1 Time in 1 Post	This is fantastic! Thanks guys!
	Liked by

06/22/2009, 10:24 AM	#166 (permalink)
sir_mycroft Member Join Date: Dec 2001 Posts: 849 Likes Received: 0 Thanks: 65 Thanked 308 Times in 54 Posts	Worked. Success. Congrats all. Now awaiting Palm's response. Will we need a home brew application thread? Please? Get on it guys. EDIT: BTW SimplyFlipFlops shows up as v 0.9.99 under device info. Very Cool. Last edited by sir_mycroft; 06/22/2009 at 10:30 AM.
	Liked by

06/22/2009, 10:52 AM	#168 (permalink)
PreGame Pre Developer Join Date: Jun 2009 Posts: 550 Likes Received: 0 Thanks: 24 Thanked 793 Times in 81 Posts	Just an FYI it sounds like from what I hear that palm did not plan on this to work through email like it does. Sounds like they will be fixing it in the next patch
	Liked by

06/22/2009, 10:59 AM	#169 (permalink)
Manding0 Member Join Date: Jun 2009 Posts: 114 Likes Received: 0 Thanks: 0 Thanked 5 Times in 5 Posts	You guys are the best!! Keep up the good work I cant wait to start installing all the toys in the wiki thru this route. Ive been scared to root my Pre its a bit advance stuff for me.
	Liked by

06/22/2009, 11:09 AM	#170 (permalink)
windzilla Member Join Date: Jun 2009 Location: The Woo, MA Posts: 1,438 Likes Received: 3 Thanks: 287 Thanked 464 Times in 250 Posts	PreGame, do you have any idea if fixing means encorporating a warning type message, now or potentially in the future. Or does it mean just closing off the ability all together. I assume that for now they will close completely and if they will allow email link install with warning it will be in a future release. Honestly that simplyflipflops app installs so damn quickly and without you knowing it it is a little scary, even a diligent person could open an email and brush the link accidentally installing it, and never knowing that it was installed. There isn't even a "you have successfully installed X" to tell you what has been done.
	Liked by

06/22/2009, 11:22 AM	#171 (permalink)
scuba_steve Member Join Date: May 2007 Location: Northern Virginia Posts: 635 Likes Received: 19 Thanks: 63 Thanked 212 Times in 110 Posts	I haven't read this whole thread, so I will apologize in advance, but I am somewhat confused. Is the test app supposed to do anything? I got the app installed...and I see its icon in the launcher...and that's it. Clicking the icon does nothing. That is not really a proof of concept or a "hello world" app in my book. The test app should at least open a new card with text...to demonstrate that we deployed something beyond an icon and a JSON file..and that what we deployed has permission to execute. Something like this: http://forums.precentral.net/web-os-...ml#post1677345 Am I missing something? Either way, absolutely fantastic job to all of those involved! cheers, Steve
	Liked by

06/22/2009, 12:10 PM	#172 (permalink)
DeusInnomen Homebrew Developer Join Date: May 2009 Location: Elgin, IL Posts: 91 Likes Received: 0 Thanks: 35 Thanked 16 Times in 9 Posts	I already asked that question, scuba, and the answer is No, it doesn't do anything except get installed. As a developer, I'm also fairly concerned about the security risk of this installation method. If it were me, I'd require two things: 1) A valid SSL signature for the package (if that were even possible) and 2) a pop-up dialog verifying the action. I can certainly see advantages to being able to deploy an app via a web link, but it has to be done in a manner that prevents it from also being abused by malicious apps. Just my two cents. Damn impressed you guys managed this, though. Somebody get me a flashlight app before the hole gets patched up. grin
	Liked by

06/22/2009, 12:11 PM	#173 (permalink)
OldFiver Member Join Date: Jun 2009 Posts: 2 Likes Received: 0 Thanks: 0 Thanked 0 Times in 0 Posts	I typed that address into my browser and got the same multiple empty pages as jf1081, and after I closed them all I looked for and found Speed Brain. Now what?
	Liked by

06/22/2009, 12:44 PM	#176 (permalink)
OldFiver Member Join Date: Jun 2009 Posts: 2 Likes Received: 0 Thanks: 0 Thanked 0 Times in 0 Posts	How did you know I was from Hawaii? :-)
	Liked by

06/22/2009, 12:51 PM	#177 (permalink)
spotter Member Join Date: Jan 2003 Location: New York Posts: 316 Likes Received: 6 Thanks: 0 Thanked 13 Times in 8 Posts	as I've told others, at this point, the only way palm can prevent this hole from working is by making the current webos doctor non functional. That doesn't mean they can't patch the hole. They can and they should and i expect they will. What it does mean, is that as long as the current webos doctor works, we can downgrade to 1.00, use the hole to "root" the pre wirelessly, and then upgrade to the current patched code. For many users who want to run homebrew stuff, or apps that require other native functionality (say their own dbus stuff), this provides an easier method of rooting the pre as it doesn't require any linux knowledge, as all one has to do is 1) web os doctor their pre 2) email themselves a links 3) upgrade to latest set of packages palm has put out. while it can be more steps than using the dev mode on a fully updated pre, its something my mom can do, while the devmode is not something she can do.
	Liked by

06/22/2009, 01:51 PM	#179 (permalink)
huh Member Join Date: Jun 2009 Posts: 26 Likes Received: 0 Thanks: 6 Thanked 1 Time in 1 Post	I share the same concerns as those above it seems... As much as I love the development being done to the Palm, warning flags go off when I see the work being done with installing applications without root/admin access. Though its excellent for the homebrew scene, it could potentially allow for legit 'non-free' applications to be installed such as Classic that would undermine the store front not to mention the potential viruses/malware it can bring. Either way this is an amazing step in the right direction. I don't think I have seen a homebrew scene as fast moving as this other than the recent (and somewhat illegit) developments for the Wii!
	Liked by

06/22/2009, 02:05 PM	#180 (permalink)
xorg Member Join Date: Jun 2009 Location: kansas city, mo Posts: 633 Likes Received: 0 Thanks: 85 Thanked 303 Times in 146 Posts	No response from Palm. They apparently released a statement that they won't get in the way of homebrew w/out being very specific. I'll be working on the Dev Wiki tonite, posting more details on how to do this. Or you can peruse the thread if already familiar with packaging. pre dev wiki: Installing Apps without Rooting - SUCCESS!
	Liked by

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode