  1. Daemon
    #21  
    Firstly, no it won't be included in the App Catalog even if it uses a Service.
    Although a recent front page article mentions a new app with a "plugin" that
    may provide enhanced functionality so hard to say what that gives you.
    As for why bothering to not violate the security model. As I said, the LED flashlight
    app used to do what you're trying to do (app calls service which calls shell scripts and commands)
    and it got some heat from the WebOS internals developers and others, and
    as far as I can tell has been completely disappeared. It's not in Preware any more.
    The complaint was that it left a huge security hole that would allow any WebOS
    app to call those shell scripts or commands.

    ian
    Last edited by Daemon; 12/07/2009 at 04:19 PM.
  2. DrewPre
    #22  
    Please read my thread and see my response, here

    As for the Flashlight app, I remember it resided on Jason R.'s server and for some reason it went down and I remember him saying that he was working on getting it back up. I don't know the most recent reason it's not available but that was the reason a while ago.
  3. #23  
    Originally posted by Daemon:
    What you're trying to do fundamentally violates the security model of WebOS.
    You can't access some other app's data or files directly using anything in the
    Mojo SDK which means no WebOS app can access the palm databases directly.
    You can't call shell scripts from WebOS apps, period.
    Services (written in Java or C) are meant to be the interface between WebOS and the Pre's linux underpinnings.
    When others say to write a service to access the data, they
    don't mean write a service to call a shell script to access the data.
    That can be done but it also violates the WebOS security model and is an unsupported
    model. The old LED flashlight app did that and it's been since removed. What
    they mean is to write a background service which accesses the data directly
    through Java or C SDKs, and then exposes specific methods which can be called
    by WebOS apps.

    Examples of current services.
    GStreamer Service (used by PreRecorder)
    Package Manager Service (used by Preware)
    Accelerometer Service (used by various apps to speed up tilt sensor sample rate)
    FileMgr Service (used by Internalz)

    ian
    A service is a security breach if it allows things to be done that constitute a security breach.

    A service which allows a generic command to be executed is an example of such.

    All the services above do very specific things, none of which are security breaches.

    All the Palm built-in services also do very specific things, none of which are security breaches.

    The determination of whether it is a security breach is based on what the service allows a rogue webOS application to do. There is nothing wrong with services in general, the thing that is wrong is services (like one that allows any command to be run) that are written with no regard for security.

    All services in the WebOS Internals feed are written with specific security requirements in mind, and are safe to install.

    There *is* a very old flashlight tar file on lunaware.com which contains a service which has a security breach. That one, and a very old version of MyTether are the only two that are still floating around. Both have had updates since which fix the problem.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  4. #24  
    Originally posted by Daemon:
    Firstly, no it won't be included in the App Catalog even if it uses a Service.
    Although a recent front page article mentions a new app with a "plugin" that
    may provide enhanced functionality so hard to say what that gives you.
    As for why bothering to not violate the security model. As I said, the LED flashlight
    app used to do what you're trying to do (app calls service which calls shell scripts and commands)
    and it got some heat from the WebOS internals developers and others, and
    as far as I can tell has been completely disappeared. It's not in Preware any more.
    The complaint was that it left a huge security hole that would allow any WebOS
    app to call those shell scripts or commands.

    ian
    A service that allows *any* command to be run with root privileges is a problem.

    A service which calls a very specific shell script with a fixed command sequence that in itself has no security issues is not a problem.

    Please don't spread misinformation about services in general. Palm itself has services that call shell scripts.

    -- Rod
  5. Daemon
    #25  
    So are there any HB apps using their own services that will make it to the app catalog?
    I didn't say they couldn't be secure (quite the opposite in fact).
    I said they're not currently allowed by Palm from the outside dev community.
    Is that wrong? Last I saw, they weren't allowing any app from
    wild developers that calls anything outside the Mojo SDK. True or false?

    ian
  6. #26  
    Originally posted by Daemon:
    So are there any HB apps using their own services that will make it to the app catalog?
    I didn't say they couldn't be secure (quite the opposite in fact).
    I said they're not currently allowed by Palm from the outside dev community.
    Is that wrong? Last I saw, they weren't allowing any app from
    wild developers that calls anything outside the Mojo SDK. True or false?
    You are absolutely correct that an app that depends on a custom service will not get into the app catalog, unless the service is installed on the device by Palm (as is the case for the Classic app).

    -- Rod
  7. DrewPre
    #27  
    Daemon, I am not trying to pick a fight here, but frankly I didn't need your input on whether Palm will allow an App in the App Catalog if said App requires a service. The whole reason I started posting in this thread was because I was trying to make my app NOT require an additional service but rather utilize the services built into the Pre so that it might be included in the App Catalog. As it turns out, it is not going to be possible through this route.

    What threw me for a loop was the comment below... especially because some guys from webos-internals.org [while they had problems with me tarballing the PalmDatabase.db3] were fully aware of what my app did and how it accomplished it, re: calling a service which calls a script.

    As I said, the LED flashlight app used to do what you're trying to do (app calls service which calls shell scripts and commands) and it got some heat from the WebOS internals developers and others, and as far as I can tell has been completely disappeared. It's not in Preware any more. The complaint was that it left a huge security hole that would allow any WebOS app to call those shell scripts or commands.
  8. Daemon
    #28  
    Originally posted by DrewPre:
    Daemon, I am not trying to pick a fight here, but frankly I didn't need your input on whether Palm will allow an App in the App Catalog if said App requires a service.
    Funny, because I thought that's what you asked for here

    Originally posted by DrewPre:
    So I guess the question that is lingering in my mind, which was the motivation for me pursuing this alternative route, is... If a webOS App requires a service and that service meets the criteria you specified above [java or C service that accesses the data directly and exposes specific methods] can it be included in the Palm App Catalog?
    I answered it.. Which is that there are no new apps developed in
    the wild being accepted into the App Catalog that utilize homegrown
    services.

    I have been going on the assumption that there are no App Catalog Apps that require and/or utilize services therefore I've been trying to figure out a way to avoid the use of a service.
    I understand the motivation, but there is simply no other way to do it.

    The reason I jumped in here in the first place is you guys seemed
    to be going to great lengths to attempt to bypass the WebOS security model
    while of course Palm has made absolutely sure that the Mojo SDK
    does not allow that by itself. What you and the OP are trying to do is
    certainly possible with carefully constructed services. It's just not going
    to get your app into the app catalog, as it stands now.

    And even if you write a service that only takes data in you also have to
    be careful of code injection, so that someone can't add some special
    characters and extra commands to a simple data parameter to one of your
    service's API calls, and have that interpreted as multiple commands
    when that data is passed to a shell command or shell script. The service
    has to scrub the data.

    ian
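The two service-design points made in this thread (expose only specific methods rather than a generic command runner, and scrub any parameter before it reaches a script) can be sketched as follows. This is an added example, not code from any poster or from a real webOS service; the method name `setLevel` is hypothetical and `/bin/echo` stands in for a fixed helper script on a POSIX system.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical method table: each exposed method maps to ONE fixed program.
   /bin/echo stands in for a real helper script. */
struct method { const char *name; const char *prog; const char *fixed_arg; };
static const struct method METHODS[] = {
    { "setLevel", "/bin/echo", "level" },
};

/* "Scrub the data": accept 1-3 decimal digits only, so no shell
   metacharacters, spaces or option dashes can ever reach the helper. */
int valid_level(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n < 1 || n > 3) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Returns -1 for an unknown method, -2 for a rejected parameter,
   -3 on fork/wait failure, otherwise the helper's exit status. */
int service_call(const char *method, const char *param) {
    const struct method *m = NULL;
    for (size_t i = 0; i < sizeof METHODS / sizeof METHODS[0]; i++)
        if (method && strcmp(method, METHODS[i].name) == 0) m = &METHODS[i];
    if (!m) return -1;                 /* no generic "run this" entry point */
    if (!valid_level(param)) return -2;
    pid_t pid = fork();
    if (pid < 0) return -3;
    if (pid == 0) {
        /* execv passes argv as-is; no /bin/sh ever parses the parameter. */
        char *argv[] = { (char *)m->prog, (char *)m->fixed_arg, (char *)param, NULL };
        execv(m->prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -3;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -3;
}

int main(void) {
    /* Constructed inputs: one benign value, one carrying an extra command. */
    int ok = service_call("setLevel", "42");
    int bad = service_call("setLevel", "42; echo injected");
    return (ok == 0 && bad == -2) ? 0 : 1;
}
```

Even if the validator were too permissive, the `execv` call would hand the parameter to the helper as a single argument; the allowlist check matters most when the helper is itself a shell script that re-expands its arguments.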
  9. DrewPre
    #29  
    Dood, That's what they call one of them there Rhetorical questions. A Question I knew the answer to, and it was laced with a subtle bit of sarcasm to boot. After all as I said before, I knew that apps don't make it to the app catalog if they require a service. IT IS WHY I AM IN THIS THREAD!!!! I have already developed an App and a Service to go with it. The real question was in the last sentence of that post you quoted...... "....why is it important not to 'fundamentally violate the security model of webOS'?" assuming of course it will never make it to the App Catalog.

    To which you responded that the webos-internals.org guys have a problem with it.

    But whatever, it's all good. I know you were trying to help. That's the point!
    Last edited by DrewPre; 12/08/2009 at 02:00 AM.
  10. #30  
    Originally posted by DrewPre:
    To which you responded that the webos-internals.org guys have a problem with it.
    BTW, I doubt it's just the webos-internals.org guys that would have a problem with a rogue webOS application (maybe masquerading as some innocent game) that you were perhaps social engineered into downloading from a dubious URL via fileCoaster, which takes advantage of a poorly written service which exposes the Linux root command line without any protection at all, and then grabs your internet banking details or other personal identity data from your Pre, and uses it to steal your identity or money.

    There are no services in the Preware feeds today that can fall prey to that type of attack, and it is only vigilance which keeps it so.

    -- Rod
  11. #31  
    Does anyone know the algorithms for the TIMESTAMP conversion using SQLITE3?
  12. #32  
    I want to open data usage in the preferences, but it is blank.
    Who can help me solve this problem?