  1.    #1  
    Hello. I research Open WebOS's security (don't worry, just for university). I was testing its source code (built in Ubuntu) with flawfinder and found one interesting file - mojomail/imap/inc/commands/AuthYahooCommand.cpp. In this file, one of the comments says "// HACK: Hard-code partner ID and fetch of NDUID". As I understand it, when we check our e-mail, our account's data is saved somewhere without encryption, but I can't find it. So, can you tell me anything about this problem? Has it been fixed already?
  2. #2  
    Quote: Originally Posted by ApSept
    Hello. I research Open WebOS's security (don't worry, just for university). I was testing its source code (built in Ubuntu) with flawfinder and found one interesting file - mojomail/imap/inc/commands/AuthYahooCommand.cpp. In this file, one of the comments says "// HACK: Hard-code partner ID and fetch of NDUID". As I understand it, when we check our e-mail, our account's data is saved somewhere without encryption, but I can't find it. So, can you tell me anything about this problem? Has it been fixed already?
    A long time ago, Yahoo didn't allow standard IMAP over mobile networks -- you could use IMAP from a desktop, but it would disallow connections if your IP address was in an address range used by Sprint, AT&T, etc. They required a custom token-based login system and a custom UDP-based push mechanism. Also, they charged partners a licensing fee. That's what the partner ID is referring to.

    So using this outdated, Yahoo-specific mechanism, the password is never stored on the device, only a token. If you set up a Yahoo account manually, or on OpenWebOS where the proprietary Yahoo service doesn't exist, then it should just use a password. Both passwords and tokens are stored using keymanager, which encrypts them and saves them to a database at /var/palm/data/keys.db.

    You should also take a look at http://www.pabloendres.com/wp-conten...urity-v1.1.pdf
  3. #3  
    There are differences between legacy webOS and open webOS. User credentials for the accounts are stored in an encrypted storage on legacy devices (which is probably not totally fail proof, but quite a nice thing to have). On open webos this seems to be gone.
    See here for example: https://github.com/openwebos/app-ser...ccounts/models
    There are two files, credentials-model.js and credentials-model-keymanager.js. The latter one is not used on openwebos but would talk to keymanager. The first one just stores the credentials in the system db (db8) unencrypted.

    Not sure what you really want to look into... for LuneOS (an openwebos fork that tries to bring it to phones again) we re-implemented the keymanager ( https://github.com/webOS-ports/keymanager ) and activated it for the account service. If you find insecurities with that, it would be great if you gave us some hints how to better do stuff... (ok.. the biggest insecurity probably is the way the key is stored... )
  4. #4  
    Quote: Originally Posted by ApSept
    Hello. I research Open WebOS's security (don't worry, just for university). I was testing its source code (built in Ubuntu) with flawfinder and found one interesting file - mojomail/imap/inc/commands/AuthYahooCommand.cpp. In this file, one of the comments says "// HACK: Hard-code partner ID and fetch of NDUID". As I understand it, when we check our e-mail, our account's data is saved somewhere without encryption, but I can't find it. So, can you tell me anything about this problem? Has it been fixed already?
    It is indeed great that someone is looking at webOS' security (and hopefully LuneOS)

    Are you interested in joining the team?

    WebOS-Ports
