| |||||||||||||
World-writable memory on Samsung Android phonesWorld-writable memory on Samsung Android phonesPosted Dec 17, 2012 21:32 UTC (Mon) by oever (subscriber, #987)In reply to: World-writable memory on Samsung Android phones by mikov Parent article: World-writable memory on Samsung Android phones Oh, if only people were still deriving mathematical proofs about their software! Today's release of HTML5 is, frankly, embarrassing. "HTML syntax" is still allowed and even has quite different semantics just because even minor syntax errors will prevent a document labeled as XML from being rendered fully. There surely are good programmers still, but the noise level has increased as has the need to keep pushing your code if you want it to be used. The general acceptance of sloppy coding (aka duck typing) and tendency to blame the browser, no the coder, has led to a situation where coding is actually harder for everyone. Nevertheles, when it comes to Android security, you have to concur that more thought was put into security on Android than on (GNU/)Linux. On Android each application runs as a separate user. On Linux, this is not the case. In fact: every application can read all user files and dial home as much as it likes. Tools like fakechroot or sydbox may help here.
(Log in to post comments)
World-writable memory on Samsung Android phones Posted Dec 18, 2012 11:33 UTC (Tue) by khim (subscriber, #9252) [Link] The general acceptance of sloppy coding (aka duck typing) and tendency to blame the browser, no the coder, has led to a situation where coding is actually harder for everyone. Oh yeah. One simple example: Try to guess what this code will print and why. Who's life became easier when language like this is pushed as a strict requirement?
World-writable memory on Samsung Android phones Posted Dec 18, 2012 20:26 UTC (Tue) by apoelstra (subscriber, #75205) [Link]
That's a shocking example. I had a few ideas about what the output would be, but was pretty sure it would be "H1 e1 l1 l1 o1 ", since I recall that in Javascript, adding a number to a string would convert the number into a string containing the decimal expansion of the number, then append it to the string. (And when you split up a string, you get smaller strings, not characters or some different type.)
Alternately, it might have added one to the characters 'H', 'e', 'l', 'l' and 'o' to get 'I', 'f', 'k', 'k', 'p', but I'm pretty sure Javascript has no character type, let alone one that would act in such a C-ish way. So I didn't expect this outcome at all, though I would in some other languages.
But maybe it would interpret "Hello" as a collection of one string, and output "Hello1". Or it would try to convert "Hello" to something it could iterate over and output "[List]1" or some abomination. Or maybe the body of the loop would never run. Or maybe it would just give an error.
It did not occur to me, though maybe it should have, that i might run through the integers 0, 1, 2, 3 then 4, since "Hello" is a thing containing 5 elements and 'for' will only give you integers. So the output would be "1 2 3 4 5". Maybe this was an accidental behavior in some ancient Netscape and it wound up being baked into the language.
Nope. The actual output is "01 11 21 31 41 51 ". Go figure.
World-writable memory on Samsung Android phones Posted Dec 20, 2012 18:48 UTC (Thu) by sorpigal (subscriber, #36106) [Link] You left out "why" test is an object of type string, and for a string object you can access characters by indexing into it in a looks-like-C kind of way: document.write(test[0]); // H JS for .. in syntax iterates over *keys of an object* From this you can tell that when I say
test = {one: "hello", two: "world"};
for (i in test) alert(i);
expected this will "one" and "two"
test['two'];
And this will be "World" The array object is no different, it just has keys that happen to be sequential numbers
test = ['one', 'two'];
for (i in test) alert(i); // 0, 1
alert(test[1]); // two
In order for the string object to look like a C string and let you index characters it must, obviously from the above, appear to store each character at a numeric key corresponding to its index in the string. The only strange part is why i+1 does string concatenation. I would think that the key would be numeric, but I suppose that there's some reason it isn't. If you need it to be you can use unary +
test = "Hello";
for (i in test) alert(+i+1); // 1, 2, 3, 4, 5 as expected
World-writable memory on Samsung Android phones Posted Dec 21, 2012 2:57 UTC (Fri) by idupree (subscriber, #71169) [Link]
Keys in JavaScript objects are strings. Javascript arrays (and strings) are Javascript objects. Therefore, keys of Javascript arrays are strings (they are string representations of numbers, to be precise, or of non-numbers if you explicitly add non-number keys to an array object).
Yes, it really is that absurd. And no, it doesn't necessarily impact performance, because modern Javascript engines are often smart enough to undo this oddity without changing the language semantics.
World-writable memory on Samsung Android phones Posted Dec 21, 2012 15:00 UTC (Fri) by sorpigal (subscriber, #36106) [Link] it doesn't necessarily impact performance, because modern Javascript engines are often smart enough to undo this oddity without changing the language semantics "Often" is not always; crazy isn't that far behind us. I wonder, now, about the performance of code I've written where complex objects and functions have been used as keys. I imagined I was storing pointers, but if the key is really the stringification of the object... that can't be good. I suppose it sort-of makes sense that somebody decided storing a numeric key as a string was less scary than storing it as a float, but the madness has to stop some time.
World-writable memory on Samsung Android phones Posted Dec 21, 2012 3:06 UTC (Fri) by apoelstra (subscriber, #75205) [Link]
Thanks for explaining, sorpigal and idupree!
I was just telling what I observed - I really didn't have any idea what might have been going on behind it.
World-writable memory on Samsung Android phones Posted Dec 18, 2012 13:07 UTC (Tue) by clump (subscriber, #27801) [Link] Nevertheles, when it comes to Android security, you have to concur that more thought was put into security on Android than on (GNU/)Linux. On Android each application runs as a separate user. On Linux, this is not the case. In fact: every application can read all user files and dial home as much as it likes.Except that of course you know Android is Linux. You're also neglecting to mention MAC/SELinux which allows very fine grained containment of more than just applications. I you want a secure Linux distribution you can have it. Whether many distributions care to take advantage of SELinux, capabilities, sandboxing, etc, is a different story. The abysmal security of Android's typical "Play" store application should give anyone pause.
World-writable memory on Samsung Android phones Posted Dec 18, 2012 15:57 UTC (Tue) by khim (subscriber, #9252) [Link] The abysmal security of Android's typical "Play" store application should give anyone pause. What "abysmal security" are you talking about? Compared to the alternatives it's nirvana. Yes, some trojans are out there and there are a lot of articles which discuss this problem, but most regular users only hear about problems from such articles. Windows, MacOS - these are significantly worse and even Linux has pitiful track record once you go beyond the repos. The only alternatives which are kind-of-better are iOS and Kindle - and somehow I don't think LWN subscriber considers iOS and Kindle a good things to promote.
|
|||||||||||||