A post on Promotion Driven Development yesterday touched on something I really dislike; Rigid Career Levelling. "Level Worthy" is a phrase I feel a lot of managers misuse as a means of pressuring engineers to take on projects. https://www.alsutton.blog/post/what-is-level-worthy/
A few folk pinged me overnight my time (UK) to say "adb backup" addresses only one exfil vector. That's true, but it's a vector I have the most context on. If I wanted to make all #Android exfil harder my temptation would be to require a factory reset when enabling developer mode.
This would follow the model of unlocking the bootloader; If you enable something which reduces the security of the device you have to wipe the users data, but would be a *huge* behaviour change.
@larma That changes in Android 12; https://developer.android.com/about/versions/12/behavior-changes-12#adb-backup-restrictions
Something pointed out to me on T*itter; Apps targeting Android 12, which aren’t declared as debuggable in their manifest, will not have their app data included in an ‘adb backup’ backup.
@sheogorath Doing all of the things you mention would leave user visible traces on the device. There is no easily accessible sign adb backup has been executed.
@sheogorath I don’t think that the unauthorised user should be able to choose what destination is trusted, and, on almost all production devices sold, they wouldn’t be able to without adb backup being available.
@larma The target device for adb backup can be something the user is unaware of.
Can you tell me why you believe adb backup files and the files stored on Googles servers are the same? Where has this information been publicly stated?
@sheogorath With the addition of “to a trusted place”, yes, but the trusted place guarantee is missing in this context.
@sheogorath If a backup solution allows for the quick and easy exfiltration of a users data then yes, it shares the same problem.
@larma Google cloud backup restoration needs a target device to restore to, and you can’t quickly perform an operation which dumps all the data to a PC or other unprotected area without modifying the OS or kernel of the device.
I've submitted a patch to the #AOSP to take the next step in what was probably, externally, my least popular contribution to #Android while I was at Google. Here's the reason I think it's time to go beyond deprecating `adb backup` and remove it entirely. https://www.alsutton.blog/post/adb-backup-removal/
Selling things like Single Sign On for big identity providers (e.g. Google) as an additional extra comes across, to me, as pretty sleazy given the maintenance overhead should be lower than maintaining your own authentication solution. https://www.atlassian.com/software/access
The official #Mastodon app for iOS is now on the App Store! Get it here:
@MarcatoMarc Running it on a device would require the same binary support package as a phone targeted build, so you’d need to create a car target for your device with the same BSP the lineage build used.
The original server operated by the Mastodon gGmbH non-profit