-There are obvious problems for the apps installed on the SD card that
are currently running when the SD card is removed: in such a
situation, they can't possibly rely on being able to save any state to
disk: the code that would be used to save data might simply not be in
RAM (and even if the code is there, the logical location to save the
data would be the SD card itself, which would be gone).
-Several aspects of the system itself open application files (the
installer, the system server, just to name a few), and therefore have
to be prepared for the fact that those files might disappear at any
time (and that the file descriptors would have to be closed within
seconds or the entire phone would crash).
-There are a lot of open issues around app management in general:
*if the user installs an app on the SD card, pulls the card, installs
that same app on the internal flash, and puts the SD card back in, the
situation is a bit messy.
*if an app queries the list of installed apps (to know what file types
are handled), a decision has to be made whether it can see the apps
that were installed on the SD card. The result might depend on whether
the querying app is on removable storage itself. It might also depend
on whether the SD card is inserted.
* also, things become more interesting if you start to consider the
possibility that there might be multiple removable slots (I have a PDA
like that), or if you think of how it impacts legacy apps.
-And that's just a quick list of a few ideas going through my head,
which is sure to be incomplete.
JBQ
It's obviously one of the pain points with the G1, it's likely to be a
pain point with other devices, and it is important that Android
eventually provide some platform-level solution for this situation. It
has to be balanced against all the other high-priority tasks that the
Android engineering community is working on.
You can help, though, even without writing code, by taking part in the
discussions about the various design decisions. The more brains we
have thinking about the design, the faster it'll be possible to start
an implementation, and the fewer surprises we'll have during and after
the implementation.
JBQ
I think the one over-arching point you are missing here is that Android isn't intended to be a one-phone OS. The future limitations of the current Android feature-set really sit in the hands of the hardware manufacturer. It would be a mistake to assume that just because your experience with the G1 is dissatisfactory, your experience with a phone running Android is always going to be that way moving forward. If an Android device were released tomorrow that had 8 gigs of internal storage, this would be a non-issue on said device. That is why I doubt that this missing feature is the marketing disaster you claim it is.
On Nov 24, 9:42 am, Christopher Joel <Aar...@gmail.com> wrote: > Even if you are a non-technical us...
The fact that Google engineers have commented repeatedly on multiple
threads related to this matter might suggest that Google is very much
aware of the situation.
I'm not quite sure what makes you believe that there's any kind of
delay going on.
JBQ
Those higher priority items that Dianne is talking about are bugfixes
for features that were put on the roadmap a long long time ago and
have been implemented already. Those higher priority items are not new
features that are competing with "apps on SD" for engineering
resources. No feature implemented from this point on can ship before
those bugs are fixed. At this point, the roadmap that Dianne mentioned
is essentially the roadmap for the bugfixes in question, which means
that "apps on SD" could become the first new feature to be added on
that roadmap (this is not a commitment, and the choice isn't mine to
make).
JBQ
In addition to considering what JBQ pointed out, you should consider that, while your concerns about app space are legitimate and as a G1 owner I share them, developers won't flock to Android and release truly purchase-worthy apps if they think that the distribution system is too insecure or poorly thought out to be worth their time.
Furthermore, is it set in stone that the only way to re-aquire a purchased app you have deleted is to re-purchase it? I know that Apple's app store remembers your purchases, as they are tied to your Apple account, and let's you re-download previously- purchased apps for free (something I wish they had done with their music years ago). Surely a system could be arranged where app store purchases are tied to a user's Google account, thereby enabling unlimited, free post-purchase downloads?
- c
On Nov 24, 10:39 am, Jean-Baptiste Queru <j...@google.com> wrote: > The fact that something is urge...
> On Mon, Nov 24, 2008 at 7:03 AM, al74 <aviadle...@gmail.com> wrote: > > > No not realy. I am a pre...
Having been involved in applications security design in Unix (later
Linux) environments for several decades, I am unconvinced that there
is a necessary relationship in the Android security model that should
depend on whether or not a particular object is on internal or
mountable media. We've been dealing with setuid (for example)
applications on removable media of all sorts since Unix Version 6
(and earlier). And as others have noted, other mobile platforms
have achieved reasonable security levels while not restricting
applications to internal memory storage.
Creating a system to verify the integrity of applications and their
permissions, independent of stored location, even if tied to phone
IMEI, should not be a major effort and should be a high priority,
unless having G1 buyers feel that they were sucked into something
of a bait-and-switch situation is not a concern.
--Lauren--
Lauren Weinstein
lau...@vortex.com or lau...@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
- - -
"Dianne Hackborn" <hac...@android.com>:
>
> ------=_Part_19772_22164025.1227562254140
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> ------=_Part_19772_22164025.1227562254140
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> This is not about DRM. Applications that are on the SD card in its current form can be the victim of viruses and trojans and other such malware, comple
> tely breaking down the security system. Essentially, by giving an app on the raw SD card permission to do something, you would effectively be giving ev
> eryone permission to do that thing, since they can just go and put their own code in that app and do whatever they want with its permissions.<br>
> <br>A cornerstone of Android is to allow for an open environment in which a user can still feel safe in downloading and trying whatever apps they want withou
> t fear of them taking over their phone or doing things they don't want them to do. We are trying as hard as we can to -not- replicate the desktop e
> nvironment in this area, where historically there is little to no control over applications and you end up with a sea of viruses and virus checkers and all s
> orts of problems as a result. (And note that Microsoft and others are also trying to get out of this world in their current operating systems.)<br>
> <br>Putting applications on the SD card without any security or control over what is going on there would be a huge step backwards.<br><br>It is to everyone&
> #39;s benefit -- users who feel safe in installing applications and developers who get more users of their applications as a result -- that the system mainta
> in firm control what applications are allowed to do.<br>
> <br><div class="gmail_quote">On Mon, Nov 24, 2008 at 1:07 PM, al74 <span dir="ltr"><<a href="mailto:aviad...@gmail.com">aviad...@gmail.com</a>></sp
> an> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
> <br>
> Thanks for your input. Just as a note, one of the reason me and many<br>
> other chose Android was the huge publicity on its openness. As a law<br>
> abiding person who stays aways from DRM'ed solutions like fire due to<br>
> their restrictive nature I will be very disappointed if Google will<br>
> choose to restrict our ability to use software as long as we comply<br>
> with the licensing terms. DRM failed with music. It will fail with<br>
> video and software as well. If I wanted total control and restricted<br>
> content, I would have turned to Apple and the iPhone. I sure hope that<br>
> any solution to this issue will not be delayed due to DRM and content<br>
> restriction issues.<br>
> <div><div></div><div class="Wj3C7c"><br>
> <br>
> On Nov 24, 2:06 pm, Christopher Joel <<a href="mailto:Aar...@gmail.com">Aar...@gmail.com</a>> wrote:<br>
> > It should be different because piracy is a real problem on the PC, and<br>
> > digital distribution needs to provide real answers to that problem -<br>
> > ones that are fair to both developers and consumers - if we want to<br>
> > further its momentum as a rising way to distribute software. Look at<br>
> > the game industry, for instance, where developers are flocking away<br>
> > from the PC in favor of consoles because of how badly piracy is<br>
> > perceived to hurt their sales figures. Consoles offer a (relatively)<br>
> > secure platform for distribution, and that small gain in security is<br>
> > enough to make developers and users alike sacrifice the freedom to<br>
> > choose their platform.<br>
> ><br>
> > I think the take-away here is that you shouldn't worry because it<br>
> > sounds as though everyone agrees with your main concern - the current<br>
> > implementation is not ideal, especially considering the G1's internal<br>
> > storage limitations. However, I think that you need to accept the<br>
> > reality of the situation, which is that Android won't die if this<br>
> > feature doesn't come out in the immediate future, and the Android-<br>
> > developing and -using communities will both be much better off if the<br>
> > solution to this problem, when it does come, is carefully planned out<br>
> > and executed.<br>
> ><br>
> > - c<br>
> ><br>
> > On Nov 24, 10:14 am, al74 <<a href="mailto:aviadle...@gmail.com">aviadle...@gmail.com</a>> wrote:<br>
> ><br>
> ><br>
> ><br>
> > > Applications for BlackBerry, Symbian and Windows Mobile are kept on SD<br>
> > > cards and I never heard of any issues on Dev part. From copyright<br>
> > > protection perspective, why should this be any different than<br>
> > > installing apps on a Desktop PC? As to the possibility to reinstall<br>
> > > apps, that's not going to help if I can't reinstall due to the space<br>
> > > issues. I will have to give up the app because I want to installl<br>
> > > something better but have no room.<br>
> ><br>
> > > On Nov 24, 11:57 am, Chris <<a href="mailto:aar...@gmail.com">aar...@gmail.com</a>> wrote:<br>
> ><br>
> > > > In addition to considering what JBQ pointed out, you should consider that,<br>
> > > > while your concerns about app space are legitimate and as a G1 owner I share<br>
> > > > them, developers won't flock to Android and release truly purchase-worthy<br>
> > > > apps if they think that the distribution system is too insecure or poorly<br>
> > > > thought out to be worth their time.<br>
> ><br>
> > > > Furthermore, is it set in stone that the only way to re-aquire a purchased<br>
> > > > app you have deleted is to re-purchase it? I know that Apple's app store<br>
> > > > remembers your purchases, as they are tied to your Apple account, and let's<br>
> > > > you re-download previously- purchased apps for free (something I wish they<br>
> > > > had done with their music years ago). Surely a system could be arranged<br>
> > > > where app store purchases are tied to a user's Google account, thereby<br>
> </div></div>> > > enabling unlimited, free post-purchase downloads?- Hide quoted text -<br>
> ><br>
> > - Show quoted text -<br>
> </blockquote></div><br><br clear="all"><br>-- <br>Dianne Hackborn<br>Android framework engineer<br><a href="mailto:hac...@android.com">hac...@android.com</
> a><br><br>Note: please don't send private questions to me, as I don't have time to provide private support. All such questions should be posted
> on public forums, where I and others can see and answer them.<br>
> <br>
>
> ------=_Part_19772_22164025.1227562254140--
How long would it take you to write it? Perhaps we can raise the funds
to hire you to create that implementation. Then there is no dependency
on perceptions of priority.
I'm thinking of something along the lines of Gregory Brown's Ruby
Mendicant project from earlier this year:
http://rubymendicant.wikidot.com/proposal
--
Mark Murphy (a Commons Guy)
http://commonsware.com
Android Training on the Ranch! -- Mar 16-20, 2009
http://www.bignerdranch.com/schedule.shtml
--Lauren--
Lauren Weinstein
lau...@vortex.com or lau...@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
- - -
>
I think you may be ignoring some key distinctions / differences here:
* As a necessary part of compatibility, external SD cards use the FAT
filesystem, which has no permissions.
* The Android permissions model doesn't have a way to give
fine-grained access to external storage. A process either has full
access or no access. No middle ground.
In contrast, access to the internal filesystem is fine-grained. An app
gets write access only to a controlled subset of the filesystem, and
its slice can be monitored (e.g. for quota).
The threat that is being prevented by not allowing apps to live on
external storage is this: One app, Mallet, is trusted by the user to
use external storage but not trusted to do anything else. Another app,
Alice, is trusted to do something else (say, access the net). If Alice
is installed directly on external storage, then Mallet could alter
Alice's code to do Mallet's bidding and abuse Alice's permissions,
despite the device owner's desire for Mallet to be confined.
This isn't about an app being able to use permissions in a deceptive
way, and I don't think anyone has claimed otherwise. It is about apps
not being able to subvert other apps.
> And as others have noted, other mobile platforms
> have achieved reasonable security levels while not restricting
> applications to internal memory storage.
I'm not going to say it's not true, but I don't think I read any
well-backed claims in this regard. I think the claims were more at the
level of "[platform x] seems to work well for me" and not "here is how
[platform x] achieves the same level of security while still allowing
applications to be installed on an SD card."
> Creating a system to verify the integrity of applications and their
> permissions, independent of stored location, even if tied to phone
> IMEI, should not be a major effort
In fact, a couple of Android folks already outlined what this would
look like for Android in previous messages to this group. I disagree
with you in that I believe it *would* actually be a major effort. As
per previous discussion, it would impact several layers of the system,
from the filesystem drivers up through the UI.
FWIW, I'd love to see it all happen, myself.
-dan
But the dichotomy of the current situation shouldn't have been
necessary. The Android platform was clearly going to engender a
cornupcopia of applications, and the combination of that with such
limited applications storage space should have been an obvious
situation to avoid. Given that adding more internal memory could
have genuine cost considerations, dealing with the external storage
aspect from day zero would have been a very desirable course.
The workaround that occurs immediately to me (and that I see has
been mentioned earlier) is of course basaically to dump a virtual fs
on the storage card and either sign or encrypt that fs to prevent
tampering. Rather ugly and somewhat non-generalized? True. Some
negative speed and efficiency issues? Yep. But it would still seem
a practical approach to help solve what really is an immediate
problem. Cleaner and more general solutions could come later.
This really is something that needs to be solved now, even if it's
done essentially with a temporary hack for the time being. Once
non-free Android apps start to appear in quantity, it will become
especially difficult to keep this issue caged up effectively.
--Lauren--
Lauren Weinstein
lau...@vortex.com or lau...@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
- Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
- - -
> On Mon, Nov 24, 2008 at 3:12 PM, Lauren Weinstein <lau...@vortex.com> wrote:
JBQ
JBQ
At the risk of ruining your conspiracy theories, that's just not true.
There really were other tasks that were more important than apps on
the SD card that had to be implemented first (e.g. being able to
reliably download apps and other files, being able to install apps at
all, and being able to use the SD card reliably - I'm not joking here,
those got worked on until fairly late in the development process).
We've said it already, I'll repeat it here: a significant amount of
additional work is necessary to allow apps to be installed on the SD
card. We recognize that this the limited amount of internal storage is
causing some pain for some users. There are ways to reduce pressure on
the internal storage that don't require to install apps on the SD card
(and therefore are much easier to implement). We've got some
commitments that have been communicated on the roadmap and that are
competing for resources. We gladly accept high-quality design and code
contributions, and this is the right place for those discussions.
Complaining about things isn't going to achieve much (except getting
people annoyed). Actually working toward a solution will.
Oh, and one last thing: you're right that the shelf life of a device
is about 12 to 18 months. Its useful life is typically 3 to 5 years,
though. With a platform like Android that allows OTA updates, the
latter duration tends to be more relevant than the former, since the
software can be updated at little relative cost even after the devices
have left the factory.
JBQ
On Sun, Dec 7, 2008 at 7:24 AM, al74 <aviad...@gmail.com> wrote:
>
> In terms of the average life of an electronic device such as a cell
> phone, never is about a year, year and a half. In terms of a first
> device like the G1 owned by many early adopters, never is even less
> than that.
>
> If you can implement quickest temporary solutions it will be much
> appreciated, but eventually, the only viable solution is the obvious
> one: you should restrict the storage options to internal memory in a
> device with such a low internal storage capacity. That was a mistake
> in the first place.
>
> On Dec 7, 9:21 am, Jean-Baptiste Queru <j...@google.com> wrote:
>> "never" is a very very long time, and putting apps on the SD card
>> isn't the only way to relieve pressure on the internal storage (I can
>> think of at least two other options that would make a significant
>> difference without going as far as having apps on the SD card).
>>
>> JBQ
>>
Would an option to copy the 'internal memory' filesystem onto the SD
card be considered an acceptable solution by the carriers?
The way I'd envision this is to have the phone format the card, create
an encrypted filesystem, and then copy the internal filesystem onto it.
Now, whenever the phone is booted, the card would be mounted instead of
the normal internal flash. Reboot with the card removed and you'd go
back to the internal flash filesystem.
Immediate problems I can see:
- problems if the card is removed while the phone is running
- no way of copying data back into the phone internal filesystem
- no user-accessible SD card any more; /sdcard would have to be a
directory in the filesystem, and there wouldn't be access to it from
other machines
Benefits:
- easy to implement
- user upgradable
- allows different 'phone personalities' by simply replacing the card
and rebooting (it's actually a pity the whole MegaSIM concept died; that
would be ideal for this)
--
┌─── dg@cowlark.com ───── http://www.cowlark.com ─────
│
│ ⍎'⎕',∊N⍴⊂S←'←⎕←(3=T)⋎M⋏2=T←⊃+/(V⌽"⊂M),(V⊝"M),(V,⌽V)⌽"(V,V←1⎺1)⊝"⊂M)'
│ --- Conway's Game Of Life, in one line of APL
In a nutshell:
-yes, an encrypted filesystem on the SD card is one of the components.
It works better if the encrypted filesystem lives in a disk image on a
FAT SD card (rather that the opposite) for interoperability reasons.
-from that point the challenges are indeed related to what happens
when the user pulls the SD card (i.e. both the actual action of
removing the card, and the fact that the card isn't there).
JBQ
I think that the issue has been acknowledged already, multiple times,
as recently as 2 hours ago.
At this point all I can promise is that this issue will get fixed when
it gets high enough on someone's priority list for them to spend the
time designing a solution and getting it discussed, writing the code,
getting it verified, approved, and submitted.
Apps on SD card isn't an end in itself. It's only a means to an end:
the real goal is to not run out of storage space on the SD card. You
mentioned that you were having issues because you have 17MB of email
data on your internal storage. Being able to install apps on the SD
card isn't going to help with this, the real solution is to either
store that mail somewhere else, or to have the email app discard it
when space is needed.
In a way, every issue will be fixed "as soon as possible". There are
just so many issues that it's not possible to fix them all right now,
they've got to be prioritized, and the top of the priority list is
what's been communicated on the roadmap. Making hard commitments
beyond that would reduce the ability to adapt to changing conditions
in a short time, so you need to expect the future to remain vague
beyond a couple of quarters.
JBQ
I need support for xvid, ogg theora video codec idroidn the media players... I think Android should format the sd card upon insertion.. with (format card? Y / n) dialog. Like the Sony PSP.
On Dec 7, 2008 3:19 PM, "al74" <aviad...@gmail.com> wrote:
By the way, I just realized, issues or no issues, one thing that I
could never do when I used WM, Blackberry or Symbian devices is access
and discuss issues with the developers of the operating system. This
just shows how remarkable this OS is. Thank you all team members of
this platform. Whining or not, I am very much grateful for the
opportunity to interact with you.
On Dec 7, 1:37 pm, al74 <aviadle...@gmail.com> wrote: > Thanks. I appreciate your honesty and I und...
How's the App on SD feature coming along? It will indeed be needed on
the brand new Samsung Spica released last week.
On Dec 16, 9:43 am, Disconnect <dc.disconn...@gmail.com> wrote:
> Dunno, have you submitted any patches for it?
> (Hint: the message you replied to was almost exactly a year old. There was a
> much more recent discussion, but - as often happens - it got 75% of the way
> to the first bare requirements list and everyone kinda wandered away.)
>
> If its required for a vendor device, maybe you should ask the vendor about
> it.. (Alternately, see if you can talk google into releasing vaguely up to
> date sources - eg the 2.1 prereleases - and I'm sure any number of people,
> myself included, will be happy to take a look and see what they've done.)
>