While we know that we should be able to install apps directly on the Pre eventually, some enterprising folks are looking to do it sooner. Up to now, installing "homebrew" apps seemed to require "rooting" your Pre - i.e. hacking into it a bit. Well, for the past few days, Xorg and Simplyflipflops of our PreCentral forums have been working at figuring out possible ways to get non-App Catalog programs to install and run on the Palm Pre. Of course such things will certainly be explained when the SDK comes out, but they're impatient and we love that.
Clicking links to .ipk files from the browser didn't seem to work unfortunately, but then earlier today Simplyflipflops discovered tapping those links from within emails did work. People with non-rooted Pre smartphones were able to email this link and on opening it, install the app to their device!
There's still a few more things that need to be figured out before we see homebrewed html/css/js apps installed on non-rooted Pre smartphones. There's fine details, like getting the .ipk files signed, and the fact that the homebrewed apps still need to be made, but this is certainly a big step forward. Things just keeping get more and more interesting.
Update: Shaya Potter, xorg, and simplyflipflops have reported success installing an app by emailing it to themselves without having to root their device -- stay tuned for full instructions!
Comments
has anyone tried opening that link up on their pre??
This is raising some security questions in my head. If it's that easy to install an application from an email, we need to be extra careful with what we receive. PLUS I'm hopeful that the hacking community will have a standard trusted repository.
I totally agree with you, and hope Palm comes up with a way to close that hole within the next few days (not weeks).
This "hole" gives new meaning to the term "do not open email attachments!"
Even though I am anxious to start developing for the Pre, I am going to stick with web apps and wait for the official SDK from Palm.
Dan
I'm sure they'll close this asap. Palm is pretty cool to let pre owners root the phone and otherwise hack it. But I'm sure they don't want unwary users getting hurt by bad guys.
Does the pre not display the extension of attachments?
Jason, with the risk of becoming 'that guy', there is a typo in the first line: "enventally" is missing the 'u'. (this post can be deleted if preferred).
I just clicked the link on my pre and it just keeps opening new cards I flicked one and they stopped. But watch out.
I was using mobile version of the site if it matters link format wise
lol... @ editing comments
Oh we luv hackers don't we...
I did like windzilla, multiple pages opening to no-where. Then, from my PC, I downloaded and emailed the file to my gmail account. On the pre I opened it.. but I don't think anything happened...? Thought I'd see a new app (?), but nothing there.
What is it sposta do?
The fact that an Email link would install an ipk is probably a bug in the eyes of Palm. No doubt a later update to WebOS (Palm Linux) will close that "hole".
From a security standpoint, it might best be closed. I would prefer to install (non-store) apps by simply copying them to the device via USB-Storage, THEN clicking them to install them. Hey- it seems that is exactly what I used to do under PalmOS.... Hmm....
Indeed, Installing via email sounds like very poor security. Likely the devs wanted people to be able to open documents and spreadsheets and such, but forgot to lock out binaries from running. I suspect they will rush out an os update to fix that, which they should.
Yeah, I don't see this one as good news at all. I hope Palm closes that hole. I'd love for Palm to give people the option to "trust" other apps with PIM data the way they allows you to grant access to location data. But with a bug like this, I fully understand the desire to limit that option. It would be trivial to create an email-based virus if PIM data were to be shared while this bug exists.
As it stands, I could write an app that runs in the background and sends me your location data, drains your batter and really degrade the performance of your pre and send it out as a spam email. The recipients that have a pre and have turned one full grant of location data access would be hit the hardest.
Yes, you can simply delete the app since right now you can't install "hidden" apps, but once the app catalog goes live and we have dozens of apps on our devices, a new install may go unnoticed for long enough to cause "damage".
Not cool.
That's good to know. Thanks.
we've figured out how to self sign packages.
installs in rooted and non rooted pres.
In that case, I take my previous comment back. This needs to be shut down.
I really hope Palm nips this one in the bud soon. This should be treated as a security vulnerability, not an opportunity for installing apps.
The last thing we need is another platform where cluesless e-mail users cause viruses to spread. Sheesh...Pre botnet anyone?
I really hope Palm nips this one in the bud soon. The last thing we need is another platform where cluesless e-mail users cause viruses to spread. Sheesh...Pre botnet anyone?
I really hope Palm nips this one in the bud soon. The last thing we need is another platform where cluesless e-mail users cause viruses to spread. Sheesh...Pre botnet anyone?
wow no optimism?? this a huge break through, and though i agree that it might pose a security threat until we have the SDK this is the next best thing!! can you imagine the possibilities of apps that can be created and installed??? like was stated in an earlier comment all we need is a reliable and trusted repository!!!!
As a guy who does security research, I agree with the sentiment that the whole I and the others exploited here is way too big to remain open.
With that said, for our purposes, Palm can close it, and we wont care.
Why? because of the way the device works. Upgrades are just new ipk packages.
So, if palm closes it, all we have to do to "jailbreak" the device is run webos doctor, get 1.0.0 put back on, run our jailbreak to get the packages we want installed, and then let palm's updater run to patch the hole.
Now, why were we able to accomplish this? It seems Palm has the setup for a PKI infrastructure, each signed package comes with 3 files
pubkey.pem - the public key of a private/public key pair presumably signed by palm and presumambly individual per developer
signature.sha1 - this is signed sha1 hash of the concatenated binary that makes up a standard ipk, namely control.tar.gz + "data.tar.gz" + "debian-binary". It's signed with the private key of the public private key pair.
cert.pem - this is probably part of the PKI (Public Key Infrastructure) that enables one to verify if the public key included should be trusted (i.e. if the public key is signed by Palm, this cert would enable us to verify the signature chain all the way up).
now, cert.pem is never used to verify anything. the only element used is pubkey.pem, as the package provides pubkey.pem, all I had to do was generate my own private/public key pair. The hard part was figuring out how what data was being hashed and signed.
palm can fix this whole in 2 ways
1) prevent the hole in the first place via the link in email
2) enforce only signed public keys.
but as I said before, for our purposes, this doesn't matter.
Also, for those who are so shocked by this. How do you think the iphone gets jailbroken? they exploit a security hole.
Just to clarify my stance (not that anyone cares...lol).
I don't mind this hack (or any of the hacks) as long as it's a choice. So if you have to root your pre to apply the hack, I'm all for it. What I mind is the ability to do these types of things without rooting your pre. The average Joe will probably not root his pre. It would be nice if this person can be assured a good level of protection from a hacker with bad intensions.
When you root your pre (or jailbreak your iphone) you usually do so with knowledge that not everything will be a smooth process and you accept some risk. If Jane Doe purchases a pre and does not know, nor care about rooting it, she should remain protected.
So it's only the part that says "non-rooted pre" that bothers me. Other than that concern, you guys are amazing, and I'm glad for the "choices" you guys are providing beyond those of Palm.
Is it that hard to not open random emails?
Considering that email based viruses are still a major problem, I say yes. Unfortunately, it is pretty difficult for the general public to not open random emails.
you have to remember that not all people that want to mod there pre or want to add homebrew apps possess the knowledge or background to root there pre!!! what about the average joe that DOES NOT know how to root, but would still like the homebrew apps such as flashlight?? just set up a sexure repository and all should be good
Someone going to a repo to sideload an app is not the issue (that still represents a choice on the part of the user). Receiving a phishing-type email with a faux link that can install something on your device without your knowledge is.
I have no problems to be able to install apps via e-mail, even just via e-mail link. It just needs to be an obvious process 'You are about to install... Yes / No?'
That's all. E-mailing apps to me is one of the ways I currently use. A very convenient one imo. You can, by the way, have all your mails with the apps in attachmens in a separate folder on your mailserver. No worries anymore about hard resetting, and / or having the wrong memory card with you.
Windows mobile uses can click on links and email attachments with .msi files to do ota app installs. So having this functionality isn't always a bad thing. However enterprises will want to be able to limit or restrict what apps run on supported devices. To other users, these installs should be VERY obvious so the user is aware and can decline the option to install if they wish to do so.
Want to leave a comment? Register for free!
In an effort to reduce comment spam, you need to log in to comment. Registration is fast, free, and easy and gives you access to comment, discuss the Palm Pre on the largest Pre forums on the 'net, enter contests, and much more. Join now!