
It was a wild, but sadly all-too-short ride. With the just-released webOS 1.04 update, Palm has closed the loophole that allowed us to install Homebrew applications directly via an emailed link.
Sideloading via rooting / developer mode (enabled by the Konami Code) is likely to still be fine and homebrew apps that have been installed before the update are also still present.
Honestly, though, we get it. It was a big security hole and it needed patching. Hopefully a Palm-approved method will come to us before the Palm Pre SDK release later this summer; in the meantime, we're pining for a way to keep this Homebrew train a-rollin'.
We'd recommend that homebrew lovers just avoid the update to 1.04, but from what we hear that will only last a week or so, as Palm intends to make webOS updates mandatory.

Comments
Yikes, seems the link to Email Attachment affects pics/wallpapers also. I just tested sending a wallpaper to my phone via email. I got the message, but no attachment. The link included activated the flippy floppy cards opening all over the place condition.
LMAO Palm is on it with this phone I see... Since they are watching let's keep telling them what we want!
DAMN DAMN DAMN!! I updated right before trying to install the homebrew apps for translation and notifications! That's some b*llshi* GRRRRR!!!!!!
so where can we get that facebook app you keep showing in the pics?
ah, i thought maybe some people had it. the web version isn't what i want. still waiting for the native app.
I can tell you what I want: a way to get new apps on the phone. Palm is digging their own grave here. There are reports that app updates have been sent to them a week ago that haven't shown up in the app store, which makes me think Palm is what's slowing the developers down and why we don't have more apps in the store. Then they go and kill the only way we have to get new apps onto the phone without rooting it. They could have easily just added a dialog to the link. I don't think anyone is going to be happy if we have to wait until the fall to get any more new apps.
Let's not even mention the fact that there are hundreds of small fixes/features they could have thrown in with this update to make people feel a little better about it, but no, all they want to do is rain on the parade.
Well, I'm sure you wouldn't like it if you updated some app, only to find out it opened up a huge security hole that allowed someone to root your phone and grab your email passwords, would you?
That's what slows them down. They've got to validate those updates first if they're going to make them so easy to push out to people so they can prevent trojans from appearing. Ultimately, I bet they would have been fine with the email-side loading trick if it hadn't been a method to stick some app on a device without having physical access to said device and doing some kind of acceptance thing. It'd be nice if someone there coded out a simple java app that could load an app over the usb connection. After all, there's an app that imports contacts from old Palm Desktop stuff...
Actually, in regards to sideloading via usb connection, it is already very possible, and easy/simple to do. All you really need is the SDK. With that, and using Konami Code to enable Developer Mode on your Pre, it's very simple to install those same files (packages, .ipk) to your own Pre. Check the forums, very cool stuff.
The thing is it's an actual security issue. Palm can't arbitrarily ignore the fact that this method of installation can cause the WebOS to do things you don't want it to, like format your phone, send unwanted messages, fish your passwords.
It's a double-edged sword and many people are going to have to realize that it's the best for everyone, especially those people who are unaware about homebrew applications and they are in a higher risk than we are.
Palm did say they are welcoming the homebrew applications, and I'm sure someone will make an installer app that will function like the App Center, but for Homebrew Apps.
I for one am happy that they take security issues to heart and patch them up as soon as possible, unlike other companies that wait till the next big x.0 release of their OS to patch things up.
We need an "install app" app asap before we are all forced onto 1.04. Something that can check an ftp server or a directory on the device.
No it doesn't. Just needs a Pre in dev mode, with the right palm_install script running to install apps via USB. That isn't really "rooting".
You can avoid installing 1.04 by charging your phone in media sync mode via usb. After 2hrs your phone is charged and it gives you a message asking if you want to install the update. I've done it 3 times now and still use 1.03
Palm better start sending out apps. I'm getting pretty upset. I hope they know that we can still return the thing! (though I probably won't :P)
I wouldn't get worried... YET. I am on the fence with this update, yes I welcome the security fix, because honestly, I may be one of the few people that actually care about security and attempt to break hardware. The email loophole is a fantastic way to create a spyware spam market aimed at this device that ties into the already prevalent spam issues of email today.
I think they shut it down altogether so that they can re-evaluate how to provide that same ease of functionality, but without putting the non-savvy users at risk.
... if we don't get that within the next 10 days via some official installer.app that provides user feedback, etc. then yes, Palm will be slowly dropping the ball...especially in regards to us homebrewers who are the ones keeping the fuel going.
Palm can't win. Had someone coded a nice malicious application that wiped all your data, everyone would be cussing them too.
This was a big, glaring security hole. That is the bottom line.
You want to install homebrew apps?
- Put phone in Developer Mode
- Install Java JRE 6.0 if you don't have it
- Install Safari 4 if you don't have
- Install SDK
- Use: palm_install -d usb my_big_file_name.ipk
That is it.
"That is it"
?? Are you kidding??
1) "Put phone in Developer Mode": Just entering the Konami code, alone, is extremely tedious and annoying.
2) "Install Safari 4": What if you are using Linux or BSD on your computers?
3) "Install SDK": What if you don't have access to the SDK? What if you are using MacOS, Linux, or BSD?
I agree that the Email method was a huge security problem (but only because there is no confirm process)... But I can install apps on my Treo by downloading them on ANY platform, pushing the .prc file to the Treo using apps on ANY platform, and boom- the app is installed. I don't need a hack. I don't need "permission". I don't need to wait for it to appear in some app store. I can even download and install a PalmOS program right from the browser!
Yes, there should be some type of "confirm" process. And probably a warning about installing non-store apps. And maybe even a more stern second warning if it isn't signed. But I should have the option to install any application I want on MY phone, using any platform, without resorting to shady tricks, rooting, or hacks!
Well first off, I have to agree with OP in that "that is it". It's not too much to ask for considering it is installing homemade programs that haven't gone through Palm.
Second, you could have Chrome instead of Safari 4 & it still works fine.
And third, unless I'm mistaken, Palm has said that there will be a way to install these types of homemade apps. They're obviously still working on a bunch of stuff, and I agree with you that you shouldn't have to "hack" and root (even though you don't even need to) to install these applications, but you won't have to. Eventually there will be a simple way, probably via USB Mode or something like that. But the important thing is that in the meantime, people who do have the SDK & the know-how are still able to work on improving these applications and developing more, so that when there is a public method, there will be more great stuff for you!
Obviously you've all already seen this but I wanted to let everyone here know that we have released a patch today that fixes the vulnerability in question here.
I also wanted to take this chance to point people to http://www.palm.com/us/company/security . We have contact information there for reporting security-related issues and appreciate it when people reach out to us. We try to stay on top of the forums and sites, but proactive notification helps make webOS a better and safer platform. Thanks to xorg, simplyflipsflops, and spotter for their assistance -- we always appreciate the contributions of our developer community.
Brian Hernacki
Chief Security Architect, Palm Inc.
brian.hernacki@palm.com
Brian,
Thanks not only for taking care of our favorite new device, but for coming here to participate in this community. It's great how Palm is supporting both the developer and the "explorer" communities, in sharp contrast to that other multitouch smartphone maker. {ProfJonathan}
If you need to go back to 1.0.3 the webosdoctor is still 1.0.3 and has not been updated yet.
Thank you Palm!
I love the fact that you guys are on top of fixing security issues!
I'd much rather have a secure device than one with loop holes that can be exploited. :)
I would like to comment that the bug I found had nothing to do with the email loop hole. If Palm wants to give out details it will be up to them, but again closing the email loop hole was not from me.
I was thinking about installing the translator and sound notification app before I am forced to update to 1.04. Have you guys had any adverse reactions on your phone after downloading these trusted apps? Speed, battery life or any other changes? I realize that I don't have to root my phone, but I am still apprehensive to mess it up. Are they worth it to download?
Thanks.
So what will be the official method to sideload apps, then? It sounds like this often-touted ability isn't really going to work. Shouldn't you be able to install something via a user prompt?
I have a feeling that Palm's putting all their might into this phone. Like holy crap, Palm, PALM! has more than two updates within a month :D , But I think this also means they're trying hard to keep everything running smoothly, and for those of you who understand Poly's Gran Turismo series, they'll take their time to do it right.
For all we know Palm might be rehashing their app store setup, and it wouldn't surprise me if they're testing the waters before they do anything, you know, dipping your toe in the water instead of diving right in before you know how to swim...
I for one, welcome the security updates.
This thing is a business phone, not a toy to be mucked around with.
on a much lighter note: The Sudoku app is updated in the App Catalogue. It is much much better!
Thanks for letting us know about the updated Sudoku app. It is much better now. I wish there was a way to know when an app has an update. Sudoku was listed as released 'Today'. In time I hope we have a better method.
Pre rocks!
Thanks Palm for the security update.
PreCentralers, while I get we as humans, particularly Americans, don't much like it when we perceive something has been "taken" from us, consider whether we actually lost anything in the interim?? It's not like there was a MASSIVE Catalog of Homebrewed apps, half a dozen tops.
Don't get me wrong, I want more apps like the next person, I want to build my own as well. More than that though I want a device that is not so easily hacked that anyone with some javascript and an email client can brick it or steal my identity.
Agreed. And, that was just a temporary hack anyway. There currently are non-rooting ways to install apps, so people can still work on them and develop more and stuff.
Just a matter of time before we've got a "public" way of doing it.
Updates tonight for Speed Brain, Infopedia, Mobile Craig's List, SplashID, NYT, Evernote, Citysearch...
Palm has already pushed it to my Pre. I delayed it but it will install at next charge. SLAM goes the door.
Be glad that we still have the access we do. When the time comes, I am sure there will be a better way to share apps.
I am new to Pre, was very happy to have one of the greatest phones. I have been hoping and hoping to see some changes in better way, but haven't seen it yet. There were two webOS downloading/updating, whatever that did, I didn't notice anything but trouble. I can't reply my e-mails, there is no games to play, tell my co-workers, who owned iphones, any special features, etc...
Even Sprint tech specialist couldn't fix it. For two days in a row, the Sprint tech tried to fix the problem, but gave up. What can I do???
I e-mailed my concern and problem to Brian Hernacki
Chief Security Architect, Palm Inc.
brian.hernacki@palm.com, but didn't get any reply.
Who can help me? Anyone????
Please!!!
Damn...That's why I can't get the download. I put the update in first and just word on this site.