
LOL sorry yes, too early + sick ;-)

That aside, it feels the same to me: some versions work, some don't.



Why not stick with the version that works? I don't think I've seen this approach before, but I do it for any app that doesn't seem like a security problem when out of date.


"that doesn't seem like a security problem when out of date"

When Spotify has access to your filesystem and the Spotify app would get hacked and owned by another party due to an unfixed security hole, your filesystem would still get owned. (Or are all Android apps really sandboxed nowadays? I doubt it.)


They don't have filesystem access; see the permissions overview in the OS settings for the app.

But also, how would the client be vulnerable in a way that leads to a compromise? Connecting to a domain that doesn't exist anymore? Even then it would need to download executable code, or exploit a bug that leads to it reading and uploading arbitrary files, if it had filesystem access in the first place. Working in the security industry, I never hear of people needing to update mobile apps for such a bug; it seems to be exceptionally rare. Most issues are server problems, direct object access (missing permission checks on invoice PDF downloads or so), or the like.

I do update things like SSH (yes, on my phone) because that actually exposes a port on the network, or email/messaging clients where anyone can send arbitrary content (how many times have we heard of image parsing bugs being exploited through a messaging system like SMS or WhatsApp?); that's not really the case for Spotify. There are attack vectors like the URIs that the app can handle, but it's not wormable in the same way because it requires user interaction and so won't go viral. It would be a specific attack, and there are easier ways to target me.
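The check the comment above points at (what an installed app can actually reach) can be done from a shell rather than the settings UI. The following is an added example, not code from the thread or from any app vendor: it parses the `runtime permissions:` / `install permissions:` lines that `adb shell dumpsys package <pkg>` prints and answers whether any storage permission is granted. The sample input is constructed here to mirror the shape of that output (`<permission>: granted=true|false, ...`); the package name `com.example.player` is made up.

```shell
#!/bin/sh
# Constructed sample modelled on `adb shell dumpsys package com.example.player` output.
# The package name and the permission set are assumptions for the example.
SAMPLE_DUMPSYS='Packages:
  Package [com.example.player] (abc123):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]'

# Same app, but the user has granted the storage permission (constructed variant).
SAMPLE_DUMPSYS_STORAGE=$(printf '%s\n' "$SAMPLE_DUMPSYS" |
  sed 's/READ_EXTERNAL_STORAGE: granted=false/READ_EXTERNAL_STORAGE: granted=true/')

# Read dumpsys text on stdin; print each permission that is granted, one per line.
# Requested-but-denied permissions (granted=false) are deliberately excluded.
granted_permissions() {
  sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\): granted=true.*/\1/p' | sort -u
}

# Exit 0 if any permission that gives access to shared storage is granted.
# READ/WRITE_EXTERNAL_STORAGE cover legacy shared storage; MANAGE_EXTERNAL_STORAGE
# is the "all files access" permission on newer Android releases.
has_storage_access() {
  granted_permissions |
    grep -Eq '^android\.permission\.(READ_EXTERNAL_STORAGE|WRITE_EXTERNAL_STORAGE|MANAGE_EXTERNAL_STORAGE)$'
}

# Stand-alone demonstration on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  echo "Granted permissions (storage denied):"
  printf '%s\n' "$SAMPLE_DUMPSYS" | granted_permissions
  printf '%s\n' "$SAMPLE_DUMPSYS" | has_storage_access && echo "storage: yes" || echo "storage: no"
  echo "Granted permissions (storage granted):"
  printf '%s\n' "$SAMPLE_DUMPSYS_STORAGE" | granted_permissions
  printf '%s\n' "$SAMPLE_DUMPSYS_STORAGE" | has_storage_access && echo "storage: yes" || echo "storage: no"
fi
```

Against a real device the same functions take live output: `adb shell dumpsys package com.example.player | granted_permissions`. Note that a permission listed under `requested permissions:` is only what the app asks for; the `granted=` flag is the state that matters, which is why the parser ignores the request list.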

> (Or are all Android apps really sandboxed nowadays? I doubt it.)

You might want to read up on this. They've always been isolated.


> I don't think I've seen this approach before, but I do it for any app that doesn't seem like a security problem when out of date

Besides security:

There are apps that don't like you lagging behind with updating, like WhatsApp and Epocrates. Since WhatsApp needs internet, there is no way around it. Old versions of Epocrates could be isolated from the internet for the offline content, but they fixed that this year, and you can't download the databases with an older version.


Ah sure, but in the example given (Spotify), it sounds like they're updating but then not liking the new version a lot of the time, so I was curious why update then.
