yucemahmut / android-on-freerunner

Automatically exported from code.google.com/p/android-on-freerunner

android-on-freerunner gives unauthorised users access via adb #108

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
android-on-freerunner gives unauthorised users access via adb over any
network interface.
tcp        0      0 0.0.0.0:5555           0.0.0.0:*              LISTEN

Please provide any additional information below.
Come on, seriously, didn't ANYONE THINK THIS WAS A VERY BAD IDEA?

Original issue reported on code.google.com by Black.D....@gmail.com on 24 Jan 2010 at 1:59

GoogleCodeExporter commented 9 years ago
Please try to disable USB debug at
application settings -> development

If this helps then it is easy to solve.

Greetings Serdar

Original comment by seder...@googlemail.com on 24 Jan 2010 at 2:40

GoogleCodeExporter commented 9 years ago
We should provide SSH on the device instead, it's got a long history of being the most secure communications protocol for such things. But obviously even that's not secure if enabled by default with a standard password. A better-seeming solution is: ask the user when they first boot up the phone what to do. If the device is only being used in a basement lab, the defaults might be OK. If it's a real phone that will be used, pick a password and checkbox to enable adb and/or ssh - both disabled by default.

Original comment by dp925...@gmail.com on 24 Jan 2010 at 3:30

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
Thank you for putting the information on the front etc.
Someone said that this might go back to a Koolu commit.
Also, to be clear, I only tested wifi.

Original comment by Black.D....@gmail.com on 24 Jan 2010 at 4:39

GoogleCodeExporter commented 9 years ago
dp925158,
WRT ssh, feel free to provide a patch.

Original comment by scarhill on 25 Jan 2010 at 12:47

GoogleCodeExporter commented 9 years ago
Disabled adb by default. To turn it on, go to Setting/Application/Development and check USB Debugging. If you turn it on it will still be listening on all interfaces.

Original comment by scarhill on 25 Jan 2010 at 4:57
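
A local check for the condition described in this report, as an added example that is not part of the original thread or the project's code: it parses the kernel's `/proc/net/tcp` table and reports any listener on port 5555 that is bound beyond loopback. The sample table is constructed, and a little-endian host is assumed for the address decoding.

```python
import socket
import struct

ADB_TCP_PORT = 5555   # port shown in the report's netstat line
TCP_LISTEN = 0x0A     # "st" value for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0A01A8C0:15B3 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1203 1
"""

def parse_listeners(text):
    """Yield (ip, port) for every IPv4 socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            addr_hex, port_hex = fields[1].split(":")
            state = int(fields[3], 16)
            # The kernel prints the address as a host-order 32-bit word
            # (assumption: little-endian host).
            ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
            port = int(port_hex, 16)
        except (ValueError, struct.error):
            continue                            # malformed or non-IPv4 row
        if state == TCP_LISTEN:
            yield ip, port

def exposed_adb_listeners(text, port=ADB_TCP_PORT):
    """Return listeners on `port` that are reachable from beyond loopback."""
    return [(ip, p) for ip, p in parse_listeners(text)
            if p == port and not ip.startswith("127.")]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP             # fall back to the constructed sample
    for ip, port in exposed_adb_listeners(table):
        scope = "all interfaces" if ip == "0.0.0.0" else ip
        print(f"adb TCP listener on {scope}, port {port}")
```
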

GoogleCodeExporter commented 9 years ago
Sorry to jump in, probably you have already thought about it, but wouldn't it be
better to find a way to bind it only to USB? Does it work via inetd? Or is it
configurable?

Original comment by roberto....@gmail.com on 25 Jan 2010 at 12:24

GoogleCodeExporter commented 9 years ago
We are discussing different ways to make a long-term solution. One way is, as you say, to limit it to one interface in one way or another. But when looking into it a bit it seems that we run adb in a non-standard way for devices. As I understand it, it should be possible to run adb in a way that limits it to using the USB only and does away with the networking part altogether. I'm looking into this to see what consequences, positive and negative, it may have.

Original comment by larlin...@gmail.com on 25 Jan 2010 at 1:16

GoogleCodeExporter commented 9 years ago
So long as people are aware of it, it is probably *ok*ish. The issue is then obviously, a gprs / wifi connection that is to an untrusted network while using adb over usb. Can we add a dialogue perhaps?

Original comment by Black.D....@gmail.com on 26 Jan 2010 at 3:52

GoogleCodeExporter commented 9 years ago
Even when USB debugging is on you cannot access ADB over USB until you explicitly allow it. This is a widget to allow you to do that:

http://forum.xda-developers.com/showthread.php?p=7881237#post7881237

Original comment by bohl...@gmail.com on 31 Aug 2010 at 1:17