Security in Qtopia Phones

Trolltech's Qtopia SXE takes a stab at making open-source phones more secure.

Installation Time

After configuring the Package Manager to see the feed server, Qtopia reads a plain-text file named packages.list on the server. This file contains a list of all the packages available on the server, the domains the package is requesting, as well as the description, name, maintainer, size, license and md5sum of every package.

When users want to install a new package, they select it from a list. Users then are prompted with a dialog containing the specific domains that the application is asking to access (Figure 2). Users have a choice whether or not to install. The package then is downloaded to temporary storage, installed and sandboxed. By default, the untrusted packages live in /home/Packages, with the md5sum used as a directory name; for example, /home/Packages/1e67fa93917fedb17f575fe0f2ee2cd8/bin/screenshot.

Figure 2. Package Installation

The Packages directory has a file structure, such as bin/lib/pics/, that symlinks to where the real binaries live. These symlinks use the md5sum in the name, such as 1e67fa93917fedb17f575fe0f2ee2cd8_screenshot → ../1e67fa93917fedb17f575fe0f2ee2cd8/bin/screenshot.

This file path is known to Qtopia, so it can find your shiny new application and add it to the main applications list. This information now lives in the Qtopia content database. In previous versions of Qtopia, all this data simply lived in the filesystem, and Qtopia scanned to find the applications. The Package Manager then runs the sxe_sandbox script to create the LIDS rules for this application.
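The install layout described above can be checked mechanically. The following is an added example, not Qtopia or Trolltech code: it audits a Packages tree and flags any link that does not follow the `<md5sum>_<name>` naming or that resolves outside its own md5sum directory. It assumes bin, lib and pics are the link directories; the all-zero md5sum and the `tool` and `outside` names are constructed sample values.

```python
import os
import re
import tempfile

# Link names follow <md5sum>_<name>, as in the article's example.
LINK_RE = re.compile(r"^([0-9a-f]{32})_(.+)$")

def audit_packages(root, subdirs=("bin", "lib", "pics")):
    """Return (relative link path, problem) for each entry that breaks the layout."""
    root = os.path.realpath(root)
    findings = []
    for sub in subdirs:
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            link = os.path.join(d, name)
            rel = os.path.relpath(link, root)
            m = LINK_RE.match(name)
            if not os.path.islink(link):
                findings.append((rel, "not a symlink"))
                continue
            if not m:
                findings.append((rel, "name lacks md5sum prefix"))
                continue
            sandbox = os.path.join(root, m.group(1))
            target = os.path.realpath(link)  # follows the whole link chain
            if os.path.commonpath([sandbox, target]) != sandbox:
                findings.append((rel, "target outside its package directory"))
            elif not os.path.exists(target):
                findings.append((rel, "dangling link"))
    return findings

def run_demo():
    """Build a constructed Packages tree in a temp dir and audit it."""
    good = "1e67fa93917fedb17f575fe0f2ee2cd8"  # md5sum from the article's example
    bad = "0" * 32                              # constructed placeholder md5sum
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "Packages")
        for d in ("bin", f"{good}/bin", f"{bad}/bin"):
            os.makedirs(os.path.join(root, d))
        open(os.path.join(root, good, "bin", "screenshot"), "w").close()
        os.symlink(f"../{good}/bin/screenshot", os.path.join(root, "bin", f"{good}_screenshot"))
        # Constructed stray entry: correct name shape, target leaves the sandbox.
        os.symlink("../../outside", os.path.join(root, "bin", f"{bad}_tool"))
        return audit_packages(root)

if __name__ == "__main__":
    print(run_demo())
```

The well-formed screenshot link passes; only the constructed stray link is reported.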


Users start an untrusted application by clicking on its icon from the main menu. In Qtopia versions previous to 4.3.0, the untrusted and installed applications were accessible from the Installed Packages application. To make sure an application tries to access only the domains it was granted, Qtopia monitors service access requests with SXEMonitor. If the application tries to access something it did not initially request, such as the phonecomm domain, a breach is registered (Figure 3). The application is terminated, and Qtopia alerts the user with a dialog. It also sends an SMS message directly to the user's Messages inbox. If this application continues to create breaches, Qtopia disables the program completely.

Figure 3. Security Breach Alert

Figure 4. Installed Package in Main Menu

LIDS plays an integral part in all this. SXE works together with LIDS policies to make sure files that should not be accessible are not accessed. You must have LIDS enabled in the kernel to take advantage of SXE. The Mandatory Access Control (MAC) system in LIDS controls lower-level filesystem access. Without it, Qtopia can deny applications access to Qtopia services and tasks in the domain policies, but there would be nothing stopping an application from changing those access rights to something more advantageous for a malicious application.

Figure 5. Security Info Showing SXE and LIDS Status

A number of script templates that ship with Qtopia live in etc/sxe_qtopia and help with the creation of LIDS rules during both the root filesystem creation and package installation. The LIDS-enabled Greenphone writes these policy rules during the first boot after a flash of a system update. An operator can, of course, do this to the filesystem before deployment.

When integrators create a new application or service, they need to add it to Qtopia's etc/sxe.profiles file. This file contains a list of domains and the services and QCop messages associated with them. It is processed by Qtopia at install time to create SXE policies. Integrators also might need to add it to the Package Manager's source code, so it can display the domain's verbose characteristics to the user. This helps users make at least a knowledgeable choice as to whether to install the package. has two feeds set up with simulated malware packages to test, for both the 4.3.0 Greenphone ( and its SDK ( There, you can get the latest Greenphone SDK to try out yourself (Figure 6).

Figure 6. List of Fake Malware Packages on Feed

To enable a LIDS kernel, download the LIDS patches from the LIDS Web site, build the patched kernel, build the LIDS filesystem and configure the policy scripts. Qtopia comes with scripts to help define LIDS policies based on domains. For example, the script etc/sxe_domains/sxe_qtopia_bluetooth creates a LIDS rule like this: