This is a particularly weird space because people have generally not been concerned about security in segments unlikely to be profitable to attack: Modder communities have generally been full of hacked or modified apps and operating systems, published by random unknown people all over the world, and generally haven't been that scary, because there's no financial incentive to attack. Attackers are generally looking for a large number of victims or particularly valuable targeted data.
Attacking the PinePhone is... ridiculous... there's almost no reason to do so, with few users, almost none of whom would pay a ransom or have sensitive state actor data available. And the fact that it's such a useless attack vector is also why nobody had their guard up on executing code there.
When you execute a random file you got off the internet (even worse, with sudo) you don’t get to complain about the consequences. The rest of the story is pure fluff.
Android enforces robust sandboxing on all programs, so this would not have happened.
This is the security tradeoff that comes with the standard desktop model of computing, and people should be upfront about it when promoting phones running desktop operating systems.
In this case, I definitely interpreted it as "baked into PinePhone" like the commenter.
Admittedly the same headline that says "iPhone Malware Surprises Users" would probably read the other way. It depends a bit on the subject. If it said "Lenovo Malware Surprises Users" I'd expect it baked in too, rather than just malware that affects Lenovos.
> In this case, I definitely interpreted it as "baked into PinePhone" like the commenter.
PinePhone doesn’t make software, it just makes hardware. Its philosophy is they make hardware that’s easy to hack. All the software is community maintained and not official.
I also read it as "baked into PinePhone".
As to why, well the headline didn't include the fact that the PinePhone ships with no software. So that's not information I had at the time.
What does it ship with? I don’t think mine did, and Pine64’s philosophy was we make the hardware, you make the software, aside from PineBook’s KDE edition off the top of my head.