Security/B2G/2013 10 29
From MozillaWiki
FirefoxOS Security Team Meeting
1pm PST, B2G Vidyo room
Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_10_22
News
- 1.2 Reviews https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdHNaNUFrQS00Q09FbUFZUmQ5eThpOFE#gid=0
- Gaia Re-Review https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AvtHAy6BmzDTdEVMMmZsMENrY3pKNC1Va3ZMM01haGc#gid=0
- Roadmap https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdHRPbFd0dXZWaTJYby1Ta3hrRzQ5Nmc#gid=0
- Welcome Stephanie
- Welcome Frederik \o/
- weekly meetings
- [dveditz] there is an add-on that exposes nss crypto functions via ctypes
- "Evaluate security concerns of add-on exposing NSS APIs to web content"
- https://bugzilla.mozilla.org/show_bug.cgi?id=930774
- contains an implementation of a preliminary WebCrypto API
- [cr] could http://www.networkworld.com/news/2013/102913-apple-ios-attacks-275318.html be a problem on fxos, too? iOS apps cache "301 - moved permanently" HTTP redirects persistently
- dan will know (if only we required certain apps to use an https backend :))
- "The problem is not a vulnerability in iOS itself but a coding weakness on the part of the developer." per the article. Using TLS prevents the attack. Insecure HTTP web apps (or packaged apps loading http resources) could be vulnerable.
- is there no way to clear the cache or cookies on Firefox OS?!
- I think we treat 301 more like 302; we make no effort to remember permanently beyond the lifetime of the cache entry
- tracking bug created: https://bugzilla.mozilla.org/show_bug.cgi?id=932481
- possibly related older bug: https://bugzilla.mozilla.org/show_bug.cgi?id=696595
- Sandbox enabled on 1.2 Geeksphone
- goal is for 1.3 for other phones - jld working on fixing bugs
- need to fix emulator
- tests don't correctly catch errors on try - bug to update emulator kernel (required for seccomp) - https://bugzilla.mozilla.org/show_bug.cgi?id=908659
Stephanie's updates
- overview of fxos security docs on the wiki https://etherpad.mozilla.org/7QQnGXrez2
- 1.2 branched yesterday
- [cr] does everyone know about http://downloads.geeksphone.com/? All images (including nightlies) are downloadable without a password
- [cr] feature proposals:
- "lock to app"
- enabled via long power button push menu
- require PIN to switch to different app
- like a poor-man's guest mode
- "phone grab lock" theft mitigation
- phone locks if accelerometer detects shakes, locking out thieves in phone grab scenarios
- Common attack; had that happen to a friend in Berlin
- [cr] first fxos malware claim emerged
- (mostly) see last week's meeting, but now there is a Mozilla security blog post proposal currently under review
visibility at Engineering meeting? https://wiki.mozilla.org/Platform/2013-10-29
- https://wiki.mozilla.org/Modules/All#Contacts (tendency: obsolete)
- component owners for b2g
- https://etherpad.mozilla.org/component-owners
Haida roadmap: https://wiki.mozilla.org/FirefoxOS/Haida, https://etherpad.mozilla.org/haida-summit
Weekly goals
- rfletcher looks at Bluetooth in fxos and buffer overflow risks
- stephanie wants to look at the system app and haida
- freddy will have to work on his backlog of web security reviews
Goal Status Updates
- [cr] marketplace tools - challenge getting developer time
- kill switch (in progress)
- blacklisting URLs
- suggested a regular marketplace/security strategy meeting; dbialer will suggest a time
- [cr] integrate key material in contacts
- ongoing design phase, internal rfc coming up