Security/Reviews/Campaign management
Item Reviewed

| Item Reviewed | Campaign management / product announcements for Firefox for Android |
|---|---|
| Target | https://wiki.mozilla.org/User:Mconnor/Current/Snippets_Service |

| ID | Summary | Priority | Status |
|---|---|---|---|
| 774497 | [meta] Android product announcements | P1 | RESOLVED |
| 789296 | [Security Review] Campaign management / product announcements for Firefox for Android | P1 | RESOLVED |

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%)
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc.)
- Engage with users who are not using Firefox on Android
  - The app is installed but not being used
  - Gives them some content to try and encourage them to use Firefox
- Messages tailored in various ways to appeal to the user
  - Days idle, handset, etc.
  - Where do we get the info on how many days idle, etc.?
    - Computed by the client. We'd like to use the info from the client; we can choose what to show based on rules still to be decided.
- Intended to use Android notifications: the black-and-white Firefox icon, a title, a short description and a URL. Tapping opens Firefox to that URL.
- 3 questions
  - How do we get things onto the device?
    - Product read about Google Cloud Messaging and wanted to use it. The actual use case is "we want to show stuff on the device", which doesn't need Google Cloud Messaging. All we really want is to pull snippets.
    - Pulled by the client: it hits a statically defined URL (overridable by pref) with some data. The only omission identified so far is the Android API version.
    - This sends some info on the device (see mconnor's spec above).
    - The fetch is triggered by a background alarm process, based on 3 criteria: Is Firefox running? Is the SD card reconnected? Is the system booting? There's a checkbox which overrides this.
  - How is the pref obtained from Firefox by the service?
    - A background Gecko process is run; it uses broadcast intents to send a pref-changed message.
  - How many people see and act on it?
    - We can see how many see it from the requests we get for the snippets. When they tap, we redirect and get another request to measure.
    - From these 2 sources we can see the number of people who see and who act on campaigns.
- Connection questions
  - Is the connection to the snippet service over SSL? Yes, it should be.
  - Are the domains mentioned above the final values? No, arbitrary.
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
Any security threats already considered in the design and why?
- Talking to the correct snippet server?
  - How do we make sure it's the correct URL?
    - There are 2 ways this can be written: we add a feature to Fennec to write it,
    - or you jump through hoops to use an add-on to do this for you (via Java / JNI, etc.).
  - What about MITM between device and snippet server?
- Can we make sure that the snippet URLs use allowed schemes (in this case, HTTP / HTTPS)?
  - Might it help to whitelist domains? Probably not...
- The redirect URL may be known: is there anything people can do by pinging this themselves?
  - The URL contains a nonce which should reduce the likelihood of this (time, plus a random element).
- Snippets in the sample spec show 4 attributes; you'll be looking for items by name, so unknown items won't be looked at.
- Character sets? UTF-8.
- Rogue snippets?
  - How about Android malware that generates the same messages to the snippets client? Malicious Android apps can do far worse things.
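The client-side checks this review asks for (the snippet poll endpoint must be HTTPS, snippet URLs limited to http/https schemes, items looked up by known attribute name with unknown attributes ignored, strict UTF-8 decoding), as an added Python example; this is not Fennec or snippets-service code, and the four attribute names (id, title, text, url), the endpoint and the sample response are assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumed attribute names: the review only says the sample spec has 4 named attributes.
KNOWN_ATTRS = ("id", "title", "text", "url")

def url_has_scheme(url, allowed):
    """True only for an absolute URL whose scheme is in `allowed` and which names a host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme.lower() in allowed and bool(parts.netloc)

def snippet_endpoint_ok(endpoint):
    """The snippet poll must be over SSL: the (pref-overridable) endpoint has to be https."""
    return url_has_scheme(endpoint, ("https",))

def parse_snippets(raw):
    """Decode a UTF-8 JSON response; keep known attributes only, drop items with bad URLs."""
    try:
        items = json.loads(raw.decode("utf-8"))  # strict decoding rejects malformed UTF-8
    except (UnicodeDecodeError, ValueError):
        return []
    if not isinstance(items, list):
        return []
    accepted = []
    for item in items:
        if not isinstance(item, dict):
            continue
        # Look items up by name; an attribute not in KNOWN_ATTRS is never read.
        snippet = {k: item[k] for k in KNOWN_ATTRS if isinstance(item.get(k), str)}
        if len(snippet) != len(KNOWN_ATTRS):
            continue  # a named attribute is missing or not a string
        if not url_has_scheme(snippet["url"], ("http", "https")):
            continue  # e.g. a javascript: or file: URL is dropped rather than opened
        accepted.append(snippet)
    return accepted

# Constructed sample response (not from the spec): one good item, one with a
# disallowed scheme, one carrying an unknown attribute that must be ignored.
SAMPLE_RESPONSE = b'''[
 {"id": "1", "title": "Try Sync", "text": "Keep tabs in sync", "url": "https://www.example.org/sync"},
 {"id": "2", "title": "Bad", "text": "x", "url": "javascript:void(0)"},
 {"id": "3", "title": "New", "text": "x", "url": "http://www.example.org/new", "script": "ignored"}
]'''
```

Running `parse_snippets(SAMPLE_RESPONSE)` keeps items 1 and 3 only, and item 3 comes back without its unknown `script` attribute.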
Threat Brainstorming
Action Items
| Action Item Status | In Progress |
|---|---|
| Release Target | |
| Action Items | Snippet poll must be over SSL - let's make sure. |