Changes


Apps/Security

123 bytes added, 21:23, 22 March 2012
no edit summary
 
= Secure Application Distribution =
== Proposals ==
 
= Other =
 
This section contains questions, sections and comments whose purpose has not been made clear, and open issues.
 
==== Kernel permissions manager ====
 
{lkcl.15mar12.2223hrs - it's not clear to me what this section refers to: a userspace application that interacts with the user to help them select the level of access that they wish to grant to a particular application, or to the actual kernel-side implementation that enforces the permissions, or a developer "assistance" suite of software which helps the developer to create the permission set that's to be associated with the application when it's installed}
 
* separate process that controls access to permissions
* responsible for
*# query permissions, true/false if permissions X is granted
*#* support for prompting user in event permission isn't granted
*# add / remove permissions
*# audit permissions
*# support observers for permission change
* permissions requested are based on "uri signatures"
** to be determined what the signature is: domain, partial url, other?
* permissions representation
** type - usb, web, radio, etc
** uri signature
** value
** source - user, manifest, system
** expiration type - never, time-based, session, other?
** expiration time
** allow message - for UI / prompting user
** deny message
* app obtains permission by querying / asking central process
* OS support required for properly constructing the signature; the app should not be able to influence it
** there needs to be a unique identifier that an app can't spoof
* permissions requests can be cached
** cache needs to be invalidated on permission change
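The list above sketches the permissions manager as a data structure plus a small set of operations (query with optional prompt, add/remove, audit, observers, cache invalidation). The following is an added example written for this page, not B2G or Gaia code: every identifier (PermissionManager, uriSignature, the field names, the "web"/"usb" types) is an assumption. It takes the open "uri signature" question as the origin (scheme + host + port) computed by the manager from an OS-supplied URL, stores records with the fields listed, expires time-based and session-based grants, and clears the query cache on every change; time-limited grants are additionally cached only until they expire, since an expiry is not itself a "change" event.

```javascript
// Added example of the permissions-manager design described on this page.
// Not code from B2G/Gaia; all names and field layouts here are assumptions.

// "uri signature": taken here as the origin of a URL the OS supplies for the app,
// so the app itself has no say in it (the page leaves the exact form open).
function uriSignature(url) {
  return new URL(url).origin; // e.g. "https://app.example.test:8443"
}

class PermissionManager {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock, so expiry can be tested
    this.perms = new Map();    // key -> permission record
    this.cache = new Map();    // key -> { value, until }, cleared on every change
    this.observers = [];       // callbacks notified on permission change
    this.audit = [];           // audit trail of add/remove operations
    this.sessionId = 0;        // bumped by newSession(); session grants die with it
  }

  static key(type, sig) { return `${type}|${sig}`; }

  // Record layout follows the "permissions representation" list on the page.
  set(p) {
    const rec = {
      type: p.type,                                 // usb, web, radio, ...
      uriSignature: p.uriSignature,
      value: Boolean(p.value),
      source: p.source,                             // "user" | "manifest" | "system"
      expirationType: p.expirationType || "never",  // "never" | "time" | "session"
      expirationTime: p.expirationTime || null,     // clock value for type "time"
      session: this.sessionId,                      // session the grant was made in
      allowMessage: p.allowMessage || "",
      denyMessage: p.denyMessage || "",
    };
    this.perms.set(PermissionManager.key(rec.type, rec.uriSignature), rec);
    this.changed("set", rec);
  }

  remove(type, sig) {
    const k = PermissionManager.key(type, sig);
    const rec = this.perms.get(k);
    if (rec) { this.perms.delete(k); this.changed("remove", rec); }
  }

  // Every change invalidates the cache, is audited, and is pushed to observers.
  changed(op, rec) {
    this.cache.clear();
    this.audit.push({ op, type: rec.type, uriSignature: rec.uriSignature, t: this.now() });
    for (const cb of this.observers) cb(op, rec);
  }

  observe(cb) { this.observers.push(cb); }

  newSession() { this.sessionId++; this.cache.clear(); }

  expired(rec) {
    switch (rec.expirationType) {
      case "time":    return rec.expirationTime !== null && this.now() >= rec.expirationTime;
      case "session": return rec.session !== this.sessionId;
      default:        return false;
    }
  }

  // True/false whether `type` is granted for `sig`. If no usable grant exists and a
  // `prompt` callback is given, the user's answer is stored (source "user", this session).
  query(type, sig, prompt) {
    const k = PermissionManager.key(type, sig);
    const hit = this.cache.get(k);
    if (hit && (hit.until === null || this.now() < hit.until)) return hit.value;
    let rec = this.perms.get(k);
    if (rec && this.expired(rec)) { this.remove(type, sig); rec = undefined; }
    if (!rec && prompt) {
      this.set({ type, uriSignature: sig, value: prompt(type, sig), source: "user",
                 expirationType: "session" });
      rec = this.perms.get(k);
    }
    const result = rec ? rec.value : false;
    const until = rec && rec.expirationType === "time" ? rec.expirationTime : null;
    this.cache.set(k, { value: result, until });
    return result;
  }
}

// Walk through a timed grant, a cached re-query, expiry, a prompted session grant,
// and session rollover; returns the answers so they can be checked.
function demo() {
  let t = 1000;
  const pm = new PermissionManager(() => t);
  const events = [];
  pm.observe((op, rec) => events.push(`${op}:${rec.type}`));
  const sig = uriSignature("https://app.example.test:8443/index.html?x=1"); // constructed
  pm.set({ type: "web", uriSignature: sig, value: true, source: "manifest",
           expirationType: "time", expirationTime: 2000,
           allowMessage: "Allow this app to use the network?" });
  const r1 = pm.query("web", sig);              // true, from the record
  const r2 = pm.query("web", sig);              // true, from the cache
  t = 2000;
  const r3 = pm.query("web", sig);              // false: timed grant expired, removed
  const r4 = pm.query("usb", sig, () => true);  // prompt grants for this session
  pm.newSession();
  const r5 = pm.query("usb", sig);              // false: session grant lapsed
  return { answers: [r1, r2, r3, r4, r5], events, auditLength: pm.audit.length, sig };
}
```

Observers here receive the record on every set/remove, which is how a caller-side cache (the "permissions requests can be cached" item) would learn to drop its own entries; the manager's internal cache is cleared in the same `changed()` path so the two cannot drift apart.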
 
=== Other (topics that don't fall into above proposals) ===
* Last updated March 14, 2012
* SSL should be used for content delivery
** can provide authentication for client-store communication
*** complicated compared to code signing, since each mirror will either need the same key or the store/app needs to know each valid mirror
** provides end-to-end security
** does not address concerns of a malicious app
* W^X / NX for WebApps
* should the JS "eval" function have a permission added to it?
* bypassing the official package system speeds up app development
** at the risk of destabilising a system!
** should still be allowed though (with caveat that warranty just got voided)
** concept of /usr/local and /usr should be mirrored in B2G with e.g. /usr/gaia/apps and /usr/local/gaia/apps
* self-host discussion http://groups.google.com/group/mozilla.dev.b2g/msg/b079d34ccdec0f85
** The scenario is that an untrusted store attempts to sell an app which is hosted on a trusted store; how is this solved?
 
== Open questions ==
# What happens when a WebApp is revoked?
#* removed from store?
#* removed from user device?
#* refund?
# What is the identifier used when a WebApp is revoked?
#* origin (scheme + host + port)
#* certificate / hash embedded inside the WebApp manifest
# Should eval() and similar functions be considered sensitive APIs / restricted?
#* Adobe AIR restricts eval() in the application sandbox [http://help.adobe.com/en_US/air/html/security/WS485a42d56cd1964150c3d3a8124ef1cbd62-7ffe.html (docs)]
# Should self-signed certificates be allowed?
# What would be signed?
#* CSS
#* scripts
#* content
#* other