WebAPI/Security/OpenWebApp

From MozillaWiki

Name of API: Open Web App API

Reference:

Brief purpose of API: The Open Web Apps JavaScript API is a programmatic interface for installing Web apps and for managing a client-side collection of Web apps that a user has installed.

General Use Cases:

  • Install an app - navigator.mozApps.install(url, [install_data])
  • A web page can check if it is installed - navigator.mozApps.getSelf()
  • Return a list of the apps installed by this domain - navigator.mozApps.getInstalled()

Inherent threats:

  • Installation grants some minor additional privileges
  • Access to install an app on another domain introduces risks
  • Privacy (users can be identified by list of apps)

Threat severity: Low for Installation API, High for Management API

Regular web content (unauthenticated)

Use cases for unauthenticated code: Just the general cases as above.

Authorization model for normal content: Explicit for install (OS Mediated), Implicit for check status

Authorization model for installed content: Explicit for install (OS Mediated), Implicit for check status

Potential mitigations: getInstalled() only returns the apps installed by the current domain

Privileged (approved by app store)

Use cases for privileged code:

  • A "dashboard" can manage and launch apps on the user's behalf
  • A "dashboard" can monitor the state of logged-in applications

Authorization model:

  • Explicit for Install, Launch and Remove Apps (OS Mediated)
  • Implicit for non-state changing operations related to querying about their own state

Potential mitigations:

  • uninstall() is a method of the application object itself. Since you can only get apps that you installed (using getInstalled()) or yourself (using getSelf()), this mitigates the risks. [Fabrice] I don't think that a user expects one app to be able to silently uninstall another app just because it initiated the install in the first place. [Lucas]

Certified (system-critical apps)

Use cases for certified code: Same as trusted

Authorization model: Implicit

Potential mitigations:

  • Only certified apps can use mgmt.getAll() to see cross-store installs. [Fabrice]
  • Warn when downloading large updates over cellular
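The following is an added illustration of the authorization model and mitigations listed on this page (origin-scoped getInstalled(), uninstall() as a method of the app object, mgmt.getAll() gated to certified apps). It is an in-memory model written for this page, not Mozilla's implementation of navigator.mozApps; the function names createMozApps and resetRegistry, the privilege strings 'web', 'privileged' and 'certified', the consent callback standing in for the OS-mediated install prompt, and the example origins are all assumptions. Real mozApps calls return DOMRequest objects with onsuccess/onerror; this model returns values synchronously to keep the authorization logic visible.

```javascript
// Added example: in-memory model of the Open Web Apps authorization model.
// Not Mozilla's code. createMozApps, resetRegistry, the privilege strings and
// the consent callback are assumptions made for this illustration.

// Shared "device" state: manifestURL -> install record.
const registry = new Map();

function resetRegistry() {
  registry.clear();
}

function originOf(url) {
  return new URL(url).origin;
}

// Build the API surface that a page running at `callerOrigin` would see.
// `privilege` is 'web', 'privileged' or 'certified'.
// `consent(callerOrigin, manifestURL)` models the OS-mediated install prompt
// (explicit authorization) and returns true if the user accepted.
function createMozApps(callerOrigin, privilege, consent) {
  function makeAppObject(rec) {
    return {
      origin: rec.origin,
      installOrigin: rec.installOrigin,
      manifestURL: rec.manifestURL,
      // uninstall() lives on the app object: only code that obtained the
      // object (via getSelf()/getInstalled()) can call it, and it is not
      // prompted again, which is the behaviour Lucas's comment questions.
      uninstall() {
        return registry.delete(rec.manifestURL);
      },
    };
  }

  return {
    // Explicit authorization: the install is refused unless the user consents.
    install(manifestURL) {
      if (!consent(callerOrigin, manifestURL)) {
        throw new Error('DENIED: user declined the install prompt');
      }
      const rec = {
        manifestURL,
        origin: originOf(manifestURL),
        installOrigin: callerOrigin, // who initiated the install
      };
      registry.set(manifestURL, rec);
      return makeAppObject(rec);
    },

    // Implicit authorization: a page may always ask whether it is installed.
    getSelf() {
      for (const rec of registry.values()) {
        if (rec.origin === callerOrigin) return makeAppObject(rec);
      }
      return null;
    },

    // Mitigation from the page: only apps installed BY the current domain are
    // returned, so a site cannot enumerate the user's full app list.
    getInstalled() {
      return [...registry.values()]
        .filter((rec) => rec.installOrigin === callerOrigin)
        .map(makeAppObject);
    },

    mgmt: {
      // Mitigation from the page: cross-store visibility is certified-only.
      getAll() {
        if (privilege !== 'certified') {
          throw new Error('DENIED: mgmt.getAll() requires a certified app');
        }
        return [...registry.values()].map(makeAppObject);
      },
    },
  };
}

// Walk through the three privilege levels and report what each can see.
function demo() {
  resetRegistry();
  const accept = () => true;
  const store = createMozApps('https://store.example', 'privileged', accept);
  const other = createMozApps('https://other.example', 'web', accept);
  const system = createMozApps('https://system.example', 'certified', accept);

  store.install('https://app1.example/manifest.webapp');
  other.install('https://app2.example/manifest.webapp');

  return {
    storeSees: store.getInstalled().length,   // 1: only its own install
    otherSees: other.getInstalled().length,   // 1
    systemSees: system.mgmt.getAll().length,  // 2: cross-store view
  };
}

console.log(demo());
```

The model makes the privacy mitigation concrete: each origin's getInstalled() view is filtered on installOrigin, so the identifying "list of apps" named under inherent threats is only available in full through mgmt.getAll() at the certified level, while install() always passes through the consent hook.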