Apps/Security

From MozillaWiki
Revision as of 17:02, 7 February 2012 by Dchan (talk | contribs) (→‎Dataflow)

API permissions

Dataflow

[File:WebApp_DFD.png]

What are we trying to solve?

We want to define API permissions taking into account the following threats:

  1. How to protect the user from a malicious app
    • An app should not be able to do more than its manifest specifies
  2. How to protect the user from a MITM attack
    • An attacker who can alter the app code or its manifest in transit turns a legitimate app into the malicious-app case above
    • We don't want to leak a user's personal information (contacts, messages, voicemail, etc.)

Proposed solution

  • APIs should have separate permissions for read and write/modify.
    • e.g. an app that only needs to check call state does not need permission to place calls
  • APIs that need internet access should declare which domains they need to talk to
  • The manifest should be served over SSL
    • doesn't protect against a compromised cert
    • cert pinning may be a solution
  • The manifest should be signed
    • this provides some "authenticity" in the event the developer doesn't use SSL
    • perhaps an HMAC, i.e. a hash keyed with a secret shared between developer and app store?
  • The rules can be relaxed depending on the set of permissions requested by the manifest
    • e.g. a dialer app that only requests access to telephony and contacts
      • If the app doesn't request permission to write/send data, we may not require the app itself to be served over SSL (the manifest would still have to be secured)
      • If a MITM does occur in this case, the attacker can run code inside the app but has no permitted channel to send the data anywhere

Sensitive APIs

  • Telephony
    • potential for fraud (e.g. placing premium-rate calls)
  • WebSMS
    • potential for fraud (e.g. sending premium-rate SMS)
  • Contacts
    • personal information