Apps/Security
API permissions
Dataflow
What are we trying to solve?
We want to define API permissions taking into account the following threats:
- How to protect the user from a malicious app
  - An app should not be able to perform more than its manifest specifies
- How to protect the user from a MITM attack
  - A MITM on the app or its manifest may result in the malicious app scenario above
- We don't want to leak a user's personal information (contacts, messages, voicemail, etc.)
Proposed solution
- APIs should have separate permissions for read and write/modify.
  - e.g. an app that only needs to check call state does not need access to place calls
- APIs that need internet access should define which domains they need to talk to
- Manifest should be served over SSL
  - doesn't protect against a compromised cert
  - cert pinning may be a solution
- Manifest should be signed
  - this will provide some "authenticity" in the event the developer doesn't use SSL
  - perhaps hash with a shared secret between developer and app store?
- The rules can be relaxed depending on the set of permissions requested by the manifest
  - e.g. a dialer app that only requests read access to telephony and contacts
  - If the app doesn't request permissions to write/send the data, we may not require the app itself to be served over SSL (though the manifest would still have to be secured)
    - if a MITM does occur in this case, an attacker can't send the data anywhere
Sensitive APIs
- Telephony
  - potential for fraud
- WebSMS
  - potential for fraud
- Contacts
  - personal information