Apps/Security/Meeting-2012-03-23

From MozillaWiki

Action Items

  • Jonas - to clean up page - https://wiki.mozilla.org/Apps/Security (this page will be central point of knowledge for security models)
  • fligtar - to ensure MarketPlace decisions are documented and will send wiki link to mcoates
  • Lucas - to communicate to b2g mailing list that App security model discussions will happen on dev-webapps mailing list

Attendees

  • Michael Coates
  • Jonas
  • Mike Hanson
  • Bill Walker
  • James Straus
  • Ragavan
  • Justin Scott
  • Lucas Adamski

Agenda

  • Ensure ongoing security model development across B2G, MarketPlace, API are cohesive and in sync.
    • Are business requirements, terms, expectations thoroughly documented?
    • Need for single cohesive security model
  • Provide visibility in security model selections.
    • Status of security model discussions across B2G / MarketPlace /WebApi
  • Validate assumptions and decisions must hold across all three environments.
    • Project Plans and deadlines
    • Planning to design together

Notes - Discussion

  • Web APIs - beginning of security model discussion

    • Discussions happening on open web apps and b2g lists, dev-security
    • Lucas is bringing together ideas from each mailing list and documenting on a wiki page
    • Need for defining terms
    • [bwalker] Origin - App - mapping: documentation on MDN, this is different than B2G
    • [hanson] provenance of logic we're executing - packaging conversation, need to discuss user approval for packaging issues
    • [bwalker] MarketPlace will be store for B2G

  • What security model decisions have been "made" and documented?

Apps:

   one App per origin, manifest hosted at App origin
   App developers submitting Apps to Marketplace since MWC
   Manifest format - https://developer.mozilla.org/en/Apps/Manifest
   B2G phones will use Mozilla Marketplace (or white-labelled version) as their store
   FAQ: https://developer.mozilla.org/en/Apps/FAQs/About_app_manifests
   Apps should feel as much like Native Apps as possible.
   if users think we are selling them bookmarks, that's very bad
   Developers ask for permissions for app via Manifest - built into MarketPlace App review process
   Sensitive permissions require developer to explain why sensitive permission is requested
   Updates - MarketPlace checks manifest each day for any updates. Manifest permission changes require new review from review team
   Limiting permissions - no actions taken here for legal / compliance
   

B2G - None yet firm, tracked on https://wiki.mozilla.org/B2G_App_Security_Model

 Process: https://groups.google.com/group/mozilla.dev.b2g/browse_thread/thread/7627684f505aafc2#

API - very few thus far

 [proposed] Grant installed apps unlimited access to storage APIs - no documentation
 [discussed] User control to override allowed permissions

Terms/ideas that need to be defined?

  • Overall principles guiding our system/plan - we know them, but should have on wiki to point people to
  • Manifest - https://developer.mozilla.org/en/Apps/Manifest
  • #s of AppStores - should point to our strategy of supporting multiple apps
  • What is an "app" - Lucas has ideas here (in email)
  • Granting of permissions - who grants permissions? Users, stores? Can users restrict or grant permissions to an app?
  • Remembered Permissions - prompt every time, decay prompting, manifest granted, store granted

Assumptions that are being held - correct?

APIs will prompt user before access is allowed

How do we move forward?

  • Cross post everything? No
  • One mailing list on security-model for all projects? No
  • Decided on using dev-webapps mailing list for all App related security models. Need people's assistance to push conversations to this list.
  • Need a central wiki with the above data - Apps Security Model (this includes B2G / APIs / MarketPlace)