Security/B2G/2013 4 29

From MozillaWiki
< Security‎ | B2G
Jump to: navigation, search

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room Prior notes are here:


   [cr] after tu-me review, cr's afraid of it
   [cr] private weekend side project:
   use it for fun and profit ^- likes!topic/
   should we be pushing an encryption API
   get proper implementation down in API before devs screw up individually
   lets look at other platforms
   On iOS - put/get OS takes care of storage
   Is profile accessible by non-root
   Unsure, though it looks like a lot of gecko has been made remote

Goals for this week?

Please add what you are working on over the next week(s): Current: [pt] WebRTC review [pt] mozContact API review [pt] WebNFC Review [dc] will look at some reviews [fb] bugbounty discussions, at least 1 review item [cr] get involved with mutimarket / metamarket [cr] get marketplace documentation up on mana

Goal Status Updates

FirefoxOS related security reviews (pauljt)

Develop and land tests for security features (dchan)

Tests got r+, fixing some minor bugs then looking to land Still need to file followups

Bug Bounty defined and ready to launch (freddyb)

   no updates. faq at

Create Firefox OS Security Feature Tracking & Prioritization (pauljt)

Compile Firefox OS issue register (pauljt)

Bugs created, please add bugs

Continue to document Firefox OS Security (pauljt)

no update

Document Update schedule & incident response procedure (pauljt)

Reviewed legal around updates

Firefox OS Sandboxing (kang)

   peak & keon have seccomp bpf support now
   discussions w/ agal & jonas to get seccomp bpf a requirement for b2g version x.y (still have to get ahold of agal)
   merge in /security/sandbox this week maybe?
   Policy regarding adding dangerous code to kernel? (memcow)
   Tested KSM, decent savings too (the whole Nuwa project should brings much more savings tho, due to a better process model)
   IRC: #boxing on (sandboxing)

Malware Defense Strategy (cr)

   [cr] tool for app package analysis prototyped
   might eperiment with sequitur