Security/B2G/Jan 29 2013

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

News

• Updates - status of FOTA updates?
  • FOTA updates will be delivered by ZTE, not by mozilla
  • 12 week cadence
  • No Mozilla provided update to end-user devices
• Will dev (geekphone) phones be used internally?
  • No, geeksphone is an initiative run by telefonica, and these wont be used internally

Current/upcoming Reviews

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdE9SMm5xNzBwTk13UHBCcUdQazNUQ1E#gid=0

High Priority:

• Updates - review done, chasing up some action items and outstanding questions (some final changes are happening)
• Browser API - Pauljt, this week if I can get devs.
• Tethering - anyone have time to look at this? dchan
• Gaia: Document a combined review/close these out somehow?
• Web Activities (including system activities) - document and close out. pauljt

Goal Status

1. FirefoxOS related security reviews (owner: pauljt)
2. Document Firefox OS Security (owner: dchan)
   • Open Web Apps Permission Mode
     • document each permission and what it allows
     • document what a no permission app can do vs webcontent
   • Firefox OS Security Architecture
     • Gaia layer (system app, app lifecycle, UI security etc)
     • Gecko (app sandboxing, activities, mozbrowser etc)
     • Gonk layer ( process level isolation, file permissions, updates, signing infrastructure etc)
3. Develop and land tests for security features (owner: dchan)
   • yvan and dchan met with QA to discuss joint goals for B2g testing
     • finish carryover goals first (permissions suite, webapi)
     • then work on improving test harness and getting normal desktop tests running
4. Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
   • bug bounty, Firefox OS
   • provide material, how to engage?
   • hiring a third-party
5. Drive OS-layer security improvement (owner: kang)
   • ASLR waiting for review and/or gonk upgrade
   • Seccomp discussions going on to get the kernel source from qualcom. not sure about the new dev phones (http://www.geeksphone.com/)
6. Secure app developer/reviewer guidelines/tools (owner: rforbes)
   • Mentee Stanley Wong working on a tool scan apps for security problems. Tool to be completed by mid-year - mainly focused on app security research atm, and identifying which areas to focus on.
   • Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev

Action Items

• Automate XSS fuzzing - mgoodwin to investigate