Security/B2G/Jan 29 2013
From MozillaWiki
FirefoxOS Security Team Meeting
1pm PST, B2G Vidyo room
News
- Updates - status of FOTA updates?
- FOTA updates will be delivered by ZTE, not by Mozilla
- 12 week cadence
- No Mozilla provided update to end-user devices
- Will dev (Geeksphone) phones be used internally?
- No, Geeksphone is an initiative run by Telefonica, and these won't be used internally
Current/upcoming Reviews
High Priority:
- Updates - review done, chasing up some action items and outstanding questions (some final changes are happening)
- Browser API - Pauljt, this week if I can get devs.
- Tethering - anyone have time to look at this? dchan
- Gaia: Document a combined review/close these out somehow?
- Web Activities (including system activities) - document and close out. pauljt
Goal Status
- FirefoxOS related security reviews (owner: pauljt)
- Document Firefox OS Security (owner: dchan)
- Open Web Apps Permission Mode
- document each permission and what it allows
- document what a no permission app can do vs webcontent
- Firefox OS Security Architecture
- Gaia layer (system app, app lifecycle, UI security etc)
- Gecko (app sandboxing, activities, mozbrowser etc)
- Gonk layer (process level isolation, file permissions, updates, signing infrastructure etc)
- Open Web Apps Permission Mode
- Develop and land tests for security features (owner: dchan)
- yvan and dchan met with QA to discuss joint goals for B2G testing
- finish carryover goals first (permissions suite, webapi)
- then work on improving test harness and getting normal desktop tests running
- Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
- bug bounty, Firefox OS
- provide material, how to engage?
- hiring a third-party
- Drive OS-layer security improvement (owner: kang)
- ASLR waiting for review and/or gonk upgrade
- Seccomp: discussions going on to get the kernel source from Qualcomm. Not sure about the new dev phones (http://www.geeksphone.com/)
- Secure app developer/reviewer guidelines/tools (owner: rforbes)
- Mentee Stanley Wong working on a tool to scan apps for security problems. Tool to be completed by mid-year; mainly focused on app security research at the moment, and on identifying which areas to focus on.
- Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev
Action Items
- Automate XSS fuzzing - mgoodwin to investigate