Security/B2G/Jan 29 2013


FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

News

  • Updates - status of FOTA updates?
    • FOTA updates will be delivered by ZTE, not by Mozilla
    • 12 week cadence
    • No Mozilla-provided update to end-user devices
  • Will dev (Geeksphone) phones be used internally?
    • No, Geeksphone is an initiative run by Telefónica, and these won't be used internally

Current/upcoming Reviews

High Priority:

  • Updates - review done, chasing up some action items and outstanding questions (some final changes are happening)
  • Browser API - Pauljt, this week if I can get devs.
  • Tethering - anyone have time to look at this? dchan
  • Gaia: Document a combined review/close these out somehow?
  • Web Activities (including system activities) - document and close out. pauljt

Goal Status

  1. FirefoxOS related security reviews (owner: pauljt)
  2. Document Firefox OS Security (owner: dchan)
    • Open Web Apps Permission Mode
      • document each permission and what it allows
      • document what a no permission app can do vs webcontent
    • Firefox OS Security Architecture
      • Gaia layer (system app, app lifecycle, UI security etc)
      • Gecko (app sandboxing, activities, mozbrowser etc)
      • Gonk layer ( process level isolation, file permissions, updates, signing infrastructure etc)
  3. Develop and land tests for security features (owner: dchan)
    • yvan and dchan met with QA to discuss joint goals for B2G testing
      • finish carryover goals first (permissions suite, webapi)
      • then work on improving test harness and getting normal desktop tests running
  4. Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)
    • bug bounty, Firefox OS
    • provide material, how to engage?
    • hiring a third-party
  5. Drive OS-layer security improvement (owner: kang)
    • ASLR waiting for review and/or gonk upgrade
    • Seccomp: discussions are going on to get the kernel source from Qualcomm; not sure about the new dev phones (http://www.geeksphone.com/)
  6. Secure app developer/reviewer guidelines/tools (owner: rforbes)
    • Mentee Stanley Wong is working on a tool to scan apps for security problems. Tool to be completed by mid-year; mainly focused on app security research at the moment, and on identifying which areas to focus on.
    • Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev

Action Items

  • Automate XSS fuzzing - mgoodwin to investigate