Security/Fennec security checklist
Fennec Security Checklist
This document is intended as a handy checklist for people hacking on Fennec. If you make changes to Fennec that touch on any of the points covered in this list and the answer to the question asked is "no" (or you don't understand the question), it would be worthwhile talking to someone in security about the change.
Some of the items in this checklist might seem strange for those used to hacking on desktop Firefox (especially items around file permissions); it's worth remembering that the Android security model differs from what you may be used to.
File system access
- Is all data written stored on internal storage?
- Are files stored on the internal filesystem using the default permissions?
- Is data read from external storage adequately validated?
- Is private data in content providers marked with android:exported=false in the application manifest?
- Are all permissions requested strictly necessary?
- Are permissions defined for the application strictly necessary (do existing permissions not cover them)?
- Is networking the only way to implement this feature (e.g. for local IPC, is an Android Service unsuitable)?
- Are all ports bound restricted to only the interface needed (e.g. for local IPC are you only binding to localhost)?
- Is the application adequately ensuring connections are only from expected sources?
- Is the application ensuring data is valid prior to processing?
- Are the appropriate permissions specified for the receiver?
- Are intents sent directly when a specific receiver is expected (rather than relying on broadcast)?
- For sensitive intents, is the package of the sending application checked for appropriate permissions (think about android permissions equivalent to the receiver capabilities)?
- Do 'android:exported' Services have the appropriate permissions specified?
- Is data read into (or received by) the application sufficiently validated (e.g. user input, data from the network or filesystem)?
- Is data written out of (or sent from) the application appropriately encoded (e.g. data into sqlite)?
- Is data adequately protected at rest?