3
edits
B2G App Security Model/Threat Model: Difference between revisions
B2G App Security Model/Threat Model (view source)
Revision as of 22:48, 16 March 2012
, 16 March 2012→Web App Spoofing
| Line 79: | Line 79: | ||
* Web Apps must be installed to gain permissions (ie websites on the same domain as a web app will not get the same permissions) | * Web Apps must be installed to gain permissions (ie websites on the same domain as a web app will not get the same permissions) | ||
* Trusted UI | * Trusted UI | ||
=== Privacy-invasive but non-malicious app === | |||
An application wants information about the user that the user is not comfortable sharing with the app. The application is not outright malicious; it follows FTC guidelines (e.g., it has a privacy policy). However, the user might not like what the app will do with his/her data. Some examples might be: | |||
* An app tags posts with your current location | |||
* An app turns the camera on for an optional chatting feature | |||
* An app collects contact lists for marketing purposes | |||
====Potential Countermeasures==== | |||
* Several of the countermeasures for the malicious web app case also apply here | |||
* Contracts between web sites/apps and the stores that distribute them | |||