Changes

Apps/Security

276 bytes added, 10:39, 22 March 2012
== Proposals ==
=== App instance / version ===
* {{note|Last updated March 14, 2012}}
* Possible definitions of what an app instance / version is
*# a static bundle of code authenticated by manifest + signature (or equivalent)
*# unauthenticated code loaded over any channel, from any origin
* loosely ordered from best to worst (descending) security-wise
* 1) and 2) could work with additional security mitigations/controls
* attacker can use option 2) as a proxy for malicious content
* attacker can use option 2) as a proxy to a paid app (buy once, share with world)
*** User visits widget.lol to install WidgetIncApp which contains a pointer to ACME Store
*** Runtime queries ACME Store to see what permissions should be given to WidgetIncApp
 
=== Security Requirements for Critical App Deployment ===
Still under heavy discussion. (Trusted Stores, Code Signing etc)
* Which permissions will be classed as sensitive?
* What will the minimum bar be?
* Will there even be a separate set of requirements, or will threats be mitigated by App Store processes instead?
=== [http://www.cs.utah.edu/flux/fluke/html/flask.html FLASK] and SELinux for enforcing permissions ===