| Line 82: | Line 82: | ||
====Potential Countermeasures==== | ====Potential Countermeasures==== | ||
* Controls are largely the same as for vulnerable web applications - see above. | * Controls are largely the same as for vulnerable web applications - see above. | ||
* Code Signing is an effective control here (assuming static web apps). Signing with a key not stored on the hosting server so that compromise of the server doesn’t directly result compromised phones. | * Code Signing is an effective control here (assuming static web apps). Signing with a key not stored on the hosting server so that compromise of the server doesn’t directly result compromised phones. Again: for best results, this means adopting the full debian-like (or redhat-like) application distribution model, as documented and described in [[Apps/Security#Debian_Keyring_.28Package_Management.29_for_distribution_of_apps]] | ||
* Again: under people-based (GPG/PGP) PKI security, a compromised store is completely irrelevant, as the mere distribution of pre-signed, pre-vetted and pre-validated packages has ''nothing'' to do with the actual signing, vetting or validating. | |||
** In the full Debian-based Package Distribution Model, the user would never even see applications listed from a compromised store, because the full list of available applications, at that time, from that store has to be GPG-signed by the actual store's staff. | |||
** If the full list is not GPG-signed, the device simply refuses to accept the list of applications as valid. No packages will be downloaded from that store. | |||
** The only way to GPG-sign the full list of packages is to obtain (compromise) the GPG key of the staff operating the store. | |||
** The staff operating the store must operate best security practices regarding safe management of GPG keys, keeping the GPG key and its passphrase '''completely''' off of and away from the public-facing mirrors that distribute the actual store's apps. | |||
===Platform Vulnerabilities=== | ===Platform Vulnerabilities=== | ||
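Review bot: The new top-level bullet stating that a compromised store is "completely irrelevant" is stronger than the sub-bullets beneath it support. Those sub-bullets make the guarantee conditional on the store staff's GPG key and passphrase staying off the public-facing mirrors. Suggest wording it as a conditional, for example "a compromised mirror cannot add or alter packages as long as the signing key is held off the mirror". The added bullets also cover only whether the package list is signed, not whether it is current, so a bullet on how the device rejects an old but validly signed list would close that gap. Two smaller points: the sentence appended to the Code Signing bullet has no closing full stop, and the link exposes the raw anchor "Debian_Keyring_.28Package_Management.29_for_distribution_of_apps", which would read better with a piped label.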