B2G App Security Model/Threat Model: Difference between revisions

=== App Host Compromise===
Similar to the vulnerable web application case – a compromised server hosting a Web App would allow the attacker to execute actions on the phone with the permission of the compromised Web App.
('''NOTE: THIS IS AN ASSUMPTION. The assumption in this case is that SSL (or other host-based PKI security) is to be deployed instead of GPG/PGP (or other people-based PKI security). In people-based PKI security, SERVER COMPROMISE IS IRRELEVANT, unless the store owner has been foolish enough to disregard basic security practices regarding keeping GPG private keys off of public-facing servers.''')


====Potential Countermeasures====
* Controls are largely the same as for vulnerable web applications - see above.
* Code Signing is an effective control here (assuming static web apps): sign with a key that is not stored on the hosting server, so that compromise of the server does not directly result in compromised phones. However, signing effectively introduces people-based security and is a recognition of the fact that host-based security is ineffective. For best results, this means adopting the full Debian-like (or Red Hat-like) application distribution model, as documented and described in [[Apps/Security#Debian_Keyring_.28Package_Management.29_for_distribution_of_apps]].
* Under people-based (GPG/PGP) PKI security, a compromised host is completely irrelevant, as the mere hosting of pre-signed, pre-vetted and pre-validated packages has ''nothing'' to do with the actual signing, vetting or validating (which is best carried out on a completely separate network, or better still on a completely network-isolated system).
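A worked illustration of the signing control above, added here as an example and not code from the B2G project: the publisher signs a manifest of file digests on an offline machine, the phone verifies the served files against a pinned public key, and a file altered on a compromised host is rejected. The manifest format, Ed25519 and the two sample files are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// SignedApp is what the host serves: the app files, a manifest of their SHA-256
// digests and an Ed25519 signature over that manifest, made on the publisher's
// offline signing machine. The host never holds the private key.
type SignedApp struct {
	Files     map[string]string // path -> content, as served by the host
	Manifest  string            // "path sha256hex\n" lines, sorted by path
	Signature []byte
}
// buildManifest digests files in sorted order so signer and phone agree byte for byte.
func buildManifest(files map[string]string) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	m := ""
	for _, p := range paths {
		m += fmt.Sprintf("%s %x\n", p, sha256.Sum256([]byte(files[p])))
	}
	return m
}
// SignApp runs offline at the publisher, never on the hosting server.
func SignApp(priv ed25519.PrivateKey, files map[string]string) SignedApp {
	m := buildManifest(files)
	return SignedApp{Files: files, Manifest: m, Signature: ed25519.Sign(priv, []byte(m))}
}
// VerifyApp runs on the phone: the manifest must be signed by the pinned key and the
// served files must match it exactly, so a file edited, added or dropped on the host
// after signing is rejected.
func VerifyApp(pub ed25519.PublicKey, app SignedApp) bool {
	return ed25519.Verify(pub, []byte(app.Manifest), app.Signature) &&
		buildManifest(app.Files) == app.Manifest
}
// Demo signs a constructed two-file app, verifies it, then simulates the host
// altering app.js after signing. Returns (clean, tampered); expected (true, false).
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	app := SignApp(priv, map[string]string{"manifest.webapp": "{}", "app.js": "run()"})
	clean := VerifyApp(pub, app)
	app.Files["app.js"] = "run(); /* edited on the compromised host */"
	return clean, VerifyApp(pub, app)
}
func main() { fmt.Println(Demo()) }
```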


=== App Store Compromise===