No edit summary | No edit summary
| Line 7: | Line 7: | ||
{{FeatureTeam | {{FeatureTeam | ||
|Feature product manager=Lucas Adamski | |Feature product manager=Lucas Adamski | ||
|Feature | |Feature lead engineer=Jonas Sicking, Chris Jones | ||
|Feature security lead=Paul Theriault | |Feature security lead=Paul Theriault | ||
}} | }} | ||
{{FeaturePageBody | {{FeaturePageBody | ||
|Feature open issues and risks= | |Feature open issues and risks=What unique types of apps do we support (local installed with special privileges, local installed with normal privileges, remotely hosted but locally installed, remote apps within browser)? | ||
Will applications need to be signed? (if so how, and what will be signed?) | Will B2G have an "installed apps" mechanism for installing static offline applications, or will all apps be loaded over the web (using Offline Web Application API as necessary for offline mode)? | ||
How should apps with "special" privileges be managed (identified, discovered, installed, updated)? Do they require a different security model? | |||
What restrictions should exist for code and content importing for apps? | |||
Which types of applications need to be signed? (if so how, and what will be signed?) | |||
How does an app store blacklist / revoke an application? | |||
Should permission requests/notifications happen at install time, at runtime, or both? | |||
Should permissions be opt-in or opt-out? | |||
Should apps be notified when permissions are denied for a given app, or should permission failures be indistinguishable from other failure modes? | |||
Exploit mitigations for in-content attacks (i.e. code injection, MITM) | |||
Exploit mitigations for memory-safety attacks (multi-process with restricted rights for app processes) | |||
|Feature overview=The B2G app security model governs how applications are discovered, installed, managed, run and updated. | |Feature overview=The B2G app security model governs how applications are discovered, installed, managed, run and updated. | ||
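Review bot: the last two items added to "Feature open issues and risks" ("Exploit mitigations for in-content attacks (i.e. code injection, MITM)" and "Exploit mitigations for memory-safety attacks (multi-process with restricted rights for app processes)") are bare noun phrases in a list that is otherwise phrased as open questions, so it is unclear whether they are unresolved questions or already-decided mitigations; rephrasing them as questions (for example "Which exploit mitigations are needed for in-content attacks?") or moving them to a separate "planned mitigations" item would keep the field consistent. In the first of those two items, "i.e." should be "e.g.", since code injection and MITM are examples of in-content attacks rather than the complete set.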
| Line 31: | Line 49: | ||
*Apps should not be vulnerable to common web vulnerabilities when granted significant privileges | *Apps should not be vulnerable to common web vulnerabilities when granted significant privileges | ||
*Ability to grant trust for certain highly sensitive privileges (such as phone dialing) may be restricted at the OS level to specific trusted parties | *Ability to grant trust for certain highly sensitive privileges (such as phone dialing) may be restricted at the OS level to specific trusted parties | ||
|Feature non-goals=This document does not try to define the broader B2G security model, nor does it define the Open Web Apps security model even though we expect that B2G will contain a superset of the latter's requirements. | |Feature non-goals=This document does not try to define the broader B2G security model, nor does it define the Open Web Apps security model even though we expect that B2G will contain a superset of the latter's requirements. | ||
|Feature functional spec=A threat model is being documented here: https://wiki.mozilla.org/B2G_App_Security_Model/Threat_Model | |Feature functional spec=A threat model is being documented here: https://wiki.mozilla.org/B2G_App_Security_Model/Threat_Model | ||