Security/Reviews/AppStore: Difference between revisions

(Added threat 8)
 
(16 intermediate revisions by one other user not shown)
Line 27: Line 27:
|-
|-
| Product manager
| Product manager
| Ragavan Srinivasan
| Rick Fant
|-  
|-  
|Feature manager
|Feature manager
| -
| Caitlin Galimidi
|-  
|-  
| Engineering lead
| Engineering lead
Line 48: Line 48:
|-  
|-  
|QA lead
|QA lead
| -
| Krupa Raj
|-  
|-  
|UX lead
|UX lead
Line 61: Line 61:


== Open issues/risks ==
== Open issues/risks ==
* TODO Determine different purchase options and basic flow [https://docs.google.com/document/d/15qntg0vPwv_l5_FcyisGZkHV-8cHi3Yu1EEkmKua-lE/edit?hl=en_US&pli=1 link]
* TODO Determine actual data stored on mozilla servers from purchases
* TODO Determine data flow for checkout


== Stage 1: Definition ==
== Stage 1: Definition ==
Line 79: Line 74:
=== Use Cases ===
=== Use Cases ===
[https://wiki.mozilla.org/Apps#Published_docs Published Docs]
[https://wiki.mozilla.org/Apps#Published_docs Published Docs]
=== Data Types ===
==== User Data ====
{| {{table}}
| align="center" style="background:#f0f0f0;"|'''Data Name'''
| align="center" style="background:#f0f0f0;"|'''Description'''
| align="center" style="background:#f0f0f0;"|'''Origin'''
| align="center" style="background:#f0f0f0;"|'''Classification'''
| align="center" style="background:#f0f0f0;"|'''Temporal Length'''
|-
| payKey||identifier for payment specifics||paypal||private||ephemeral
|-
| refund token||submitted with paykey to facilitate refunds||paypal||private||stored
|-
| seller paypal email||identifier for paypal account||AMO||private||stored
|-
| invoice ID||uniquely identifies the transaction||AMO||private||stored
|-
| trackingID||uniquely identifies the transaction||AMO||private||stored
|-
| payment status||status of the payment: completed, failed, pending, etc.||paypal||private||stored
|-
| refund status||status of the refund: completed, failed, pending, etc.||paypal||private||stored
|-
| pre-auth key ||allows direct purchases to paypal||paypal||private||stored
|}
==== Seller Data ====
{| {{table}}
| align="center" style="background:#f0f0f0;"|'''Data Name'''
| align="center" style="background:#f0f0f0;"|'''Description'''
| align="center" style="background:#f0f0f0;"|'''Origin'''
| align="center" style="background:#f0f0f0;"|'''Classification'''
| align="center" style="background:#f0f0f0;"|'''Temporal Length'''
|-
| payKey||identifier for payment specifics||paypal||private||ephemeral
|-
| refund token||submitted with paykey to facilitate refunds||paypal||private||stored
|-
| seller paypal email||identifier for paypal account||AMO||private||stored
|-
| invoice ID||uniquely identifies the transaction||AMO||private||stored
|-
| trackingID||uniquely identifies the transaction||AMO||private||stored
|-
| payment status||status of the payment: completed, failed, pending, etc.||paypal||private||stored
|-
| refund status||status of the refund: completed, failed, pending, etc.||paypal||private||stored
|-
| pre-auth key ||allows direct purchases to paypal||paypal||private||stored
|}


=== Data Flows ===
=== Data Flows ===


==== Diagram ====
==== Diagram ====
[[file:Appstore_purchase_dfd.png]]
[https://wiki.mozilla.org/Apps/ID_and_Payments#Payments_Data_Flow_Diagram Data Flow Diagrams]
[[file:pre-auth.jpg]]
[[file:In-app payments.jpg]]


=== Architecture Diagram ===
==== Data Type Definition ====
[https://wiki.mozilla.org/Apps/ID_and_Payments#Payments_Data_Types Data Types]


== Stage 2: Design ==
== Stage 2: Design ==
Line 157: Line 98:
| align="center" style="background:#f0f0f0;"|'''Notes'''
| align="center" style="background:#f0f0f0;"|'''Notes'''
|-
|-
| 1||Compromise PayPal API key||The PayPal API key is used for communication with PayPal and identifies Mozilla.  If this key is leaked, it is possible to impersonate Mozilla to PayPal.||Separation of payment systems from the rest of AMO.  Incident response process to include communication with PayPal to disable the API key.  Proper CEF logging.||Skilled Attacker||12||3||4 – Reputation||
|-
|-
| 2||Compromise AMO database||Currently, customers' PayPal information resides in the AMO database.  If the AMO database is compromised, this would include the PayPal information.||Separation of payment data from the rest of AMO.  Incident response process to include communication with PayPal to disable pre-auth keys.  Proper CEF logging.||Skilled Attacker||12||3||4 – Reputation||An actual compromise would also require the PayPal API key.
| 1||Compromise AMO database||Currently, customers' PayPal information resides in the AMO database.  If the AMO database is compromised, this would include the PayPal information.||Separation of payment data from the rest of AMO.  Incident response process to include communication with PayPal to disable pre-auth keys.  Proper CEF logging.||Skilled Attacker||12||3||4 – Reputation||An actual compromise would also require the PayPal API key.
|-
|-
| 3||Malicious access to the app's device||If a phone is stolen or lent to a friend or family member, that person can make purchases.||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with a stolen phone.||Malicious User||12||3||4 – Reputation||In other systems (e.g. iOS) this is a configurable setting.
| 2||Malicious access to the app's device||If a phone is stolen or lent to a friend or family member, that person can make purchases.||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with a stolen phone.||Malicious User||12||3||4 – Reputation||In other systems (e.g. iOS) this is a configurable setting.
|-
|-
| 4||Malicious extension could steal BrowserID credentials||A rogue extension could steal credentials or trigger transactions.||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.||Malicious Developer||12||3||4 – Reputation||Funds cannot be siphoned to an arbitrary PayPal account; the receiving account must be registered with the Marketplace.
| 3||Malicious extension could steal BrowserID credentials||A rogue extension could steal credentials or trigger transactions.||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.||Malicious Developer||12||3||4 – Reputation||Funds cannot be siphoned to an arbitrary PayPal account; the receiving account must be registered with the Marketplace.
|-
| 4||Malicious App creates fake iframe  ||An app could create an iframe in order to overlay a purchase iframe. ||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation||
|-
|-
| 5||Malicious App creates fake iframe  ||An app could create an iframe in order to overlay a purchase iframe. ||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation||
| 5||Malicious App creates fake iframe  ||An app could create an iframe in order to overlay a purchase iframe. ||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation||
|-
|-
| 6||Malicious App creates fake iframe  ||An app could create an iframe in order to overlay a purchase iframe. ||A PIN is to be implemented that is required for purchases and in-app purchases.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  Paypal account shows all purchases. ||Malicious App||12||3||4 – Reputation||
| 6||XSS vulnerability could allow a malicious user to force a purchase||If an XSS vulnerability is found in the marketplace, it could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases.  Enable CSP on the marketplace site.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  PayPal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
|-
| 7||XSS vulnerability could allow a malicious user to force a purchase||If an XSS vulnerability is found in the marketplace, it could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases.  Enable CSP on the marketplace site.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  PayPal account shows all purchases.||Malicious App||12||3||4 – Reputation||
| 7||CSRF could force a purchase||If a CSRF vulnerability is found in the marketplace, it could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases.  Enable CSRF protection tokens on the marketplace site.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  PayPal account shows all purchases.||Malicious App||12||3||4 – Reputation||
|-
|-
| 8||CSRF could force a purchase||If a CSRF vulnerability is found in the marketplace, it could be used to force a purchase.||A PIN is to be implemented that is required for purchases and in-app purchases.  Enable CSRF protection tokens on the marketplace site.  CEF logging on transactions to track excessive purchases.  Incident response to deal with stolen credentials.  PayPal account shows all purchases.||Malicious App||12||3||4 – Reputation||
| 8||Compromise AMO web-heads ||An attacker able to run arbitrary code on the AMO web-heads can indirectly sign arbitrary web applications that are in the review queue (any web application that passed the automated scan) via the celery service. The attacker can also directly sign a web application by requesting the signing from the signing service, without any further check.||Mitigation possibilities are being discussed.||System access||12||3||4 – Reputation||
|-
|-
|}
|}
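The mitigation repeated across nearly every row of the table above is CEF logging on transactions so that excessive purchases can be spotted. The following is an added example, not code from AMO or the Marketplace: it formats purchase events as CEF lines, parses them back, and runs a sliding-window detector that flags any account whose purchases inside the window exceed a limit. The vendor/product strings, the extension keys used (rt, suser, src, cs1, cs2 and their labels), the thresholds and the sample transactions are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed header values; the real product strings are not given on the page.
VENDOR, PRODUCT, VERSION = "Mozilla", "Marketplace", "1.0"


def _esc_header(value):
    # In the CEF header only backslash and the pipe separator need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # In the extension, backslash, '=' and line breaks need escaping.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_event(signature_id, name, severity, **extension):
    """Build one line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(v) for v in (VENDOR, PRODUCT, VERSION, signature_id, name, severity))
    ext = " ".join(f"{key}={_esc_ext(val)}" for key, val in extension.items())
    return f"CEF:0|{header}|{ext}"


def purchase_event(user, app_id, amount, currency, src_ip, rt_ms):
    """CEF record for one completed purchase; rt is receipt time in ms since the epoch."""
    return cef_event("PURCHASE", "App purchase", 3, rt=rt_ms, suser=user, src=src_ip,
                     cs1Label="appId", cs1=app_id, cs2Label="amount", cs2=f"{amount} {currency}")


_PIPE = re.compile(r"(?<!\\)\|")      # a pipe not preceded by a backslash
_KEY = re.compile(r" (?=\w+=)")       # a space that starts the next key=value pair


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of extension key/values."""
    parts = _PIPE.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    fields = {n: p.replace("\\|", "|").replace("\\\\", "\\") for n, p in zip(names, parts[:7])}
    ext = {}
    for pair in _KEY.split(parts[7]):
        key, _, raw = pair.partition("=")
        ext[key] = (raw.replace("\\=", "=").replace("\\n", "\n")
                    .replace("\\r", "\r").replace("\\\\", "\\"))
    return fields, ext


class ExcessivePurchaseDetector:
    """Flags an account whose purchases within a sliding window exceed max_purchases."""

    def __init__(self, max_purchases=5, window_ms=10 * 60 * 1000):
        self.max_purchases, self.window_ms = max_purchases, window_ms
        self._recent = defaultdict(deque)   # user -> timestamps inside the window

    def observe(self, user, rt_ms):
        """Record one purchase; return True when this purchase breaches the limit."""
        recent = self._recent[user]
        recent.append(rt_ms)
        while recent and rt_ms - recent[0] > self.window_ms:
            recent.popleft()
        return len(recent) > self.max_purchases


def flag_excessive(lines, max_purchases=5, window_ms=10 * 60 * 1000):
    """Run the detector over CEF lines and return the set of users that tripped it."""
    detector = ExcessivePurchaseDetector(max_purchases, window_ms)
    flagged = set()
    for line in lines:
        fields, ext = parse_cef(line)
        if fields["signature_id"] != "PURCHASE":
            continue
        if detector.observe(ext["suser"], int(ext["rt"])):
            flagged.add(ext["suser"])
    return flagged


# Constructed sample: alice buys twice an hour apart; mallory (a stolen phone,
# threat 3 above) buys six apps in under eight minutes.
T0 = 1_338_508_800_000  # 2012-06-01T00:00:00Z in ms
SAMPLE_LINES = (
    [purchase_event("alice", "app-1", 0.99, "USD", "192.0.2.10", T0),
     purchase_event("alice", "app-2", 1.99, "USD", "192.0.2.10", T0 + 3_600_000)]
    + [purchase_event("mallory", f"app-{i}", 4.99, "USD", "198.51.100.7", T0 + i * 90_000)
       for i in range(6)]
)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("flagged:", flag_excessive(SAMPLE_LINES))
```

The detector keys on the account (suser) because that is what a stolen phone, a rogue extension or a forced purchase all have in common; a second instance keyed on src would catch one source IP driving many accounts. The threshold and window are deliberately low here so the constructed sample trips them; production values belong in configuration, not code.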
Line 263: Line 205:
=== Critical Security Requirements ===
=== Critical Security Requirements ===
PIN required for purchases and in-app purchases. https://bugzilla.mozilla.org/show_bug.cgi?id=759021
PIN required for purchases and in-app purchases. https://bugzilla.mozilla.org/show_bug.cgi?id=759021
Move PayPal processing to independent servers.  https://bugzilla.mozilla.org/show_bug.cgi?id=759055
Move PayPal processing to independent servers.  https://bugzilla.mozilla.org/show_bug.cgi?id=759055
https://bugzilla.mozilla.org/show_bug.cgi?id=759058
https://bugzilla.mozilla.org/show_bug.cgi?id=759058
Temporarily encrypt the pre-auth key: https://bugzilla.mozilla.org/show_bug.cgi?id=717444
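The first requirement above (a PIN required for purchases and in-app purchases) is the mitigation listed for the stolen-device and stolen-credential threats in the table, and a CSRF protection token is the mitigation for the forced-purchase threat. The following is an added example, not code from AMO or the Marketplace, showing a purchase authorization check that verifies a session-bound CSRF token and a PBKDF2-hashed PIN and locks the account after repeated failures. The request and session dictionaries, the server secret, the PBKDF2 round count and the lockout values are assumptions; a production deployment would use the web framework's own CSRF and session handling rather than this standalone version.

```python
import hashlib
import hmac
import secrets

# Assumed: in production this secret comes from the server configuration, not the code.
SERVER_SECRET = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000


def issue_csrf_token(session_id):
    """Session-bound CSRF token: HMAC-SHA256(server secret, session id).
    A cross-site page cannot read it, and a token captured from another
    session does not verify for this one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, token):
    """Constant-time comparison so a forged token cannot be matched byte by byte."""
    if not token:
        return False
    expected = issue_csrf_token(session_id).encode()
    return hmac.compare_digest(expected, str(token).encode())


def enroll_pin(pin):
    """Store a random salt and PBKDF2-HMAC-SHA256 of the PIN, never the PIN itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class PinGate:
    """Checks the purchase PIN and locks the account after MAX_ATTEMPTS failures.
    The online lockout is the real control: a 4-digit PIN has only 10,000 values,
    so the hash alone would not survive an offline attack on a leaked database."""
    MAX_ATTEMPTS = 3
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, salt, digest):
        self.salt, self.digest = salt, digest
        self.failures = 0
        self.locked_until = 0.0

    def check(self, pin, now):
        """Return 'ok', 'wrong_pin' or 'locked'; now is seconds, injected for testability."""
        if now < self.locked_until:
            return "locked"
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.failures = 0
            self.locked_until = now + self.LOCKOUT_SECONDS
            return "locked"
        return "wrong_pin"


def authorize_purchase(request, session, gate, now):
    """Decide one purchase request. request and session are plain dicts standing in
    for the framework's objects (assumed keys: method, csrf_token, pin; id)."""
    if request.get("method") != "POST":
        return "reject: method"        # a state-changing action is never accepted on GET
    if not verify_csrf_token(session["id"], request.get("csrf_token")):
        return "reject: csrf"          # cross-site forged purchase
    result = gate.check(request.get("pin", ""), now)
    if result != "ok":
        return "reject: " + result     # stolen phone or stolen credentials without the PIN
    return "allow"


if __name__ == "__main__":
    salt, digest = enroll_pin("4921")               # constructed PIN for the demo
    gate = PinGate(salt, digest)
    session = {"id": "sess-abc"}
    token = issue_csrf_token(session["id"])
    good = {"method": "POST", "csrf_token": token, "pin": "4921"}
    print(authorize_purchase(good, session, gate, now=0.0))
    print(authorize_purchase(dict(good, csrf_token="forged"), session, gate, now=1.0))
```

The order of the checks matters: the CSRF token is verified before the PIN is hashed, so a cross-site request cannot burn the victim's PIN attempts and lock them out, and a forged request costs the server no PBKDF2 work. Each failed or locked decision is exactly the event the CEF transaction logging above should record.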


== Stage 4: Development ==
== Stage 4: Development ==