Security/Reviews/AppsOnSDcard: Difference between revisions
Ptheriault (talk | contribs) (Created page with " ==Storing apps data on the sdcard== Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of the local device storage....")
Ptheriault (talk | contribs)
Revision as of 03:33, 11 June 2013
Storing app data on the sdcard
Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of the local device storage. This introduces a number of security threats:
- Sensitive app data might be disclosed
- Apps will not be available if sdcard is not present
- App data may be modified (both app code & data)
Threat Model
Moving apps to the sdcard changes the exposure in a number of threat scenarios.
- Lost device: the sdcard is more accessible than internal storage, potentially exposing app data
- Short-term physical access to the device ('evil-maid' scenario): removing and copying an sdcard is a more likely scenario than copying data off internal memory
- Malicious docking station (e.g. malicious charging station): the USB mass storage controller may expose the sdcard to the host
- Remote exploit through malicious apps/content: APIs (e.g. DeviceStorage) provide limited access to the sdcard
Threats
| Threat | Proposed controls |
|---|---|
| sdcard could be removed and accessed in another machine | Encrypt all data with a device-specific key that is kept on internal storage, not on the sdcard |
| sdcard can be accessed via USB mass storage | Modify USB mass storage so that it only exposes part of the sdcard (not the app data directories) |
| sdcard can be accessed via the Device Storage API | Modify the Device Storage API so that it does not provide access to app data directories |
| weaker file permissions on the sdcard may make exploitation of Gecko vulnerabilities easier | Set permissions with the same restrictions as /data (note: vfat, the usual sdcard filesystem, has no per-file Unix permissions; they are fixed by mount options, so matching /data may require a different filesystem or mount) |