Revision as of 03:44, 11 June 2013
Storing apps data on the sdcard
Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of the local device storage. This introduces a number of security threats:
- Sensitive app data might be disclosed
- Apps will not be available if sdcard is not present
- App data may be modified (both app code & data)
Threat Model
Moving apps to the sdcard has an effect on a number of threat scenarios.
- Lost device: sdcard is more accessible, potentially exposing app data
- Short-term physical access to device ('evil-maid' scenario): removing and copying an sdcard is a more likely scenario than copying data off internal memory
- Malicious docking station (e.g. malicious charging station): usb mass storage controller may provide access to sdcard
- Remote exploit through malicious apps/content: APIs (e.g. DeviceStorage) provide limited access to the sdcard
Threats
| Ref | Threat | Impact | Proposed controls |
|---|---|---|---|
| R1 | sdcard could be removed and accessed in another machine | sensitive app data disclosed or modified | Avoid storage of sensitive data on sdcard |
| R2 | sdcard can be accessed via USB mass storage | sensitive app data disclosed or modified | modify USB mass storage so that it only provides access to part of the sdcard |
| R3 | sdcard can be accessed via Device Storage API | sensitive app data disclosed or modified | modify Device Storage API so that it doesn't provide access to app data directories |
| R4 | weaker file permissions on sdcard may make exploitation of Gecko vulnerabilities easier | sensitive app data disclosed or modified | Set file permissions with the same restrictions as /data (note: a FAT-formatted sdcard stores no per-file owner or mode bits, so the bits seen by apps come from the mount options; matching /data would require a different filesystem or an image mounted from the card) |