Security/Reviews/AppsOnSDcard: Difference between revisions
Ptheriault (talk | contribs)
Revision as of 03:43, 11 June 2013
Storing app data on the sdcard
Storage on the /data partition is limited. It is proposed to store some or all app data on the sdcard instead of in local device storage. This introduces a number of security threats:
- Sensitive app data might be disclosed
- Apps will not be available if sdcard is not present
- App data may be modified (both app code & data)
Threat Model
Moving apps to the sdcard has an effect on a number of threat scenarios.
- Lost device: the sdcard is more accessible than internal memory, potentially exposing app data
- Short-term physical access to the device ('evil-maid' scenario): removing and copying an sdcard is a more likely scenario than copying data off internal memory
- Malicious docking station (e.g. malicious charging station): the USB mass storage controller may provide access to the sdcard
- Remote exploit through malicious apps/content: APIs (e.g. DeviceStorage) provide limited access to the sdcard
Threats
| Threat | Impact | Proposed controls |
|---|---|---|
| sdcard could be removed and accessed in another machine | sensitive app data disclosed or modified | Encrypt all data with a device-specific key, or avoid storing sensitive data on the sdcard |
| sdcard can be accessed via USB mass storage | sensitive app data disclosed or modified | Modify USB mass storage so that it only provides access to part of the sdcard |
| sdcard can be accessed via Device Storage API | sensitive app data disclosed or modified | Modify Device Storage API so that it doesn't provide access to app data directories |
| weaker file permissions on sdcard may make exploitation of Gecko vulnerabilities easier | sensitive app data disclosed or modified | Set file permissions with the same restrictions as /data |
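The Device Storage API control in the table (refuse access to app data directories) is in practice a path policy: every path the API is asked to touch must be normalised, confirmed to still lie on the sdcard, and then rejected if it falls inside a protected directory. The following is an added illustration of that check, written for this page and not Gecko's or Firefox OS's code; the mount point /sdcard and the app data directory /sdcard/.app-data are assumed for the example.

```python
import posixpath

# Constructed layout for this example (assumption, not Firefox OS's real paths):
# the sdcard is mounted at /sdcard and app data is kept under /sdcard/.app-data.
SDCARD_ROOT = "/sdcard"
APP_DATA_DIRS = ("/sdcard/.app-data",)


def resolve_on_sdcard(requested, root=SDCARD_ROOT):
    """Map a caller-supplied path onto the sdcard and collapse '.' and '..'.

    A leading '/' is stripped so that an absolute request is still interpreted
    relative to the sdcard root rather than the device's real filesystem root.
    """
    return posixpath.normpath(posixpath.join(root, requested.lstrip("/")))


def is_within(path, parent):
    """Component-wise containment check.

    '/sdcard/.app-data-old' is NOT within '/sdcard/.app-data', which a plain
    string-prefix comparison would get wrong.
    """
    parent = parent.rstrip("/")
    if not parent:                 # filesystem root contains every absolute path
        return path.startswith("/")
    return path == parent or path.startswith(parent + "/")


def device_storage_allows(requested, root=SDCARD_ROOT, protected=APP_DATA_DIRS):
    """Policy check a Device-Storage-style API would apply before touching a path.

    Returns True only if the normalised path stays inside the sdcard and does
    not fall inside any app data directory.
    """
    resolved = resolve_on_sdcard(requested, root)
    if not is_within(resolved, root):
        return False               # '..' escaped the sdcard entirely
    if any(is_within(resolved, p) for p in protected):
        return False               # inside an app data directory
    return True


def visible_entries(requested_paths, root=SDCARD_ROOT, protected=APP_DATA_DIRS):
    """Filter a directory listing so app data directories are never enumerated."""
    return [p for p in requested_paths if device_storage_allows(p, root, protected)]


if __name__ == "__main__":
    # Constructed sample requests; the last three must be refused.
    samples = [
        "photos/cat.jpg",
        "/photos/cat.jpg",
        ".app-data-old/notes.txt",
        ".app-data/email/inbox.db",
        "photos/../.app-data/email/inbox.db",
        "../../data/local/secret",
    ]
    for s in samples:
        print(f"{s!r:42} -> {'allow' if device_storage_allows(s) else 'deny'}")
```

The check works on path strings only. A real implementation also has to resolve symlinks (for example with os.path.realpath against the mounted filesystem) and apply the check at open time, otherwise a link planted elsewhere on the sdcard can point back into the app data directory; the file-permission control in the last row of the table is what limits the damage if the API check is bypassed.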