Security/B2G/Jan 29 2013

From MozillaWiki
Revision as of 09:31, 30 January 2013 by Ptheriault (talk | contribs)

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room

News

  • Updates - status of FOTA updates?
    • FOTA updates will be delivered by ZTE, not by Mozilla
    • 12-week cadence
    • No Mozilla-provided update to end-user devices
  • Will dev (Geeksphone) phones be used internally?
    • No, Geeksphone is an initiative run by Telefónica, and these won't be used internally

Current/upcoming Reviews

High Priority:

  • Updates - review done, chasing up some action items and outstanding questions (some final changes are happening)
  • Browser API - Pauljt, this week if I can get devs.
  • Tethering - anyone have time to look at this? dchan
  • Gaia: Document a combined review/close these out somehow?
  • Web Activities (including system activities) - document and close out. pauljt

Goal Status

1. FirefoxOS related security reviews (owner: pauljt)

2. Document Firefox OS Security (owner: dchan)
  • Open Web Apps Permission Model
    • document each permission and what it allows
    • document what an app with no permissions can do vs. web content
  • Firefox OS Security Architecture
    • Gaia layer (system app, app lifecycle, UI security etc.)
    • Gecko (app sandboxing, activities, mozbrowser etc.)
    • Gonk layer (process-level isolation, file permissions, updates, signing infrastructure etc.)

3. Develop and land tests for security features (owner: dchan)
  • yvan and dchan met with QA to discuss joint goals for B2G testing
    • finish carryover goals first (permissions suite, WebAPI)
    • then work on improving the test harness and getting normal desktop tests running

4. Engage communities & third parties for Firefox OS security review and testing (owner: pauljt)
  • bug bounty, Firefox OS
  • provide material; how to engage?
  • hiring a third party

5. Drive OS-layer security improvement (owner: kang)
  • ASLR waiting for review and/or Gonk upgrade
  • Seccomp: discussions going on to get the kernel source from Qualcomm; not sure about the new dev phones (http://www.geeksphone.com/)

6. Secure app developer/reviewer guidelines/tools (owner: rforbes)
  • Mentee Stanley Wong working on a tool to scan apps for security problems. Tool to be completed by mid-year; mainly focused on app security research at the moment, and on identifying which areas to focus on.
  • Dumped ideas in here: https://etherpad.mozilla.org/SecureWebAppDev

  • Automate XSS fuzzing - mgoodwin to investigate