Paul Theriault wrote: > (bcc dev-gaia) > > I have been discussing the security implications of remote debugging with a > number of people and I wanted to through the question out to a wider > audience. Remote debugging allows access to read any data in app and as such > has implications for the scenario of when a user loses their phone. > > Do we want to allow the remote debugger to connect to any app? > > My proposal is that, for production devices, you should only be allowed to > debug the apps you are developing. That is, the remote debugger will only > connect to web apps and privileged apps pushed to the device via the > simulator. It will _not_ connect to certified apps, or signed privileged apps > installed from the store. The only exception to this i can think of is we > probably support remote debugging of tabs within the browser app (and > possibly bookmarked web pages opened by the system app).
That would make me sad. We want to make the phone as hackable as possible, and that would make the life of the certified and signed privileged apps developers harder (they might not have a developer phone, just a regular phone), and regular developer won't have access to the code of other apps (to learn). Is the following the scenario you're trying to address here? Phone get stollen. The user didn't set a password. The thief can turn on remote debugging and then have access to the data of the user. But: 1) the user didn't protect his phone 2) he already has access to many things (emails, contacts, etc). 3) he has access to the physical device, so to the sdcard (if any) 4) because the user has access to the email, he can already do many things (password recovery for example) So your proposal would prevent people to steal password only if: the phone doesn't have a code, the phone is not rooted, the phone doesn't have an accessible sdcard, passwords are not recoverable via email. Is that right? -- Paul _______________________________________________ dev-b2g mailing list dev-b2g@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-b2g
