(removing gaia to avoid cross-posting)

On Sep 10, 2013, at 6:39 PM, Paul Rouget wrote:

> Paul Theriault wrote:
>> (bcc dev-gaia)
>> 
>> I have been discussing the security implications of remote debugging with a 
>> number of people and I wanted to throw the question out to a wider 
>> audience. Remote debugging allows access to read any data in an app and as 
>> such has implications for the scenario of when a user loses their phone. 
>> 
>> Do we want to allow the remote debugger to connect to any app?
>> 
>> My proposal is that, for production devices, you should only be allowed to 
>> debug the apps you are developing. That is, the remote debugger will only 
>> connect to web apps and privileged apps pushed to the device via the 
>> simulator. It will _not_ connect to certified apps, or signed privileged 
>> apps installed from the store. The only exception to this I can think of is 
>> we probably support remote debugging of tabs within the browser app (and 
>> possibly bookmarked web pages opened by the system app).
> 
> That would make me sad. We want to make the phone as hackable as possible, and
> that would make the life of the certified and signed privileged apps developers
> harder (they might not have a developer phone, just a regular phone), and
> regular developers won't have access to the code of other apps (to learn).

I would like to see us at least implement this feature as a preference, so we 
(mozilla/partners) can make a call on a device by device basis, depending on 
whether or not the device is targeted at developers or end-users. 

> 
> Is the following the scenario you're trying to address here?
> 
> Phone gets stolen. The user didn't set a password. The thief can turn on remote
> debugging and then have access to the data of the user.

Yes - from a data security perspective, being able to debug all apps is 
equivalent to having root access on the phone.

> But:
> 1) the user didn't protect his phone
> 2) he already has access to many things (emails, contacts, etc).
> 3) he has access to the physical device, so to the sdcard (if any)
> 4) because the user has access to the email, he can already do many things 
> (password recovery for example)
> 
> So your proposal would prevent people from stealing passwords only if:
> the phone doesn't have a code, the phone is not rooted, the
> phone doesn't have an accessible sdcard, passwords are not recoverable
> via email.

My proposal makes it more difficult for someone with physical access to a 
phone without a passcode to steal sensitive app data. If we limit which apps 
you can debug as I described above, in order to get access to app data, you 
still need root access to the phone. If we allow access to debug all apps, 
this bar is lowered, so that you can access the app data by enabling debugging.

This weakening of security controls would apply to all users who do not set a 
passcode (most?), on devices which are not rooted (all except developer 
phones). 

The sdcard isn't protected regardless of this issue - the only way to protect 
the sdcard is to encrypt it.
Email passwords not being recoverable by email (?) misses the point that it 
is ALL data (cookies, indexeddb etc.).

> 
> Is that right?
> 
> -- Paul

_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
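As an added illustration of the proposal discussed above (this is editor-supplied example code, not Firefox OS, Gaia or devtools code), here is a device-side policy check that decides which targets a remote debugger server may attach to. The policy names, the target shapes, the field names (appType, installSource, signed) and the notion of a per-device preference are all assumptions made for this example; the rules themselves follow the thread: under the production policy, browser tabs stay debuggable, apps pushed by the developer tools are debuggable, and certified apps and store-signed privileged apps are not. An unknown preference value fails closed.

```javascript
// Added example (not Firefox OS / Gaia code): a device-side policy check for
// which targets the remote debugger server may attach to, following the
// proposal in the thread. Policy names, target shapes and field names are
// assumptions made for this illustration.

// Hypothetical preference values, chosen per device as the reply suggests.
const DebugPolicy = Object.freeze({
  ALL: "all",                        // developer device: attach to anything
  DEVELOPER_ONLY: "developer-only",  // production proposal from the thread
  NONE: "none",                      // remote debugging disabled entirely
});

// A target is either a browser tab or an installed app (assumed shapes):
//   { kind: "browser-tab", url }
//   { kind: "app", appType: "web" | "privileged" | "certified",
//     installSource: "simulator" | "marketplace" | "system", signed: boolean }
function canDebugTarget(target, policy) {
  if (policy === DebugPolicy.NONE) {
    return { allowed: false, reason: "remote debugging disabled by policy" };
  }
  if (policy === DebugPolicy.ALL) {
    return { allowed: true, reason: "developer device, all targets debuggable" };
  }
  if (policy !== DebugPolicy.DEVELOPER_ONLY) {
    // Unknown preference value: fail closed rather than open.
    return { allowed: false, reason: `unknown policy "${policy}"` };
  }

  // DEVELOPER_ONLY rules, as proposed in the thread.
  if (target.kind === "browser-tab") {
    // Browser tabs are the one exception the proposal keeps debuggable.
    return { allowed: true, reason: "browser tab" };
  }
  if (target.kind !== "app") {
    return { allowed: false, reason: `unknown target kind "${target.kind}"` };
  }
  if (target.appType === "certified") {
    return { allowed: false, reason: "certified app" };
  }
  if (target.appType === "privileged" && target.signed) {
    return { allowed: false, reason: "signed privileged app from the store" };
  }
  if ((target.appType === "web" || target.appType === "privileged") &&
      target.installSource === "simulator") {
    return { allowed: true, reason: "app pushed by the developer tools" };
  }
  return { allowed: false, reason: "app not installed by the developer tools" };
}

// Constructed sample targets, one per branch above.
const SAMPLE_TARGETS = [
  { name: "browser tab",
    target: { kind: "browser-tab", url: "https://example.org/" } },
  { name: "dev web app",
    target: { kind: "app", appType: "web", installSource: "simulator", signed: false } },
  { name: "dev privileged app",
    target: { kind: "app", appType: "privileged", installSource: "simulator", signed: false } },
  { name: "store privileged app",
    target: { kind: "app", appType: "privileged", installSource: "marketplace", signed: true } },
  { name: "certified app",
    target: { kind: "app", appType: "certified", installSource: "system", signed: true } },
];

// Evaluate every sample target under a policy; returns { name: allowed }.
function evaluatePolicy(policy) {
  const result = {};
  for (const { name, target } of SAMPLE_TARGETS) {
    result[name] = canDebugTarget(target, policy).allowed;
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of Object.values(DebugPolicy)) {
    console.log(policy, evaluatePolicy(policy));
  }
}
```

The check has to run inside the debugger server on the device, before any actor for the target is handed out; gating only in the desktop client would be bypassable by anyone speaking the protocol directly, which is exactly the attacker with physical access that the thread is worried about.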