I have replied to this thread a while back, but it looks like the mail
never made it because Thunderbird. Here you go – hopefully not again.
-------- Forwarded Message --------
Subject: Re: [b2g] Granting Permissions to the Web
Date: Tue, 10 Feb 2015 15:21:48 +0100
From: Christiane Ruetten <c...@mozilla.com>
To: dev-b2g@lists.mozilla.org, security-f...@mozilla.com

Hi all,

I'd like to seize the opportunity to put out a radical permission
concept idea that emerges interesting security properties by turning the
permission system inside out.

Traditional permission systems as implemented in FxOS focus on
functionality: A photo book cloud app may access camera API, storage
API, locations API, and may make SystemXHR requests. All these are
powerful permissions that invite abuse, and reviewers need to spot all
the obscure code misusing those privileges, for example, for stealing
all the files or for silent user tracking.

The proposal is to re-think permissions from the standpoint of data and
data flow: The app may request picture objects from the camera API or
storage API. The picture objects are decorated with .setLocation() and
.postHttps(url) methods that it may call to have the photo geotagged and
the content sent to the cloud storage. For this to work, it never even
needs to access any of the raw pixel or location data involved, greatly
reducing misuse potential.

This way, apps are also forced to be explicit about their data handling.
User interaction on top of such explicitness becomes much more powerful and
less abstract: "Photo App wants to geotag your camera photos, k?" and
"May Photo App send this geotagged camera picture to facebook.com?
(Yes/No/Always/Never/Just to facebook.com)".

For more advanced use cases, the photo object could be decorated with
basic image processing functions (convolution, crop, scale, face
recognition…). All the use cases that haven’t yet been anticipated could
fall back to a .getRawPixels() getter method, providing a convenient
hook for "The app wants access to the *content* of this picture"
interaction with the user and a perfect opportunity for conveying this
very profound difference.

Likewise you can conceptualize a decorated contacts object that allows
placing calls, opening p2p channels, encrypting data, sending messages,
and all that without revealing to the app any of the personal data or
key material involved.

On the one hand, this only works well when the methods provided
sufficiently cover use cases, such that few apps need to fall back to
raw data access. On the other hand, much of the functionality can be
shared among the various well-known data types handled on a mobile device.

This by no means is thought through in the JS/FxOS and web permissions
context, but it seems very powerful. I'm sure there are many pitfalls,
so I’m eager to get your feedback.

Best,
cr


-- 

Christiane Ruetten
Mobile Malware Specialist
Firefox OS Security
Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
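As an added illustration (not code from the original message, nor from Firefox OS), here is a plain JavaScript sketch of the decorated picture object the proposal describes: the app composes geotagging and upload through methods on a sealed handle, every flow passes a consent check, and only `getRawPixels()` exposes content. `makePictureHandle`, `makeConsent`, `photoBookApp` and the consent question strings are assumed names.

```javascript
'use strict';

// Privileged side: owns the pixel and location data the app never sees.
// consent(question) models the user prompt; transport(url, body) models the
// platform's outbound HTTPS path. Both are assumptions for this sketch.
function makePictureHandle(pixels, consent, transport) {
  let location = null; // written by setLocation(), never readable by the app
  const log = [];      // audit trail of every data flow the app requested
  const handle = {
    setLocation(loc) {
      if (!consent('geotag')) { log.push('geotag:denied'); return false; }
      location = loc;
      log.push('geotag:ok');
      return true;
    },
    postHttps(url) {
      if (!url.startsWith('https://')) throw new TypeError('https only');
      const origin = new URL(url).origin; // prompt is per destination origin
      if (!consent(`send:${origin}`)) { log.push(`send:${origin}:denied`); return false; }
      transport(url, { pixels, location }); // data leaves via the platform, not the app
      log.push(`send:${origin}:ok`);
      return true;
    },
    getRawPixels() {
      // The one hook that reveals *content*; it gets its own distinct prompt.
      if (!consent('raw-content')) { log.push('raw:denied'); return null; }
      log.push('raw:ok');
      return pixels.slice();
    },
    auditLog() { return log.slice(); },
  };
  return Object.freeze(handle); // the app cannot swap methods or reach closure state
}

// Simulated consent UI: answers maps a question to the remembered decision.
function makeConsent(answers) {
  return (question) => Boolean(answers[question]);
}

// A photo-book app written against the handle: it geotags and uploads the
// photo without ever holding pixel or location data.
function photoBookApp(picture) {
  const tagged = picture.setLocation({ lat: 52.52, lon: 13.4 }); // constructed sample
  const sent = picture.postHttps('https://cloud.example/upload');
  const leaked = picture.postHttps('https://tracker.example/collect'); // not consented
  return { tagged, sent, leaked };
}
```

With a consent table that allows geotagging and uploads to cloud.example only, the upload to tracker.example and the raw-pixel request are refused, and the audit log records each decision.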