Jim Straus a écrit :
I definitely don't like the Android model. We'll have to figure out
exactly how to communicate permissions requests to users. On the other
hand, an appropriately vetted and signed app could be given permissions
implicitly in a permissions manifest, so the user doesn't need to deal
with it. Also, some kind of heuristics may make it possible for the
permissions manager to deal with things internally, again not bothering
the user. These are areas that need thought and experimentation.
The Android model is broken, but so was the permission pop-up model.
As ROC said some months ago, the <input type="file"> permission model
just happens to work properly. It can be the model for a good solution
if we properly understand why it works.
So what is needed IMO :
- Find a way to not ask the user at all
To get that :
- don't give the application access to no-GUI API layer that they can
abuse
- give them access to an entry point that controls the GUI of the
sensible part
- allows an application to call an interface with a GUI only when it
has focus
- opaque elements are a good pivot to make this work. They can render
safe something that would be very dangerous if not opaque.
- If that fails and you do have to ask, ask to allow a feature, never
ask to authorize access to some technical elements the average user
understand nothing about
- In some case, the GUI could just *inform* the user, instead of asking.
Maybe the user just needs to be informed that an app is currently
requiring his location.
- Role isolation can help too. Access to contacts is not actually
dangerous if you have no network access and cannot transmit them to
another application.
To implement that you will need :
- A list of preexisting modules that handle safely the most often needed
sensible functionalities
- An extensibility mechanism that will allow to create new modules to
handle cases that the preexisting one don't handle properly. It will be
long, slow and hard to create one compared to just creating a normal
application, and the code will have to be fully audited (probably only
open source modules will be possible)
- Application won't need any authorization, because they are not allowed
to do anything sensible directly. They may however be linked to a list
of the sensible module they use, so that you can audit that, and react
if one is a bit strange.
Also, we could end up with some module that will only be safe if the
application strictly limited in what else it can do.
In concrete terms : You would be allowed to request full and complete
access to contacts, but then you become a contact management application
that has access to *nothing* else. That would be the role isolation
protection layer.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security