I'd like to mention a specific case where the Android scheme fails catastrophically: Lots of apps ask for permission to "modify and delete USB storage contents" (that's from memory, the exact phrase may be different). This _sounds_ really scary, and it is: IIUC apps with that privilege _could_ completely erase the USB-visible storage if they wanted. What most of those apps actually _need_ is the ability to _create some files_ on the USB storage, and then possibly delete _those_ files later. That could be enforced (perhaps not with OS-level file permissions given that we seem to still be stuck with FAT for USB storage, but certainly by the B2G monitor) and that could be described in a far less scary way.

It is, of course, even better if the monitor can infer user intention to allow an app to create, update, or delete a _specific file_ from user actions, powerbox-style.

zw
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
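To make the proposal above concrete, here is a small reference monitor that mediates an app's access to a shared volume the way the post suggests: any app holding the "create files" permission may create files, but it may later update or delete only the files it created itself, plus any file the user explicitly handed to it through a system file picker (the powerbox-style grant). This is an added illustration, not Firefox OS / B2G code; the volume is a dict standing in for a FAT filesystem, which carries no per-file owner field, so the monitor keeps its own ownership table. App names, paths and file contents are constructed for the demo.

```python
# Hypothetical reference monitor for app access to USB-visible (FAT-style) storage.
# Added illustration only; not part of Firefox OS / B2G. The "volume" is a dict
# standing in for a FAT filesystem, which has no per-file ownership metadata, so
# the monitor records who created each file itself.


class AccessDenied(PermissionError):
    """Raised when the monitor refuses an app's request."""


class StorageMonitor:
    def __init__(self):
        self.volume = {}   # path -> bytes; stand-in for the USB-visible volume
        self.owner = {}    # path -> app id that created the file (monitor metadata)
        self.grants = {}   # app id -> set of paths the user explicitly chose for it

    # ---- policy ---------------------------------------------------------
    def _authorised(self, app, path):
        """An app may touch a path it created, or one the user handed to it."""
        return self.owner.get(path) == app or path in self.grants.get(app, set())

    def _require(self, app, path):
        if path not in self.volume:
            raise FileNotFoundError(path)
        if not self._authorised(app, path):
            raise AccessDenied(f"{app!r} may not modify {path!r}")

    # ---- user-mediated grant (powerbox style) ---------------------------
    def user_grant(self, app, path):
        """Record that the user picked `path` for `app` in a system file chooser.
        The app never names the file itself; the chooser UI supplies it."""
        self.grants.setdefault(app, set()).add(path)

    # ---- operations available to any app with the 'create files' permission
    def create(self, app, path, data=b""):
        if path in self.volume:
            # "Creating" over an existing name is really a write: same rule applies.
            self._require(app, path)
        else:
            self.owner[path] = app
        self.volume[path] = data

    def write(self, app, path, data):
        self._require(app, path)
        self.volume[path] = data

    def delete(self, app, path):
        self._require(app, path)
        del self.volume[path]
        self.owner.pop(path, None)
        for paths in self.grants.values():
            paths.discard(path)

    def listing(self):
        return sorted(self.volume)


def demo():
    """Walk through the scenario from the post; returns what each step yielded."""
    m = StorageMonitor()
    # Constructed sample data: two apps each create one file.
    m.create("camera", "/sdcard/DCIM/IMG_0001.jpg", b"\xff\xd8 photo")
    m.create("notes", "/sdcard/Notes/todo.txt", b"buy milk")
    results = {}

    # The notes app may delete the file it created...
    m.delete("notes", "/sdcard/Notes/todo.txt")
    results["notes_deleted_own"] = "/sdcard/Notes/todo.txt" not in m.volume

    # ...but not wipe the camera's photo, even though it holds the same permission.
    try:
        m.delete("notes", "/sdcard/DCIM/IMG_0001.jpg")
        results["notes_deleted_photo"] = True
    except AccessDenied:
        results["notes_deleted_photo"] = False

    # The user picks the photo in a file chooser for an editor app: that specific
    # file, and nothing else, becomes writable by the editor.
    m.user_grant("editor", "/sdcard/DCIM/IMG_0001.jpg")
    m.write("editor", "/sdcard/DCIM/IMG_0001.jpg", b"\xff\xd8 edited")
    results["editor_wrote_granted"] = m.volume["/sdcard/DCIM/IMG_0001.jpg"].endswith(b"edited")
    results["remaining"] = m.listing()
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat a real deployment would have to handle: because FAT has no owner field, the monitor's ownership table is the only record of who created what, so it has to be persisted and kept in sync with the medium; if the card is written by another host while unmounted from the phone, entries go stale and the monitor should treat unknown files as owned by nobody (no app may modify them without a user grant).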