Maybe I am wrong, but are not all offline web apps static web apps? My 
assumption was that, since the apps which require critical permissions are 
typically those which would need to be offline applications, the restriction 
wasn't a large one. 

When I say static app, I don't necessarily mean hosted on infrastructure 
controlled by the store - to me that is a separate control, as I tried to 
articulate in the Trusted Host control in my email. As far as I understood 
the proposal, anyone can host their own app, on their own server, and then if a 
trusted store trusts them, their app can be granted sensitive permissions. 

The benefits from a security perspective of a static app are reduced risk of 
web application vulnerabilities and/or malicious code:
- It is much simpler to review a static application, and it is possible to 
gain a very high level of assurance - a level which is not usually possible in 
dynamic web applications
- Static apps can be signed, to mitigate the risk of app host compromise, or a 
trusted third party changing the code after submission to the store
- A static app can be reviewed to see how it is using the permissions granted 
to it
- A static application can be reviewed to see if it contains malicious code (to 
an extent)

If the app is served dynamically, what sort of controls would you propose to 
mitigate the threats of server compromise, loading unsafe code and web 
application vulnerabilities? 


On Mar 23, 2012, at 12:44 AM, Ben Francis wrote:

> On Thu, Mar 22, 2012 at 1:50 AM, ptheriault <ptheria...@mozilla.com> wrote:
> To me these controls are not mutually exclusive, but rather a series of 
> controls that provide mitigations against slightly different threats.
> 
> 1. Require the app host to have SSL?
> 2. Require the app to be static HTML/JS/CSS (and prevent loading of dynamic 
> code)?
> 3. Require the app to be hosted on a Trusted App Host (i.e. under the stores 
> control, or a trusted third party)?
> 4. Require code to be signed?
> 
> These all mitigate different threats:
> 
> - SSL mitigates network compromise
> - Static apps are easier to review (reduce chance of vulnerable or malicious 
> code)
> - Deploying from a trusted location (in theory) reduces the risk of changed 
> code due to app host compromise
> - Code signing (with effective key management) prevents static code from 
> being modified on the app host, network or device itself
> 
> Perhaps I am oversimplifying here but to me it's more a case of what security 
> features are we going to support in B2G. I think that 1 & 2 are mandatory:
> 
> Really? I thought that the whole point of Open Web Apps was that anyone can 
> host their own web app on their own web server, then allow their app to be 
> installed either directly from their own server or from a listing on multiple 
> competing app stores, not host the app on one store's trusted server.
> 
> I understand this makes security very challenging, but how is what you 
> describe better than the status quo?
> 
> Also, how many existing web apps have static HTML, CSS and JavaScript in 
> practice?
> 
> Ben
> 
> -- 
> Ben Francis
> http://tola.me.uk
> 

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
