On Wed, Apr 11, 2012 at 5:46 PM, Lucas Adamski <[email protected]> wrote:
> How do we determine a size/shape/look&feel of this button that will work
> with a wide variety of apps? I browsed around a bit and it seems like
> camera apps use a wide variety of button shapes/colors for the shutter.
>
This is true, a standard button might not fit perfectly with all designs.
But I also don't believe it will ruin any designs. I'm not a graphic
designer -- but I suspect that a fairly neutral button could be selected
that would be both easily recognizable by users and inoffensive to the
aesthetics of UI designers.
> What about an app that wants to take a picture on a time delay, say once a
> minute (but doesn't want a video feed)?
>
You could create an API call specifically for time delay photos, and the
timeframes that are covered by it would be treated like a video feed with
respect to the UI that the user sees. There really isn't much of a
difference between recording video and snapping a frame once a minute in
terms of privacy, so it makes sense to show them the same way to the user;
the main difference is the amount of battery that it drains (which can be
handled by a specific time-delay API call).
> It seems like the consistent recording notification indicator is the key
> security mitigation. Is the required button due to concerns a user might
> be tricked into enabling the camera without realizing they are? Or is this
> a more specific concern for web content rather than installed apps?
In many cases, I do agree that a notification is sufficient. However, I
think that in instances where the action cannot be undone, a notification
is not enough. Once a photo is taken, it's taken and possibly already off
your phone.
> As with anything HTML, clickjacking is a concern.
This is a good point. Clickjacking could be addressed by designing a way
to ensure an element is "on top" (a master z-index?) and also ensuring that
the button is visible for at least {the time it takes for a human to
recognize a button}+1 before it can be pressed.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
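
An added example, not part of the original message or of any Mozilla code: one way to express the anti-clickjacking rule suggested above, where a press only counts if the button has been continuously on top and fully visible for a minimum time. The class `ShutterGuard`, its method names, and the 1000 ms threshold used in the sample are assumptions made for illustration.

```javascript
// Added illustration; ShutterGuard and its method names are hypothetical.
// Timestamps are milliseconds supplied by the caller (the trusted UI layer),
// so the logic can be exercised without a browser.
class ShutterGuard {
  constructor(minVisibleMs) {
    if (!(minVisibleMs > 0)) throw new RangeError("minVisibleMs must be positive");
    this.minVisibleMs = minVisibleMs;
    this.eligibleSince = null; // start of the current unbroken on-top-and-visible run
  }

  // Called whenever the button's state changes.
  // onTop: nothing is drawn above it; fullyVisible: not clipped, hidden or transparent.
  update(now, { onTop, fullyVisible }) {
    if (onTop && fullyVisible) {
      if (this.eligibleSince === null) this.eligibleSince = now;
    } else {
      this.eligibleSince = null; // any interruption restarts the clock
    }
  }

  // Returns { accepted, reason } for a press at time `now`.
  press(now) {
    if (this.eligibleSince === null) {
      return { accepted: false, reason: "not-on-top-or-hidden" };
    }
    if (now - this.eligibleSince < this.minVisibleMs) {
      return { accepted: false, reason: "shown-too-briefly" };
    }
    return { accepted: true, reason: "ok" };
  }
}

// Replays a constructed event sequence and returns the reason for each press.
function replay(minVisibleMs, events) {
  const guard = new ShutterGuard(minVisibleMs);
  const reasons = [];
  for (const e of events) {
    if (e.type === "state") guard.update(e.t, e);
    else reasons.push(guard.press(e.t).reason);
  }
  return reasons;
}
```

Resetting the timer on every interruption matters: without it, content could show the button once, cover it, and uncover it again just as the user clicks.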