
Firefox OS Security

Paul Theriault, Sept 2013


Presentation Transcript


  1. Firefox OS Security • Paul Theriault, Sept 2013

  2. Firefox OS Components • Gaia - User interface • Gecko – Browser Runtime • Gonk – underlying Linux OS, firmware etc • Third-party Apps - HTML/JS/CSS Apps

  3. Gaia • Collection of web apps which run all UI • https://github.com/mozilla-b2g/gaia

  4. Gecko • Web APIs: navigator.telephony.dial('5551234'); navigator.mozTCPSocket.open("www.mozilla.org", 80); • Gaia Glue (see shell.js) • Gonk Glue (communication with daemons etc)

  5. Gonk • Lower-level operating system • Linux kernel and HAL (Hardware Abstraction Layer) • Open-source libs: libusb, bluez ... • Android libs: GPS, camera ...

  6. Firefox OS Web Apps • HTML, JavaScript, CSS • Defined by location of manifest file • Has to be installed • Can be hosted remotely or in a local package

  7. Challenge #1 Make the web trusted.

  8. Permission Model

  9. Types vs Permissions • Regular content: Geolocation, Fullscreen • Web apps: Sensor API, Alarm API • Privileged apps: Camera API, Alarm API, TCP Socket, Contacts API, Device Storage API, Browser API, WiFi Information API, MobileNetwork API • Certified: Background services, WebSMS, WebTelephony, WebBluetooth, MobileConnection API, PowerManagementAPI, Push Notifications API, Settings API, Permissions API, FM Radio

  10. CSP • Content Security Policy • https://developer.mozilla.org/Apps/CSP • No remote scripts (include them in your app) • No dynamic script (onclick="", eval, Function(), etc) • No remote styles

  11. Web Activities • Provides a mechanism for web apps to access restricted APIs, by asking other apps to get data on their behalf • Also used for user-mediated inter-app communication

  12. Challenge #2 Give users control, while protecting them.

  13. Permission Checks • Permission checks performed at first API use • User has context of activity • Can install the app without granting permissions • Can change their mind later

  14. Permission types • Explicit permissions: Location, contacts, images, audio, video etc. • Implicit permissions: TCPSocket, mobilenetwork, systemXHR, alarms etc.

  15. Challenge #3 Protect apps from each other.

  16. Web App Sandbox

  17. System Architecture

  18. Getting Started • Getting started with apps • http://buildingfirefoxos.com • https://hacks.mozilla.org/ • Tablet Contribution Program

  19. Questions • Security overview: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model • Email: pauljt@mozilla.com
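
An added example (not from the slides or from Mozilla's code): a JavaScript check of an app manifest's requested permissions against the app-type tiers on slide 9 and the explicit/implicit split on slide 14. The manifest permission strings chosen for the slide's API names, the function name `auditManifest` and the `SAMPLE` manifest are assumptions of this example and cover only part of the slide's list.

```javascript
// App types in increasing order of trust (slide 9).
const LEVELS = ["web", "privileged", "certified"];

// Lowest app type allowed to request each permission, following slide 9.
// Keys are manifest permission strings (assumed mapping, partial list).
const MIN_TYPE = new Map([
  ["geolocation", "web"], ["alarms", "web"],
  ["tcp-socket", "privileged"], ["contacts", "privileged"],
  ["browser", "privileged"], ["device-storage", "privileged"],
  ["mobilenetwork", "privileged"],
  ["sms", "certified"], ["telephony", "certified"], ["bluetooth", "certified"],
  ["mobileconnection", "certified"], ["power", "certified"],
  ["settings", "certified"], ["permissions", "certified"], ["fmradio", "certified"],
]);

// Slide 14: explicit permissions ask the user at first API use; the rest are implicit.
const EXPLICIT = new Set(["geolocation", "contacts", "device-storage"]);

function auditManifest(manifest) {
  const type = manifest.type || "web"; // no "type" field means a plain web app
  const violations = [];
  const prompts = [];
  for (const name of Object.keys(manifest.permissions || {})) {
    const base = name.split(":")[0]; // "device-storage:pictures" -> "device-storage"
    const needed = MIN_TYPE.get(base);
    if (!needed) {
      violations.push(name + " unknown"); // not in the table: review by hand
    } else if (LEVELS.indexOf(type) < LEVELS.indexOf(needed)) {
      violations.push(name + " needs " + needed); // app type too low for this API
    } else if (EXPLICIT.has(base)) {
      prompts.push(name); // allowed, but the user decides at first use
    }
  }
  return { violations, prompts };
}

// Constructed manifest for illustration: no "type", so it is treated as "web".
const SAMPLE = {
  name: "Example Notes",
  permissions: {
    "geolocation": { description: "Tag notes with a location" },
    "tcp-socket": { description: "Sync over a raw socket" },
    "contacts": { description: "Share notes", access: "readonly" },
    "device-storage:pictures": { description: "Attach photos", access: "readonly" },
    "sms": { description: "Send a note by SMS" },
    "made-up-api": {},
  },
};
```
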
