- From: Peter-Paul Koch <pp.koch@gmail.com>
- Date: Wed, 7 Oct 2009 15:14:20 +0200
- To: "public-device-apis@w3.org" <public-device-apis@w3.org>
- Cc: "richard.tibbett@orange-ftgroup.com" <richard.tibbett@orange-ftgroup.com>
> Thanks for all comments. Nice to have a lively discussion :-)
>
> With my proposal I assume:
>
> * It is possible to securely verify the identity of the web application (typically a signed widget).

Yes, but that does not make the widget safe. The problem is that a widget can import any JavaScript from the Web and execute it. Obviously, this downloaded script may contain insecure items, even when the widget itself doesn't.

So a malicious author creates a widget that imports a perfectly innocent remote script, sends it in for review and signing, and as soon as the widget has passed the tests and is actually downloadable he changes the remote script to steal somebody's address book or whatever.

This is why widget security is such a terribly complicated subject, and why signing is not the solution to our security problems.

> * The mobile platform is capable of preventing any other applications than the application the secret information is aimed for from accessing the information.

As I said earlier, any HTML/XML/JavaScript solution we can devise can easily be copied to another widget. Signing would be a different matter, but even signing does not make a widget safe.

> This of course places restrictions on the usage of this API and places requirements on the devices implementing the API.

I feel that the user should be asked for permission to access address books and such, and that this permission-asking is a browser or OS functionality that cannot be influenced by JavaScript.

> I would like to take your comments to an internal discussion with our security experts and come back with more meat to the discussion later.

Please do!

Thanks,
Received on Wednesday, 7 October 2009 13:14:55 UTC