Re: [Execution and Security Model] Proposal from Samsung Electronics

On 21/02/13 19:48, Jonas Sicking wrote:
> I actually think that specifying a 3rd level for "built in" or
> "certified" apps is something that we'll need to do. We are already in
> the Sysapps WG working on two APIs which at least in Firefox OS
> require that security level. The Telephony API and the SMS API
> currently in Firefox OS are only exposed to "certified" apps.
> 
> Ideal is of course if we can some day change that and expose the API
> more widely. But I don't think that that will happen before we do the
> initial release of those APIs. And for Telephony we might never be
> able to expose it more widely due to regulatory requirements.

Those requirements should be made clear. On Android, you can have an
application that is allowed to make phone calls, but (IIRC) you can't
receive phone calls with anything other than the built-in dialer.
We should know what exactly *can't* be done and what can.

> Additionally, specifying a 3rd level is likely not going to be a lot
> of extra work.

True. That is why I do not object to adding this level for the moment. We
can simply remove it later if it is not needed. However, even if it is
simple, I do not think we should add it simply for the Telephony API.

> But I definitely think that our ultimate goal should be to move as
> many of the APIs to as low level as possible. Or at least as much as
> possible for the various APIs to as low level as possible. So for
> example the SMS API might have a subset which is only exposed to
> certified apps, whereas the ability to be notified of incoming
> messages is exposed to privileged apps, and the ability to read the
> database of stored messages is exposed to normal apps. (Just to pull
> an example out of thin air).

Why would the SMS API be limited to certified applications? A privileged
application is an application that has been marked as privileged by a
store that has been marked as privileged by the runtime. Why should we
expect such an application to not behave correctly? If Firefox OS or
Tizen or Webinos trusts a store, and that store trusts an application,
whether because the code has been reviewed or because the author is
trusted, and we still can't give such an application the right to send
SMSes, then we are either being too cautious, or it means we do not
believe the security model is working, and in that case we should fix it.

--
Mounir

Received on Monday, 25 February 2013 17:46:08 UTC