Re: [Execution and Security Model] Proposal from Samsung Electronics

On Tue, Feb 26, 2013 at 1:24 AM, Janusz Majnert <j.majnert@samsung.com> wrote:
>>> But I definitely think that our ultimate goal should be to move as
>>> many of the APIs to as low level as possible. Or at least as much as
>>> possible for the various APIs to as low level as possible. So for
>>> example the SMS API might have a subset which is only exposed to
>>> certified apps, whereas the ability to be notified of incoming
>>> messages is exposed to privileged apps, and the ability to read the
>>> database of stored messages is exposed to normal apps. (Just to pull
>>> an example out of thin air).
>>
>>
>> Why would the SMS API be limited to certified applications? A privileged
>> application is an application that has been marked as privileged by a
>> store that has been marked as privileged by the runtime. Why should we
>> expect such an application to not behave correctly? If Firefox OS or
>> Tizen or Webinos trusts a store and that store trusts an application
>> whether because the code has been reviewed or the author is trusted.
>
> On Android, would you trust all applications available via the Play Store?
> Or in other words - would you trust all of them the same? Or do you also
> look at user ratings, download numbers, who the author is, etc?
> You gave a good example in your other email, where you wrote about SMS API
> being abused by an app that was trusted enough to use it...

The goal of the security model used by Firefox OS is that users can
always safely install any application from anywhere. Installing an app
doesn't need any security or privacy decisions on the user's part.

I strongly feel that we should design the security model defined in
this group with the same goal.

The user will have to make some runtime decisions though. Like if
sharing pictures or sharing GPS location with an application is ok.
These are more like privacy decisions than security decisions though.
For these types of decisions I would expect the user to take into
account who the author is, where the application came from etc.

/ Jonas

Received on Tuesday, 26 February 2013 23:12:16 UTC
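As an added illustration of the model discussed above (not code from the thread, nor from Firefox OS, Tizen or Webinos): a toy policy in which installation never asks the user anything, an app's effective type is bounded by how far the runtime trusts the store that vouches for it, and only privacy-style permissions such as geolocation are deferred to a runtime prompt. The permission names, app types and the three SMS tiers are constructed assumptions that mirror the hypothetical split in the quoted text.

```python
from enum import IntEnum


class AppType(IntEnum):
    """Ordered so that a lower value means less trust."""
    WEB = 0
    PRIVILEGED = 1
    CERTIFIED = 2


ALLOW, PROMPT, DENY = "allow", "prompt", "deny"

# Constructed policy table: permission -> {app type: install-time decision}.
# A missing entry means DENY. The SMS rows follow the tiers quoted in the
# thread: send only for certified, incoming notification for privileged,
# reading stored messages for ordinary web apps. Geolocation is a privacy
# decision, so it is PROMPT rather than ALLOW for anything not certified.
POLICY = {
    "sms:send":    {AppType.CERTIFIED: ALLOW},
    "sms:receive": {AppType.CERTIFIED: ALLOW, AppType.PRIVILEGED: ALLOW},
    "sms:read":    {AppType.CERTIFIED: ALLOW, AppType.PRIVILEGED: ALLOW,
                    AppType.WEB: ALLOW},
    "geolocation": {AppType.CERTIFIED: ALLOW, AppType.PRIVILEGED: PROMPT,
                    AppType.WEB: PROMPT},
}


def effective_type(claimed, store_trust):
    """An app is only as privileged as the store the runtime trusts to mark it.

    A manifest may claim CERTIFIED, but a store the runtime only trusts as
    PRIVILEGED cannot grant more than PRIVILEGED; trust is never elevated."""
    return min(claimed, store_trust)


def install(manifest, store_trust):
    """Install-time step: no user decision is made here.

    Every requested permission is resolved purely from the policy table and
    the effective app type, so installing is always safe from the user's
    point of view; over-reaching requests simply resolve to DENY."""
    app_type = effective_type(manifest["type"], store_trust)
    granted = {p: POLICY.get(p, {}).get(app_type, DENY)
               for p in manifest["permissions"]}
    return {"name": manifest["name"], "type": app_type, "permissions": granted}


def check(app, perm, ask_user=lambda name, perm: False):
    """Runtime step: ALLOW/DENY come straight from the install record;
    PROMPT is the one case that defers to the user (default: refuse)."""
    decision = app["permissions"].get(perm, DENY)
    if decision == PROMPT:
        return ALLOW if ask_user(app["name"], perm) else DENY
    return decision
```

Running `install` with a manifest that claims `AppType.CERTIFIED` through a store trusted only as `AppType.PRIVILEGED` yields an app that can receive SMS notifications but not send, and whose geolocation access is decided by the user at runtime rather than at install.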