- From: John Lyle <john.lyle@cs.ox.ac.uk>
- Date: Thu, 28 Feb 2013 15:09:14 +0000
- To: public-sysapps@w3.org
- Message-ID: <512F731A.3030405@cs.ox.ac.uk>
On 27/02/13 22:01, Mounir Lamouri wrote:
> On 27/02/13 00:36, Jonas Sicking wrote:
>> That said, I still agree with what you are saying, we just have to be
>> very explicit about who makes which decisions. In Firefox OS the
>> runtime trusts a set of stores, and those stores decide which
>> applications should get access to which privileged APIs. Likely we'll
>> expand this so that Firefox OS trusts certain stores to only hand
>> out certain privileges.
> On 26/02/13 12:38, John Lyle wrote:
>> We discussed this issue internally within webinos. We assume that the
>> main value of an app store is in revocation rather than prevention*.
>> E.g., it gives the app store the ability to remove a malicious app, not
>> prevent it from being present on the app store in the first place.
>>
>> Unless the app store is charging developers a lot of money to submit an
>> application, it won't be cost-effective to review each application for
>> malicious behaviour. As a result, malware will definitely get through.
>> That's not to dilute the app store's importance: it makes the impact of
>> any malware much lower as it would hopefully be removed by the app store
>> fairly quickly after complaints are received. But it is only one of
>> several measures.
> I think both systems should be allowed by the specification and I do not
> think that the specification should force a particular system.

From the perspective of the security model, it would be worth defining the expectations on marketplaces with regards to application assurance. That doesn't mean defining what the app store / marketplace does, or how it does it, but it does mean spelling out the expectations that a runtime environment should have of applications distributed by a "trusted" app store.

This is important, because I don't think you can define a common standard for a security model unless you make at least approximately the same assumptions about the capabilities and trustworthiness of applications and the threat they present. My opinion is that applications from most app stores are likely (on the whole) to be trustworthy. That's what we see in Google Play and other app stores today. However, app stores are fallible and there will always be some malicious applications available. In particular, any new or infrequently downloaded application could potentially be malware.

> My current idea is to have a chain of trust:
> - the runtime trusts some marketplaces;
> - the marketplace marks some applications as trusted.
> If the user installs an application marked as trusted by the marketplace
> and the marketplace is trusted, the application will have access to
> privileged APIs.

I would prefer not to conflate 'marketplaces' and application certification authorities. I think they don't necessarily need to be the same entity. If I use a third party app store and then install some A/V product that provides application whitelisting, I get the same protection but I've separated out the two functions.

I also think that app stores marking applications as 'trusted' might be too vague. App stores might have a whole vocabulary of tags to apply to a particular application which might then be used by the runtime to make better security decisions. But that's a question for those of us who are actually running app stores...

> Then, it is up to the runtime to decide if the marketplace is
> trustworthy and should be allowed to install privileged applications.
> (I wonder if the runtime SHOULD allow the user to mark a marketplace as
> trusted?)

I agree that each runtime will need to define its own policy with respect to the permitted authors and distributors of applications, as well as how side-loading fits in and whether these rules are modifiable.

As mentioned previously, the manufacturer (or operator, or other party) may dictate the restrictions on certain APIs that the devices offer based on the author or distributor. I don't think it should be limited (by design) to the app store / marketplace. This is probably only a terminology issue.

> I think that this solution is dynamic, can produce competition and
> innovation. In other words, marketplaces can be a real ecosystem.

I think we're on the same page - one of the aims in webinos was to try and make sure that marketplaces and runtime environments aren't tightly bound. So long as the security model is based around a realistic set of assumptions about the role of the app store, this should be quite achievable.

Best wishes,

John
Received on Thursday, 28 February 2013 15:09:41 UTC
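The thread above describes a chain of trust (runtime trusts distributors, distributors and certifiers vouch for applications, the runtime maps those attestations to privileged APIs) and argues for three refinements: the distributor and the certification authority need not be the same entity, a tag vocabulary is more useful than a single "trusted" bit, and revocation matters more than up-front review. The following Python is an added illustration of one way such a runtime policy could be evaluated. It is not code from the mailing list, from webinos or from Firefox OS; the authority names (store.example, whitelist.example), the tags and the API names are invented, and HMAC over a constructed shared secret stands in for the signature scheme a real runtime would verify with public keys.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed authorities (hypothetical names). A real runtime would hold only
# verification keys; a shared-secret HMAC stands in for a signature so the
# example runs with the standard library alone. None marks an unsigned source
# such as side-loading, which the runtime may still choose to permit.
AUTHORITY_KEYS = {
    "store.example": b"constructed store key",
    "whitelist.example": b"constructed A/V whitelist key",
    "sideload": None,
}


def _msg(app_id: str, app_hash: str, tag: str) -> bytes:
    return f"{app_id}|{app_hash}|{tag}".encode()


def attest(authority: str, app_id: str, app_hash: str, tag: str = "") -> str:
    """Authority vouches for (app_id, app_hash) under a tag; "" = plain distribution."""
    return hmac.new(AUTHORITY_KEYS[authority], _msg(app_id, app_hash, tag),
                    hashlib.sha256).hexdigest()


def verify(authority: str, app_id: str, app_hash: str, tag: str, mac: str) -> bool:
    key = AUTHORITY_KEYS.get(authority)
    if key is None:
        return False
    expected = hmac.new(key, _msg(app_id, app_hash, tag), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


@dataclass
class Package:
    app_id: str
    code: bytes
    distributor: str
    dist_mac: Optional[str]        # None for side-loaded packages
    certifications: list           # [(certifier, tag, mac), ...] from any authority

    @property
    def app_hash(self) -> str:
        return hashlib.sha256(self.code).hexdigest()


@dataclass
class RuntimePolicy:
    trusted_distributors: frozenset
    grants: dict                               # certifier -> {tag -> set of APIs}
    revoked: set = field(default_factory=set)  # (authority, app_id) pulled later


def decide(pkg: Package, policy: RuntimePolicy):
    """Return (may_run, granted_apis). Re-run at every launch so revocation bites."""
    if pkg.distributor not in policy.trusted_distributors:
        return False, frozenset()
    if (pkg.distributor, pkg.app_id) in policy.revoked:
        return False, frozenset()          # distributor pulled the app: remove it
    signed = AUTHORITY_KEYS.get(pkg.distributor) is not None
    if signed and not verify(pkg.distributor, pkg.app_id, pkg.app_hash, "",
                             pkg.dist_mac or ""):
        return False, frozenset()          # tampered package or forged attestation
    apis = set()
    for certifier, tag, mac in pkg.certifications:
        if (certifier, pkg.app_id) in policy.revoked:
            continue                       # this certifier withdrew its vouching
        if not verify(certifier, pkg.app_id, pkg.app_hash, tag, mac):
            continue
        # The runtime (manufacturer/operator) decides what each certifier's tag
        # unlocks; an unknown certifier or tag grants nothing.
        apis |= policy.grants.get(certifier, {}).get(tag, set())
    return True, frozenset(apis)


def make_policy() -> RuntimePolicy:
    return RuntimePolicy(
        trusted_distributors=frozenset({"store.example", "sideload"}),
        grants={"store.example": {"reviewed": {"contacts"}},
                "whitelist.example": {"reviewed": {"contacts"},
                                      "operator-approved": {"telephony"}}})


def scenarios() -> dict:
    """Walk the cases from the thread; returns {name: (may_run, apis)}."""
    policy, code, aid = make_policy(), b"constructed app bundle", "com.example.dialer"
    h = hashlib.sha256(code).hexdigest()
    certs = [("store.example", "reviewed", attest("store.example", aid, h, "reviewed")),
             ("whitelist.example", "operator-approved",
              attest("whitelist.example", aid, h, "operator-approved"))]
    store_app = Package(aid, code, "store.example", attest("store.example", aid, h), certs)
    out = {"store_plus_whitelist": decide(store_app, policy)}
    tampered = Package(aid, code + b"x", "store.example", store_app.dist_mac, certs)
    out["tampered"] = decide(tampered, policy)            # hash mismatch: nothing trusted
    sideloaded = Package(aid, code, "sideload", None, [certs[1]])
    out["sideload_whitelisted"] = decide(sideloaded, policy)  # certifier != distributor
    other = Package(aid, code, "otherstore.example", "deadbeef", certs)
    out["untrusted_distributor"] = decide(other, policy)
    policy.revoked.add(("whitelist.example", aid))       # certifier revokes after complaints
    out["certifier_revoked"] = decide(store_app, policy)
    policy.revoked.add(("store.example", aid))           # store pulls the app entirely
    out["distributor_revoked"] = decide(store_app, policy)
    return out
```

The side-loaded case is the one the message singles out: the package carries no distributor signature, yet a whitelisting provider the runtime trusts as a certifier can still unlock telephony, while the store's own "reviewed" tag unlocks only what the runtime's grant table says it does. Because `decide` is evaluated on every launch against the current revocation set, a certifier or store withdrawing its attestation takes effect without any new review step.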