Re: [sysapps/runtime] can user add another store apps?

On 23/03/13 07:11, Jonas Sicking wrote:
> The current runtime spec allows any website to act as a store. And
> since apps have all the capabilities of websites, that means that by
> extension you can write an app which is a store too.
>
> So you don't even need a webstore app. You could simply rely on using
> websites to do this.
>

Hi Jonas,

In previous messages you have mentioned that the goal of the security 
model is that "users can always safely install any application from 
anywhere" (see attached).  I had assumed that one of the ways in which 
this would be achieved is by expecting people to use only a few 
trustworthy app stores.  In combination with sensible API design and 
permissioning, of course.

However, from this email it appears that any application can potentially 
act as a store, and that websites can too.  I therefore see quite a big 
gap in the current security model in how to ensure only trustworthy 
stores & apps are used.  Would you or Mounir be able to clarify a few 
more details about how Firefox OS manages to bridge this gap?  What 
constraints is the runtime expected to place on app store 'installation'?

I think this is pretty important, as in regions where users stick to 
well-known app stores, there isn't a significant mobile malware problem 
[1].  In other places where 3rd party markets are more dominant (Russia, 
China, Iran) there are genuine malware issues.

Best wishes,

John

[1] "The Core of the Matter: Analyzing Malicious Traffic in Cellular 
Carriers" by Charles Lever, Manos Antonakakis, Brad Reaves, Patrick 
Traynor and Wenke Lee.   In Proceedings of the ISOC Network & 
Distributed System Security Symposium (NDSS), 2013. (This paper is hard 
to get hold of - I can email a copy if necessary)