Re: Firefox OS Permissions

Paul - thank you so much for this! We will pull in some of your comments into our permissions work which is currently being managed by Dom. I will also go speak to some of the FFOS team here at MWC! If you know who I should be looking out for let me know!

https://github.com/dontcallmedom/web-permissions-req

Thanks again!

Natasha Rooney | Web Technologist | GSMA | nrooney@gsma.com | +44 (0) 7730 219 765 | @thisNatasha | Skype: nrooney@gsm.org
7th Floor, 5 New Street Square, London EC4A 3BF


From: Paul Theriault <ptheriault@mozilla.com>
Date: Monday, 24 February 2014 01:34
To: Natasha Rooney <nrooney@gsma.com>
Cc: W3C Webmob Public <public-web-mobile@w3.org>
Subject: Re: Firefox OS Permissions

Hey Natasha,

On 24 Feb 2014, at 5:16 am, Natasha Rooney <nrooney@gsma.com> wrote:

Hey guys!

I was lucky enough to go along to the FirefoxOS event at mobile world congress tonight. I checked out some of the new devices and the apps running on them. One of the most interesting things was how the OS manages permissions. Inside of 'settings' the user can see a list of every app. When the app is selected the user can see the app author (this satisfies some regional legal requirements) and a list of each permission the app is using. The user can then select 'ask', 'deny' or 'grant' for each permission. Below are links to tweets with pictures. I liked the solution a lot, and would love to know what you guys think!

Note that the goal of the initial permission model was to allow users control over privacy-related permissions, whilst not bombarding users with prompts, or asking them permission questions that they couldn't reasonably understand. As such, all permissions must be declared in the application's manifest, but how we actually grant permission differs depending on these criteria of privacy & user understanding:
- Permissions the user can reasonably make a decision about (sharing location, photos, contacts etc) are granted as "prompt" during installation, meaning that prior to the first use of the API, the user will be prompted to allow access. These permission decisions can be reviewed and modified later in the settings app (which you show below).
- For all other permissions, access is granted as a result of marketplace security review, and not shown to the user. Initially it was planned to show all permissions in the settings app (what you have a screenshot of below); however, after much debate, for version one we decided not to expose these permissions. This was for a number of reasons but mainly to avoid confusion for regular users. Power users can, however, use the App Manager (built into Firefox) to see all permissions of apps installed on their phone.

Unfortunately I am not at MWC, but there are security & privacy at our booth who would like to talk with you. Best bet is probably just to drop in, but I can put you in touch with individuals in this area if you would like.

Regards,
Paul

Paul Theriault
Security Manager, Firefox OS


https://twitter.com/thisNatasha/status/437618486047965184
https://twitter.com/thisNatasha/status/437617298678235136

Natasha



This email and its attachments are intended for the above named only and may be confidential. If they have come to you in error you must take no action based on them, nor must you copy or show them to anyone; please reply to this email or call +44 207 356 0600 and highlight the error.



Received on Monday, 24 February 2014 10:11:09 UTC