RE: Web Security IG - a proposal of actions


Yes, I certainly agree with your point Virginie. I have a question: are we talking about the apps running in browser or host platform (sysapps?) or both ?

Anders, thanks for sharing the post, and also I believe many security needs can be fulfilled with proper level of abstraction. For example, SE API already -although being hidden- may exist for native apps, but you cannot use it without proper rights/permissions. This comes to the point Virginie just mentioned, it requires support from the execution environment also.

Maybe similar to my point about hardware component, and also see my post [1], related to key provisioning/storage, I think the app should be able to provide hints/constraints to the APIs and get more information about the key/certificate than what is usually provided by the APIs; basic needs I can think of is the nature of keys/key storage and if it is possible to relocate the keys (by extraction or by platform specific backup/restore). I think a similar discussion is going for Firefox OS also in [2]



From: GALINDO Virginie <>
Sent: Thursday, October 17, 2013 16:45
To: Anders Rundgren;; Mete Balcı
Subject: RE: Web Security IG - a proposal of actions

Anders, Mete, and all,

I guess that the security analysis of web app on mobile, should address the entire life cycles of the webapps, meaning :
- app design (including functions made available to the developers)
- app packaging
- app deployment/update
- app usage (include the user granted rights)
My view is that the hardware component assumptions will only be a part of the problem.

We have here a reasonable number of ideas to open a wiki and start listing the perceived/existing problems... Will land in few days in our wiki [yes, we even have a wiki :)]

Any other idea to load our homework ?


-----Original Message-----
From: Anders Rundgren []
Sent: jeudi 17 octobre 2013 12:02
To: Mete Balcı
Subject: Re: Web Security IG - a proposal of actions

On 2013-10-17 11:16, Mete Balcı wrote:
> Hello Virginie and Dominique,
> I am also very interested on the topic -mobile security- and available for any discussion.
> I think one of the difficulties here is also that by saying native we
> sometimes/mostly refer to an hardware component or a software function
> with hardware support. Since I guess the standard cannot be based on a
> specific hardware feature, I believe some and correct level of
> abstraction is needed based on, as Dominique pointed out, the gaps
> seen by different industries, so the spec may not directly depend on whatever hardware there is, but the security concepts that is introduced by having such software/hardware components in the system.

Hi Mete,

This should be of interest:

A question arises: Can you actually abstract a security element API and still maintain end-to-end security?


This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus

Bu e-posta mesajı ve ekleri gönderildiği kişi ya da kuruma özeldir ve gizlidir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına gönderemez veya hiçbir şekilde kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz ve göndereni uyarınız. Gönderen ve POZITRON YAZILIM A.Ş., bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir. Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunamamasından, virüs içermesinden ve sisteminizde yaratabileceği zararlardan Şirketimiz sorumlu tutulamaz.

This e-mail and its attachments are private and confidential to the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient, you may not copy, forward, send or use any part of it. If you are not the intended recipient or the person who is responsible to transmit to the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and its attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the accuracy, currency, integrity or correctness of the information in the message and its attachments. POZITRON YAZILIM A.S. shall have no liability with regard to the information contained in the message, its transmission, reception, storage, preservation of confidentiality, viruses or any damages caused in anyway to your computer system.

Received on Friday, 18 October 2013 07:18:51 UTC