OWASP in Paris : Diving in Firefox OS Security !

You might have heard about it, a new mobile operating system was announced few months ago : Firefox OS, by Mozilla.This mixing of a browser product together with the ‘OS’ word is not a typo. It is a new type of operating system, web based, which will get rid of the open-but-proprietary mobile operating systems. On a web-based operating system, web apps will be the application bringing the services to the user. And Mozilla, is offering to have HTML5/CSS3 web apps running on their Firefox OS. Together with special APIs, names Web APIs that will enable some mobile-phone related features, such as access to phone call, SMS, and few other nice things.

So, yes, Firefox OS has landed in the mobile area … and its security challenges too. Imagine : a web engine, on which you execute applications, based on the web security model, which main security constraint is the single origin policy (any resource used by a web app must be from the same origin). If the ambition is really to port any kind of service on the web, including the highly sensitive ones, this imposes to have more constraints on the application and execution model. And this is what Mozilla has been integrating in their OS design and application deployment scheme. This is this nice story that Paul Theriault @creativemisuse, Mozilla Corporation, came to tell in Mozilla Paris offices this week, during a meeting organized by OWASP French Chapter. Here are the basics to remember about the Firefox OS security model :

– There will be several categories of web app : normal web apps, privileged web apps, certified web apps.

– Normal webapps are the ones with the lowest right, they can *only* use HTML5 and CSS3.

– Privileged and certified web apps are accessing the Web APIs, and will be submitted to the user permissions. The user will have to grant access when the web apps will actually access those APIs.

– Certified web apps will the ones accessing sensitives Web API, related to the mobile phone system. At the moment, certified apps are only developed by Mozilla and built in the mobile device, before going on the field. The so-preserved APIs are the ones related to TCP socket, mobile network, system XHR, alarms…

– Each web app will have dedicated cache and cookies memory.

– Web apps and browser will run in a separate thread, allowing to preserve the permissions and isolation during execution.

A video is available there, and will definitely make you better understand the main challenges that Mozilla is facing with their crazy idea to put the web on a mobile.

And, as all the activities of Mozilla are public and open to contributors, the ones interested in security aspects can stay tuned on https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s