OWASP in Paris: Diving into Firefox OS Security!

You might have heard about it: a new mobile operating system was announced a few months ago, Firefox OS, by Mozilla. Mixing a browser product with the word "OS" is not a typo. It is a new type of operating system, web-based, meant to do away with the open-but-proprietary mobile operating systems. On a web-based operating system, web apps are the applications bringing services to the user, and Mozilla is offering to run HTML5/CSS3 web apps on Firefox OS, together with special APIs, named Web APIs, that expose mobile-phone features such as phone calls, SMS, and a few other nice things.

So, yes, Firefox OS has landed in the mobile area, and its security challenges with it. Imagine: a web engine on which you execute applications, based on the web security model, whose main security boundary is the same-origin policy (script running in one origin cannot read content belonging to another origin). If the ambition really is to port any kind of service to the web, including highly sensitive ones, this calls for more constraints on the application and execution model, and this is what Mozilla has been integrating into its OS design and application deployment scheme. This is the story that Paul Theriault @creativemisuse, Mozilla Corporation, came to tell at the Mozilla Paris offices this week, during a meeting organized by the OWASP French Chapter. Here are the basics to remember about the Firefox OS security model:

– There are three categories of web app: normal web apps, privileged web apps and certified web apps.

– Normal web apps have the fewest rights: they can *only* use the standard web platform (HTML5, CSS3, JavaScript) and none of the sensitive Web APIs.

– Privileged and certified web apps can access the Web APIs, subject to user permission: the user is prompted to grant access when the web app actually calls one of those APIs.

– Certified web apps are the ones accessing the sensitive Web APIs tied to the mobile phone system. At the moment, certified apps are developed only by Mozilla and built into the mobile device before it ships. The APIs reserved this way are the ones related to TCP sockets, the mobile network, system XHR (XMLHttpRequest that bypasses the same-origin policy), alarms…

– Each web app has its own dedicated storage for cache and cookies, so one app cannot read another app's data.

– Web apps and the browser each run in a separate process, which preserves the permissions and isolation during execution.
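The tiered model above maps naturally onto an install-time manifest check plus a runtime permission gate. The following JavaScript is an added example written for this post, not Mozilla's Firefox OS code: the app types and the prompt-on-first-use behaviour follow the list above; the four permission names are taken from the post's own list of sensitive APIs and are treated as certified-only, as the post reports (the real Firefox OS permission table differed in detail and changed over time); and the "sms" permission, the `installSource` values and the `askUser` callback are constructed for illustration.

```javascript
// Added example (not Mozilla's code): a model of the three-tier Firefox OS
// app permission policy described in the post. Permission names and the
// tier table are assumptions taken from the post's own list of sensitive APIs.
"use strict";

const TIER_RANK = { web: 0, privileged: 1, certified: 2 };

// Minimum app type needed to declare each Web API permission. The post
// reports these four as reserved to certified (built-in) apps; "sms" is
// added here purely as a constructed privileged-tier example.
const API_MIN_TYPE = {
  "tcp-socket": "certified",
  "mobilenetwork": "certified",
  "systemXHR": "certified",
  "alarms": "certified",
  "sms": "privileged",
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Install-time check: does the manifest ask for more than its app type allows?
// `installSource` is a constructed stand-in for where the app came from
// ("builtin" for apps shipped on the device). Returns a list of problems;
// an empty list means the manifest is acceptable.
function validateManifest(manifest, installSource) {
  const problems = [];
  const type = manifest.type || "web";
  const requested = Object.keys(manifest.permissions || {});

  if (!hasOwn(TIER_RANK, type)) {
    problems.push(`unknown app type "${type}"`);
    return problems;
  }
  if (type === "certified" && installSource !== "builtin") {
    problems.push("certified apps can only be built into the device");
  }
  if (type === "web" && requested.length > 0) {
    problems.push("normal web apps cannot declare Web API permissions");
  }
  for (const api of requested) {
    if (!hasOwn(API_MIN_TYPE, api)) {
      problems.push(`unknown permission "${api}"`);
    } else if (TIER_RANK[type] < TIER_RANK[API_MIN_TYPE[api]]) {
      problems.push(`"${api}" needs a ${API_MIN_TYPE[api]} app, manifest is ${type}`);
    }
  }
  return problems;
}

// Runtime gate: an installed app calling a Web API. Undeclared APIs are
// denied outright; declared ones are put to the user the first time they are
// used and the answer is remembered per app, which is the prompt-on-access
// behaviour the post describes. `askUser(api)` stands in for the system prompt.
class AppSandbox {
  constructor(manifest, installSource, askUser) {
    const problems = validateManifest(manifest, installSource);
    if (problems.length) throw new Error(problems.join("; "));
    this.declared = new Set(Object.keys(manifest.permissions || {}));
    this.askUser = askUser;
    this.decisions = new Map(); // api -> true/false, filled on first use
  }

  callApi(api) {
    if (!this.declared.has(api)) return "deny";
    if (!this.decisions.has(api)) {
      this.decisions.set(api, Boolean(this.askUser(api)));
    }
    return this.decisions.get(api) ? "allow" : "deny";
  }
}

// Constructed manifests in the manifest.webapp shape (type + permissions).
const normalApp = { name: "Notes", type: "web", permissions: { alarms: {} } };
const privilegedApp = { name: "Messenger", type: "privileged",
                        permissions: { sms: { description: "send messages" } } };
const dialer = { name: "Dialer", type: "certified",
                 permissions: { mobilenetwork: {} } };

console.log("Notes from marketplace:", validateManifest(normalApp, "marketplace"));
console.log("Dialer from marketplace:", validateManifest(dialer, "marketplace"));
console.log("Dialer built in:", validateManifest(dialer, "builtin"));
```

A manifest that declares more than its type allows is rejected before the app ever runs, and an installed app that calls a Web API it never declared is denied without any prompt; only declared APIs reach the user, who is asked once per app and per API.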

A video is available there, and will definitely help you better understand the main challenges Mozilla is facing with its crazy idea of putting the web on a mobile phone.

And, since all of Mozilla's activities are public and open to contributors, those interested in the security aspects can stay tuned on

Take Mozilla, Microsoft, Tony Stark…

Take Mozilla, Microsoft, Tony Stark, add a motivated team of volunteers, and you have the recipe to gather more than 130 people at a W3Café in the Microsoft Conference Center in Paris, along the Seine. The W3Café's appealing program was made of great plenary presentations and workshops, for the generous price of a 5 euro ticket. Paris traffic jams made me miss the general presentation, and when I joined the conference room David Rousset @davrous was on stage, demonstrating with expertise and a great sense of show the Internet Explorer 10 features [0]. In 5 minutes David wrote a simple web app delivering an RSS feed, with a look & feel matching the Windows 8 Modern UI (formerly called Metro) style and spirit. Using free developer tools, with a mix of standard HTML5, CSS and JavaScript and Microsoft-specific WinRT APIs (some people in the room said: well, Microsoft as usual…), he polished the application's look a bit. In addition, David suggested that the seamless and efficient integration of developer tools and designer tools would in the end bring peace to the conflictual world of developers and designers, turning them into the best of friends. The demonstration of a very simple application by an expert like David, playing the schizophrenic double role of the nice developer and the bad designer, was convincing… Real developers on real projects will get a chance to try Windows 8 and IE10 in October 2012, David said.