Reviews/B2G/AppUpdates: Difference between revisions

No edit summary
Line 84: Line 84:
* App isn't updated in a timely manner
* App isn't updated in a timely manner
** what could cause the initial update check to fail?
** what could cause the initial update check to fail?
*** What about if the update manifest is accidentally included in an appcache?
*** What about if the update manifest is accidentally included in an appcache? Not an issue, since Gecko does the retrieval of the manifest, so appcache doesn't apply.
*** Other possible DoS scenarios? Version number corruption?
*** Are there Other possible DoS scenarios? Version number corruption? Apps are updated if the previous manifest hash doesn't match the one which is retrived as part of the update check. So no issue.


* Unsigned update gets applied?
* Unsigned update gets applied?
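Review bot: on the "Other possible DoS scenarios? Version number corruption?" line, the added answer only explains that updates are keyed on a manifest hash mismatch, which covers version number corruption but leaves "other possible DoS scenarios" and the parent question "what could cause the initial update check to fail?" unanswered, so "So no issue" reads broader than what is shown. Suggest scoping the conclusion to version numbers and keeping the DoS question open; also "retrived" should be "retrieved" and "Are there Other" should be lower-cased.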
Line 91: Line 91:


* Wrong app gets updated?
* Wrong app gets updated?
** Currently a compromised process could spoof the input parameter to checkForUpdate, so an app could trigger an update for another app. But the [http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#1106 update code] retrieves the app to update based on the manifest, and so while a compromised process could trigger updates for other apps, it can't provide any malicious parameters to that update. See bug 820206 for more info on attacks related to spoofing webapps:* system messages. But I dont think there is an issue here.
** "Currently a compromised process could spoof the input parameter to Webapps:CheckForUpdate message. See [https://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.js#455 here]. However the supplied appid (oid) paramemeter doesn't appear to be used in the parent (webapps.jsm) . So an app could trigger an update for another app, but not cause a mismatch.


* Partial update makes app unusable
* Partial update makes app unusable
** Can an app be half updated? (appcache yes? packaged no?)
** Can an app be half updated?
 
*** Hosted App with Appcache?
* App update is incompatible with the underlying gecko version?
*** Packaged apps: what happens in case of running out of diskspace which applying an update?  
** how do we address this? (not really a security issue though)


* Signed update gets applied to the wrong app?
* Signed update gets applied to the wrong app?
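Review bot: in the rewritten "Wrong app gets updated?" answer, the conclusion "not cause a mismatch" rests on the hedge that the supplied appid (oid) parameter "doesn't appear to be used" in the parent, and the new link points at Webapps.js#455 while the earlier wording linked the update code at Webapps.jsm#1106 and cited bug 820206. Suggest keeping the Webapps.jsm link and the bug reference so the claim can be checked, closing the opening quotation mark, and fixing "paramemeter"; in the packaged-apps line, "which applying an update" should read "while applying an update".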
Line 103: Line 102:


* An old update get applied (perhaps introducing a security vulnerability)
* An old update get applied (perhaps introducing a security vulnerability)
* Active MITM attack against an app, forcing a update


==Links==
==Links==
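Review bot: the bullet "Active MITM attack against an app, forcing a update" appears on only one side of this hunk, and the revision carries "No edit summary", so the reason for the change is not recorded. Suggest stating in the summary or in a sub-bullet why this threat is being changed, for example where it is covered if it is considered handled.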