Line 74: | Line 74: | ||
* Check the app has a sensible name, summary, description and icon. The description should be extensive enough for a user to understand what the app does (you may need to revisit this after launching the app). If not, reject. | * Check the app has a sensible name, summary, description and icon. The description should be extensive enough for a user to understand what the app does (you may need to revisit this after launching the app). If not, reject. | ||
* | * Ignore the manifest url (view) link - its in the zip package. (To download the package for offline inspection, etc, click the 'package_path' link - this shouldn't be routinely necessary.) | ||
* In the version table at the bottom of the view load the validation report and | * In the version table at the bottom of the view load the validation report and look over any warnings/errors. | ||
* Then inspect the app contents via the 'contents' link. | * Then inspect the app contents via the 'contents' link. | ||
* The first file should be the manifest. | * The first file should be the manifest. Take note of any requested permissions in the manifest. There is a [[Marketplace/Reviewers/Apps/Permissions|Security Checklist]] of available APIs and what they might be used/abused for, as well as in-depth [https://developer.mozilla.org/en-US/docs/Web/Apps/Security_guidelines Security guidelines for developers and reviewers]. | ||
* Validate that each '''permission description''' in the manifest uses plain language to accurately and clearly describe the app's use of that permission. Take extra care with every permission that seems unusual or unnecessary for the app's designated purpose. | * Validate that each '''permission description''' in the manifest uses plain language to accurately and clearly describe the app's use of that permission. Take extra care with every permission that seems unusual or unnecessary for the app's designated purpose. | ||
* Read the | * Read the JavaScript in all the files one by one, in particular the .js files (thankfully inline js and external files aren't allowed by the CSP), paying attention to how any permissions requested are used. | ||
** If the code is minified or obfuscated then readable source should be requested via info request (there is canned response) | ** If the code is minified or obfuscated then readable source should be requested via info request (there is canned response) | ||
* It may be necessary to search for and inspect different parts of the files, or other files, to establish how a particular piece of code is used. The validator is your friend as it highlights possible issues, but beware of false positives, and false negatives! | * It may be necessary to search for and inspect different parts of the files, or other files, to establish how a particular piece of code is used. The validator is your friend as it highlights possible issues, but beware of false positives, and false negatives! |
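Review bot: The permission steps introduced in this hunk (take note of requested permissions in the manifest, validate each permission description, pay attention to how permissions are used in the JavaScript) name no disposition when the check fails, unlike the name/summary/description bullet above them, which ends with "If not, reject." Consider closing those bullets with an explicit outcome, for example "If a permission is requested but never used in the code, or its description does not match how the code actually uses it, request clarification via info request or reject", so reviewers apply the same standard across the checklist. Two wording fixes in the new text as well: "its in the zip package" should read "it's in the zip package", and "there is canned response" should read "there is a canned response".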