App Updates Security Review

Overview

In bug 772404 (https://wiki.mozilla.org/Security/Reviews/B2GUpdates) we have looked at gecko and gaia updates. We also need to review the update process for third party apps, which is the purpose of this bug.

Architecture

The following components play a role in app updates:

• Gaia System App
  • update_manager.js: This code is responsible for starting the process of checking for updates, manages queues of updates and downloads, and provides UI via notifications to alert the user of the various stages of the updates
  • updatable.js: This code represents an update - either an app or system update. It has methods like download() and applyUpdate() and provides an object to register callbacks for progress updates.
• Gecko
  • Webapps.jsm: WebApps registry service handles the actual downloads of manifest at the request of the Gaia system app, passing the results back to the system app via WebApps.js
  • [1]: This is the child process half of the webapps service, which talks to the parent via system messages. The system app (update_manager.js) calls methods on app objects which are defined by this file.

Open Questions

• What does the UI look like for app updates? Is it the same as for system updates (ie via the notification tray?) I see https://mxr.mozilla.org/mozilla-central/source/b2g/components/UpdatePrompt.js but not sure if this is only for system updates or for all updates.

Data Flow Enumeration

Inside Gecko, Apps are represented by a mozIDOMApplication object, which has a checkForUpdate() function. Apps can request to check for an update to themselves, or the system app also checks for app updates as part of a global update check (by setting the gaia.system.checkForUpdates setting to true, which is picked up by update_manager.js)

Check for App Update

Either way, the process to check for an update to an individual app is as follows:

1. Check each app to see if there is an available update
2. If there is an update for an app, the process depends on whether the app is packaged/hosted or removable/non removable:

• Non-removable Packaged Apps (http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#1225)
  1. No updated as part of webapps process - these are updated with a system update process

• Non-removable Hosted Apps (http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#1230 onwards)
  1. Just check if new app cache manifest is available
  2. If so, do async download of manifest contents

• Removable Packaged Apps (http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#1122)
  1. Send a 'Webapps:CheckForUpdate:Return:OK' event (from webapps.jsm)
  2. Set properties of the update on the app object, then fire a downloadavailable event
  3. Event caught in system app (updatable.js) which adds itself updates queue in update manager (UpdateManager.js)

• Removable Hosted Apps (http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm#1149)
  1. Update web apps registration (system messages & web activities)
  2. Store the new manifest
  3. Update the webapps registry
  4. If not updatable then send Webapps:CheckForUpdate:Return:OK message to fire a downloadapplied event
  5. Else, Start app cache update (nsOfflineCacheUpdateService::CheckForUpdate)
  6. Observer for this update sends Webapps:CheckForUpdate:Return:OK, when check has been done.
  7. downloadapplied/downloadavailable event caught in system app (updatable.js) which adds itself updates queue in update manager (UpdateManager.js)

Download App Update

Threat Analysis

Links