Security/Reviews/APK Factory: Difference between revisions

(Created page with "{{SecReviewInfo |SecReview name=APK Factory |SecReview target=<bugzilla> { "id":"936725,896003" } </bugzilla> }} {{SecReview}} {{SecReviewActionStatus |SecReview action ...")
}
</bugzilla>
}}
{{SecReview
|SecReview feature goal=* https://wiki.mozilla.org/User:Clouserw/APKFactorynutshell: run apps on android natively
====APK Builder web service====
* Two key services:
** Given an Open Web App manifest (or packaged app), produce an Android .apk install file
** Given a list of web app manifests and version numbers, determine which apps are out of date
====Status====
* Working prototype - https://github.com/jhugman/synth-apks
* Proposed Architecture - https://www.lucidchart.com/documents/view/4262-9680-5285454a-bd0a-4a150a00de40
* rforbes diagram: http://dl.dropbox.com/u/10060532/Screenshots/CZ67.png
* Prereq: user has to allow install from other stores
** ( corner case - .apks uploaded into Google Play store)
* The apps are still web apps with a browser wrapper; this just allows them to be controlled as individual processes and have the app name show up appropriately
* Main concern is Android keys; keys are per-app. You can't update an app if you lose the key.
* Create Android apps for developers, so we need to create these keys and manage them.
* Dolphin does something similar, they still use their browser to run them.
* You must have Fennec installed, Android Intents are used to launch them
* We're creating private keys and storing them.
* We will tell developers that they can give us their private keys.
** storage, management.
* Marketplace will have a UI for developers to update their keys.
** High risk, obvious benefits?
* Keys are per app, not per developer key across all your apps.
**http://developer.android.com/tools/publishing/app-signing.html
**Debug keys - reviewer, developer keys - for ad hoc builds of APKs
*APK Signer - Use solitude again.
**HSM can take many months...
**It's possible to sign multiple apps with the same key, to enable privileged communication (SSO)
* Upload dev key -> V2
* Access will be locked down via the marketplace.
** (IP address, OAuth...)
* Fennec implements mozApps.install -> talks to APK Factory in the demo
* Bundling on the fly can be a scaling detail...
??? confusion around the production plan for the service
|SecReview solution chosen=* Allows apps to show up in process manager as themselves
* Allows for an install experience that users are familiar with
|SecReview threat brainstorming=* Are the developers uploading their private key for signing?
** Yes, moved to v2
* Is the Android and Fx app signature checked on install / launch?
** Yes both are checked
* HSMs to store the keys (like FxOS) - mainly if storing dev's own keys
* otherwise apps are also verified through a separate Firefox OS app signature (checked by code from firefox.apk, not the application's apk)
* Is it possible to physically separate the two use-cases? Keep the production infrastructure that does the (offline non-realtime) apk building for Marketplace separate from the public web service that developers really only use for testing? Limits attack surface of production infrastructure. Allows for much stricter separation of deployments.
* An exploit in the downloading, processing of a packaged app? Malformed zip file being extracted over a signed file?
* (AMO may have code or procedures to help here)
*Multiple filenames in the zip file.
}}
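The last two brainstorming items (a malformed zip being extracted over a signed file, and a zip carrying the same filename twice) are the kind of defect a pre-extraction check catches before the APK builder ever unpacks the packaged app. The following is an added example written for this review page; it is not code from the APK Factory or synth-apks prototype, and the size and ratio limits it uses are assumed policy values. It builds two constructed sample packages inline (one clean, one with a duplicate manifest.webapp entry and a traversal path) and returns the list of problems found, so the caller can reject the upload rather than extract it.

```python
"""Pre-extraction validation of a packaged Open Web App zip.

Added example for the APK Factory security review; not project code.
The limits below are assumptions, not values from the review.
"""
import io
import posixpath
import warnings
import zipfile

MAX_ENTRIES = 10_000                    # assumed limit on entries per package
MAX_UNCOMPRESSED = 200 * 1024 * 1024    # assumed limit on total unpacked size
MAX_RATIO = 100                         # assumed per-entry compression ratio limit


def check_packaged_app(data: bytes) -> list:
    """Return a list of problems found; an empty list means the archive passed.

    The archive is only inspected via its central directory; nothing is
    extracted here, so a bad package never touches the build tree.
    """
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a zip file: {exc}"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries: {len(infos)}")
        seen = set()
        total = 0
        for info in infos:
            name = info.filename
            # Two central-directory entries for one path let a verifier hash one
            # copy while the extractor writes the other, so reject the package.
            key = posixpath.normpath(name)
            if key in seen:
                problems.append(f"duplicate entry: {name}")
            seen.add(key)
            # Absolute paths, drive letters, backslashes or '..' components would
            # write outside the directory the builder extracts into.
            parts = name.split("/")
            if name.startswith("/") or "\\" in name or ":" in name or ".." in parts:
                problems.append(f"unsafe path: {name}")
            # Unix mode lives in the high 16 bits of external_attr; a symlink
            # entry could redirect a later write onto an existing signed file.
            mode = info.external_attr >> 16
            if (mode & 0o170000) == 0o120000:
                problems.append(f"symlink entry: {name}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(f"suspicious compression ratio: {name}")
        if total > MAX_UNCOMPRESSED:
            problems.append(f"uncompressed size too large: {total}")
        if "manifest.webapp" not in seen:
            problems.append("manifest.webapp missing")
    return problems


def build_sample(malicious: bool) -> bytes:
    """Constructed sample package (not a real app). With malicious=True it adds
    a second manifest.webapp entry and a path-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.webapp", '{"name": "Demo", "launch_path": "/index.html"}')
        zf.writestr("index.html", "<html><body>demo</body></html>")
        if malicious:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("manifest.webapp", '{"name": "Other"}')
            zf.writestr("../evil.js", "alert(1)")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean package:", check_packaged_app(build_sample(False)))
    print("malicious package:", check_packaged_app(build_sample(True)))
```

Run the check on the uploaded bytes before anything is written to disk, and extract only into a fresh, empty build directory once it returns an empty list; extracting into a directory that already holds signed output is exactly the overwrite case the review raises.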
{{SecReviewActionStatus
|SecReview action item status=None
}}