canmove, Confirmed users
1,220
edits
Reviews/B2G/AppUpdates: Difference between revisions
no edit summary
Ptheriault (talk | contribs) (Created page with "{{SecTracker |Component=B2G App Updates |Project=https://wiki.mozilla.org/Gaia/System/Updates/Apps }} {{SecTrackerItem |Sectrackerstatus=OK |Simpyn=No |DFD=N/A |bugs=N/A |Secrevi...") |
Ptheriault (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
=App Updates Security Review= | |||
==Overview== | |||
In bug 772404 (https://wiki.mozilla.org/Security/Reviews/B2GUpdates) we have looked at gecko and gaia updates. We also need to review the update process for third party apps, which is the purpose of this bug. | |||
==Architecture== | |||
The following components play a role in app updates: | |||
*Gaia System App | |||
**[http://mxr.mozilla.org/gaia/source/apps/system/js/update_manager.js update_manager.js]: This code is responsible for starting the process of checking for updates, manages queues of updates and downloads, and provides UI via notifications to alert the user of the various stages of the updates | |||
**[http://mxr.mozilla.org/gaia/source/apps/system/js/updatable.js updatable.js]: This code represents an update - either an app or system update. It has methods like download() and applyUpdate() and provides an object to register callbacks for progress updates. | |||
*Gecko | |||
** | |||
**[http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.jsm Webapps.jsm]: WebApps registry service handles the actual downloads of manifest at the request of the Gaia system app, passing the results back to the system app via WebApps.js | |||
**[http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.js]: This is the child process half of the webapps service, which talks to the parent via system messages. The system app (update_manager.js) calls methods on app objects which are defined by this file. | |||
<b>Open Questions</b><br> | |||
* What does the UI look like for app updates? Is it the same as for system updates (ie via the notification tray?) I see https://mxr.mozilla.org/mozilla-central/source/b2g/components/UpdatePrompt.js but not sure if this is only for system updates or for all updates. | |||
* Can individual apps be updated one at a time, i.e , for example, can an app request to check for an update to itself (or can the marketplace do this too?) | |||
==Data Flow Enumeration== | |||
Inside Gecko, Apps are represented by a [http://mxr.mozilla.org/mozilla-central/source/dom/interfaces/apps/nsIDOMApplicationRegistry.idl mozIDOMApplication] object, which has a [http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/Webapps.js#396 checkForUpdate]() function. | |||
==Threat Analysis== | |||
==Links== | |||
* https://wiki.mozilla.org/DevTools/Features/ResponsiveView | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=755953 - sec review | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=749628 - dev | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=751910 - ui review | |||
* https://bug749628.bugzilla.mozilla.org/attachment.cgi?id=619038 - screenshot | |||
[[Category:SecReview]] | |||