Security/Reviews/APK Factory: Difference between revisions
Previous revision (created page with "{{SecReviewInfo |SecReview name=APK Factory |SecReview target=<bugzilla>{"id":"936725,896003"}</bugzilla>}} {{SecReview}} {{SecReviewActionStatus |SecReview action ...")
Current revision (no edit summary): the empty {{SecReview}} template is filled in with the feature goal, solution chosen and threat brainstorming fields; {{SecReviewInfo}} and {{SecReviewActionStatus |SecReview action item status=None}} are unchanged. The filled-in revision is rendered below.
Revision as of 14:40, 20 November 2013
Item Reviewed | APK Factory
Target | 2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%)

ID | Summary | Priority | Status
---|---|---|---
896003 | [theme] Support for Synthetic APKs (Fennec / Android) | -- | RESOLVED
936725 | [SecReview]: APK Factory | -- | RESOLVED
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- https://wiki.mozilla.org/User:Clouserw/APKFactorynutshell: run apps on Android natively
APK Builder web service
- Two key services:
  - Given an Open Web App manifest (or packaged app), produce an Android .apk install file
  - Given a list of web app manifests and version numbers, determine which apps are out of date
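The second service (given manifests and installed version numbers, decide which apps are out of date) comes down to comparing versions correctly. The following is an added example, not code from the APK Factory service or the synth-apks prototype; the manifest shape (a dict with a "version" field keyed by manifest URL) and the sample data are constructed for the example. It compares versions numerically rather than lexically, treats "2.0" and "2.0.0" as equal, ranks a pre-release suffix below the plain release, and skips apps whose manifest is missing or unparseable so that a broken manifest cannot trigger an update.

```python
"""Update check for the second APK Builder service: given the current web app
manifests and the versions a device has installed, report which apps are out
of date. Added example; the manifest shape and the sample data are constructed,
not taken from the APK Factory service or the synth-apks prototype."""
import re


def version_key(version):
    """Turn '1.2.10' into a sortable key so comparison is numeric, not lexical
    ('1.2.10' must sort after '1.2.9'). Trailing zeros are dropped so that
    '1.2' and '1.2.0' compare equal; a non-numeric suffix ('0.9-beta') sorts
    below the same numbers without a suffix."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    suffix = m.group(2)
    return (tuple(nums), 0 if suffix == "" else -1, suffix)


def outdated_apps(installed, manifests):
    """installed: {manifest_url: installed_version}
    manifests: {manifest_url: manifest_dict} as the service would fetch them.
    Returns {manifest_url: (installed_version, current_version)} for apps whose
    manifest carries a newer version. Apps with no manifest or an unparseable
    version are skipped rather than flagged."""
    result = {}
    for url, have in installed.items():
        manifest = manifests.get(url)
        if not manifest or "version" not in manifest:
            continue
        try:
            if version_key(manifest["version"]) > version_key(have):
                result[url] = (have, manifest["version"])
        except ValueError:
            continue
    return result


# Constructed sample data (hypothetical hosts and versions).
SAMPLE_MANIFESTS = {
    "https://app.example/a/manifest.webapp": {"name": "A", "version": "1.2.10"},
    "https://app.example/b/manifest.webapp": {"name": "B", "version": "2.0"},
    "https://app.example/c/manifest.webapp": {"name": "C", "version": "0.9-beta"},
}
SAMPLE_INSTALLED = {
    "https://app.example/a/manifest.webapp": "1.2.9",   # older: flagged
    "https://app.example/b/manifest.webapp": "2.0.0",   # same as 2.0: not flagged
    "https://app.example/c/manifest.webapp": "0.9",     # newer than the beta: not flagged
    "https://app.example/d/manifest.webapp": "1.0",     # no manifest listed: skipped
}

if __name__ == "__main__":
    for url, (have, current) in outdated_apps(SAMPLE_INSTALLED, SAMPLE_MANIFESTS).items():
        print(f"{url}: installed {have}, current {current}")
```

Only app A is reported with the sample data; the other three cases show the equal-version, pre-release and missing-manifest paths.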
Status
- Working prototype - https://github.com/jhugman/synth-apks
- Proposed Architecture - https://www.lucidchart.com/documents/view/4262-9680-5285454a-bd0a-4a150a00de40
- rforbes diagram: http://dl.dropbox.com/u/10060532/Screenshots/CZ67.png
- Prereq: the user has to allow installs from other stores
  - (corner case - .apks uploaded into the Google Play store)
- The apps are still web apps with a browser wrapper; this just allows them to be controlled as individual processes and have the app name show up appropriately
- Main concern is Android keys; keys are per app. You can't update an app if you lose the key.
- We create Android apps for developers, so we need to create these keys and manage them.
- Dolphin does something similar; they still use their browser to run them.
- You must have Fennec installed; Android Intents are used to launch the apps
- We're creating private keys and storing them.
- We will tell developers that they can give us their private keys (storage, management).
- Marketplace will have a UI for developers to update their keys.
  - High risk, obvious benefits?
- Keys are per app, not one developer key across all your apps.
  - http://developer.android.com/tools/publishing/app-signing.html
  - Debug keys - reviewer; developer keys - for ad hoc builds of APKs
- APK Signer - use Solitude again.
  - HSM can take many months...
  - It's possible to sign multiple apps with the same key, to enable privileged communication (SSO)
- Upload dev key -> V2
- Access will be locked down via the Marketplace (IP address, OAuth...)
- Fennec implements mozApps.install -> talks to APK Factory in the demo
- Bundling on the fly can be a scaling detail...
- ??? Confusion around the production plan for the service
What solutions/approaches were considered other than the proposed solution?
(no entry)
Why was this solution chosen?
- Allows apps to show up in the process manager as themselves
- Allows for an install experience that users are familiar with
Any security threats already considered in the design and why?
(no entry)
Threat Brainstorming
- Are the developers uploading their private key for signing?
  - Yes, moved to v2
- Is the Android and Fx app signature checked on install / launch?
  - Yes, both are checked
- HSMs to store the keys (like FxOS) - mainly if storing devs' own keys
- Otherwise apps are also verified through a separate Firefox OS app signature (checked by code from firefox.apk, not the application's apk)
- Is it possible to physically separate the two use cases? Keep the production infrastructure that does the (offline, non-realtime) apk building for Marketplace separate from the public web service that developers really only use for testing. This limits the attack surface of the production infrastructure and allows for much stricter separation of deployments.
- An exploit in the downloading or processing of a packaged app? A malformed zip file being extracted over a signed file?
  - (AMO may have code or procedures to help here)
  - Duplicate filenames in the zip file (the same path appearing more than once).
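The last two brainstorming items (a zip entry extracted over a signed file, and duplicate filenames in the archive) are both caught by auditing the archive before anything is extracted. The following is an added example, not code from the APK Factory service, AMO, or the synth-apks prototype. The protected file list (META-INF signature files), the size limit and the two sample packages are constructed for the example; it also checks for path-traversal entries, which the notes do not mention but which the same pass covers.

```python
"""Pre-extraction audit of a packaged-app zip: duplicate entries, entries
that collide with files the signing step produces, entries that escape the
extraction directory, and an oversize archive. Added example; not code from
the APK Factory service or the synth-apks prototype. PROTECTED_NAMES and the
sample packages are constructed for this example."""
import io
import posixpath
import warnings
import zipfile

# Files the signing step writes itself; a package entry with one of these
# names would let the uploaded app replace signature material. Constructed
# list for the example.
PROTECTED_NAMES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}


def audit_package(data, max_total_size=50 * 1024 * 1024):
    """Return the list of problems found; an empty list means the archive is
    safe to hand to a plain extractor. Problems are collected rather than
    raised on first hit so a reviewer sees everything at once."""
    problems = []
    seen = set()
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            normalized = posixpath.normpath(name)
            # Absolute paths, backslashes and parent-directory components
            # resolve to somewhere outside the extraction directory.
            if (name.startswith("/") or "\\" in name
                    or normalized == ".." or normalized.startswith("../")):
                problems.append(f"unsafe path: {name!r}")
            # A second entry with the same name is what "extracted over a
            # signed file" looks like: most extractors write the later entry
            # on top of the earlier one, so the copy a reviewer or scanner
            # inspected is not the copy that ends up on disk.
            if name in seen:
                problems.append(f"duplicate entry: {name!r}")
            seen.add(name)
            if normalized in PROTECTED_NAMES:
                problems.append(f"entry collides with protected file: {name!r}")
            total += info.file_size
    if total > max_total_size:
        problems.append(f"uncompressed size {total} exceeds limit {max_total_size}")
    return problems


def build_sample(entries):
    """Build an in-memory zip from (name, content) pairs. Duplicate names are
    written on purpose, so the library's duplicate-name warning is muted."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries:
                zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages: one clean, one with all three problems.
GOOD_PACKAGE = build_sample([
    ("manifest.webapp", b'{"name": "demo", "version": "1.0"}'),
    ("index.html", b"<html></html>"),
    ("js/app.js", b"console.log('hi')"),
])
BAD_PACKAGE = build_sample([
    ("manifest.webapp", b'{"name": "demo", "version": "1.0"}'),
    ("manifest.webapp", b'{"name": "demo", "version": "1.0", "permissions": ["x"]}'),
    ("META-INF/CERT.RSA", b"not a real signature"),
    ("../escape.txt", b"would land outside the extraction directory"),
])

if __name__ == "__main__":
    print("good:", audit_package(GOOD_PACKAGE))
    print("bad:", audit_package(BAD_PACKAGE))
```

Running the audit before extraction (rather than sanitising names during it) keeps the build service's decision simple: any problem rejects the upload, and the duplicate-manifest case shows why the audit has to look at the central directory rather than at whatever the extractor happened to leave on disk.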
Action Items
Action Item Status | None
Release Target | (none)
Action Items | (none)