App Updates Security Review

Overview

In bug 772404 (https://wiki.mozilla.org/Security/Reviews/B2GUpdates) we have looked at gecko and gaia updates. We also need to review the update process for third party apps, which is the purpose of this bug.

The following components play a role in app updates:

Gaia System App
- update_manager.js: This code is responsible for starting the process of checking for updates, manages queues of updates and downloads, and provides UI via notifications to alert the user of the various stages of the updates
- updatable.js: This code represents an update - either an app or system update. It has methods like download() and applyUpdate() and provides an object to register callbacks for progress updates.
Gecko
- Webapps.jsm: WebApps registry service handles the actual downloads of manifest at the request of the Gaia system app, passing the results back to the system app via WebApps.js
- [1]: This is the child process half of the webapps service, which talks to the parent via system messages. The system app (update_manager.js) calls methods on app objects which are defined by this file.

Open Questions

What does the UI look like for app updates? Is it the same as for system updates (ie via the notification tray?) I see https://mxr.mozilla.org/mozilla-central/source/b2g/components/UpdatePrompt.js but not sure if this is only for system updates or for all updates.
Can individual apps be updated one at a time, i.e , for example, can an app request to check for an update to itself (or can the marketplace do this too?)

Inside Gecko, Apps are represented by a mozIDOMApplication object, which has a checkForUpdate() function.