Security/Reviews/APK Factory

From MozillaWiki
Revision as of 14:40, 20 November 2013 by Curtisk (talk | contribs)

Item Reviewed

APK Factory
Target
   
     Full Query    
   
ID      Summary                                                Priority  Status
896003  [theme] Support for Synthetic APKs (Fennec / Android)  --        RESOLVED
936725  [SecReview]: APK Factory                               --        RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

APK Builder web service

  • Two key services:
    • Given an Open Web App manifest (or packaged app), produce an Android .apk install file
    • Given a list of web app manifests and version numbers, determine which apps are out of date

Status

  • Working prototype - https://github.com/jhugman/synth-apks
  • Proposed Architecture - https://www.lucidchart.com/documents/view/4262-9680-5285454a-bd0a-4a150a00de40
  • rforbes diagram: CZ67.png
  • Prereq: user has to allow install from other stores
    • ( corner case - .apks uploaded into Google Play store)
  • The apps are still web apps with a browser wrapper; this just allows them to be controlled as individual processes and have the app name show up appropriately.
  • Main concern is Android keys; keys are per-app. You can't update an app if you lose the key.
  • Create Android apps for developers, so we need to create these keys and manage them.
  • Dolphin does something similar, they still use their browser to run them.
  • You must have Fennec installed, Android Intents are used to launch them
  • We're creating private keys and storing them.
  • We will tell developers that they can give us their private keys.

storage, management.

  • Marketplace will have a UI for developers to update their keys.
    • High risk, obvious benefits?
  • Keys are per app, not per developer key across all your apps.
  • APK Signer - Use solitude again.
    • HSM can take many months...
    • It's possible to sign multiple apps with the same key, to enable privileged communication (SSO)
  • Upload dev key -> V2
  • Access will be locked down via the marketplace.

(IP Address OAuth...)

  • Fennec implements mozApps.install -> talks to APK Factory in the demo
  • Bundling on the fly can be a scaling detail...

??? confusion around the production plan for the service

What solutions/approaches were considered other than the proposed solution?


Why was this solution chosen?

  • Allows apps to show up in process manager as themselves
  • Allows for an install experience that users are familiar with

Any security threats already considered in the design and why?


Threat Brainstorming

  • Are the developers uploading their private key for signing?
    • Yes, moved to v2
  • Is the Android and Fx app signature checked on install / launch?
    • Yes both are checked
  • HSMs to store the keys (like FxOS) - mainly if storing dev's own keys
  • Otherwise apps are also verified through a separate Firefox OS app signature (checked by code from firefox.apk, not the application's apk)
  • Is it possible to physically separate the two use-cases? Keep the production infrastructure that does the (offline non-realtime) apk building for Marketplace separate from the public web service that developers really only use for testing? Limits attack surface of production infrastructure. Allows for much stricter separation of deployments.
  • An exploit in the downloading, processing of a packaged app? Malformed zip file being extracted over a signed file?
  • (AMO may have code or procedures to help here)
  • Multiple filenames in the zip file.
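The last three brainstorming items (a malformed zip extracted over a signed file, duplicate entry names, and whatever AMO already does) amount to one defensive control: validate the uploaded package's central directory before anything is written to disk. The Python below is an added example, not code from the APK Factory prototype or from AMO; the protected signing-metadata entry names and the sample archive are assumptions constructed for illustration.

```python
"""Pre-extraction checks for an uploaded packaged app (a zip) before it is
repackaged and signed into an APK. Added example; not APK Factory code.
Rejects the archive rather than trying to repair it."""
import io
import posixpath
import zipfile

# Entries the signing step writes after extraction. An upload must not be able
# to pre-seed or overwrite them (assumed names, modelled on APK/JAR signing).
PROTECTED = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}


def find_zip_problems(data: bytes) -> list:
    """Return (entry_name, reason) pairs for entries that must block extraction."""
    problems = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Two central-directory records with the same path let an
            # extractor write one file while a verifier hashes the other.
            if name in seen:
                problems.append((name, "duplicate entry name"))
                continue
            seen.add(name)
            # Absolute paths, drive letters and backslashes are never
            # legitimate in a web app package.
            if name.startswith("/") or "\\" in name or ":" in name.split("/")[0]:
                problems.append((name, "absolute or non-POSIX path"))
                continue
            # Normalised path must stay inside the extraction root.
            norm = posixpath.normpath(name)
            if norm == ".." or norm.startswith("../"):
                problems.append((name, "path traversal"))
                continue
            # Unix mode lives in the high 16 bits of external_attr; a symlink
            # entry can redirect a later write in the same archive.
            mode = (info.external_attr >> 16) & 0o170000
            if mode == 0o120000:
                problems.append((name, "symlink entry"))
                continue
            if norm in PROTECTED:
                problems.append((name, "overwrites signing metadata"))
    return problems


def is_safe_upload(data: bytes) -> bool:
    """True when the archive has no entry that would be unsafe to extract."""
    return not find_zip_problems(data)


def build_sample_upload() -> bytes:
    """Constructed sample archive (not a real app) exercising each check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.webapp", '{"name": "Demo"}')
        zf.writestr("index.html", "<html></html>")
        zf.writestr("index.html", "<html>second copy</html>")  # duplicate name
        zf.writestr("../../etc/hosts", "traversal")            # escapes root
        zf.writestr("META-INF/CERT.RSA", "attacker-supplied")  # shadows signer
        link = zipfile.ZipInfo("link")                          # symlink entry
        link.external_attr = 0o120777 << 16
        zf.writestr(link, "index.html")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in find_zip_problems(build_sample_upload()):
        print(f"reject {entry!r}: {reason}")
```

The check runs on the central directory only, so nothing is extracted when it fails; running it before the signer sees the tree is what keeps a crafted upload from landing a file where the signature metadata will later be written.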


Action Items

Action Item Status: None
Release Target:
Action Items:
