Closed Bug 1093308 Opened 10 years ago Closed 10 years ago

You can download the code for the package apps

Categories

(Marketplace Graveyard :: API, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: moreno.rdr, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141027150301

Steps to reproduce:

1. Find the app you want to download
2. From its URL, extract the last part, the identifier of the app
3. Copy the ID and replace it in this URL: https://marketplace.firefox.com/api/v1/apps/app/{APP-ID}
4. In the JSON that the API returns, search for the term "zip"; there is the URL to the zip file containing the entire app.

EXAMPLE:

1. I found this app (it's mine): https://marketplace.firefox.com/app/paseapp
2. I copied the identifier of that app: paseapp
3. I generated the URL with the identifier: https://marketplace.firefox.com/api/v1/apps/app/paseapp/
4. I found the package URL (https://marketplace.firefox.com/downloads/file/230068/paseapp-0.5.5.zip)
5. I downloaded the app and may have access to its code and/or art

Actual results:

I can download the zip file containing the entire app, and can access its code, art (images, sound, video), etc. I know that the web is open by nature, but now that Mozilla has strategic allies such as Disney, EA, and other large enterprises, many of these companies would not be at all happy to know that anyone has access to the code and/or art. I think in this sense we must take some care, as the press lately is also very attentive to any "failure" of security and sometimes exaggerates things just for sensationalism.

Expected results:

I think the Marketplace API is pretty good, but the URL that contains the ZIP with the whole app should not be accessible to everyone, only to people in the Marketplace and the company and its developers.
Summary: You can download the code for the app → You can download the code for the package apps
This is by design.
Group: client-services-security
how would one install the app if the zip file wasn't available for download?
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
(In reply to Andrew Williamson [:eviljeff] from comment #2)
> how would one install the app if the zip file wasn't available for download?

It definitely has to be hosted somewhere and should be accessible for download ... But must that URL be accessible by all? My big problem with its current operation is that I could easily download the zip with the app to steal intellectual property, including that of Mozilla's partners, which on some occasions could be misconstrued or cause conflicts with partners.
Free apps can be installed without logging into Marketplace, so yes, it does need to be accessible to all. At the point of installation the app must be downloaded (if it's packaged) - at that point it's trivial to copy the zip from the folder (for Desktop), or use ADB to pull the zip from the device (for Android/FxOS). Such is the design of webapps.
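Because the package zip is public by design, as the comment above explains, anything shipped inside it should be treated as published. The following is an added example, not part of the original bug thread or of Marketplace code: a pre-submission audit of a packaged-app zip. The filename and content heuristics and the sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Heuristics below are assumptions of this example, not Marketplace rules.
RISKY_NAMES = [
    (re.compile(r"(^|/)\.git(/|$)"), "version-control metadata"),
    (re.compile(r"(^|/)\.env(\.|$)"), "environment file"),
    (re.compile(r"\.map$"), "source map"),
    (re.compile(r"\.(pem|key|p12)$"), "key material"),
]
RISKY_CONTENT = [
    (re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "embedded private key"),
    (re.compile(rb"(?i)(api[_-]?key|secret|passw(or)?d)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
     "hard-coded credential"),
]
MAX_SCAN = 5 * 1024 * 1024  # skip content scan of very large members

def audit_package(data: bytes):
    """Return sorted (path, reason) findings for a packaged-app zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for rx, reason in RISKY_NAMES:
                if rx.search(info.filename):
                    findings.add((info.filename, reason))
            if info.file_size > MAX_SCAN:
                continue
            body = zf.read(info)
            for rx, reason in RISKY_CONTENT:
                if rx.search(body):
                    findings.add((info.filename, reason))
    return sorted(findings)

def build_sample() -> bytes:
    """Constructed sample package; every name and value in it is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.webapp", '{"name": "Demo"}')
        zf.writestr("js/app.js", 'var API_KEY = "constructed-0123456789";')
        zf.writestr("js/app.js.map", '{"version": 3, "sources": ["src/app.js"]}')
        zf.writestr(".git/config", "[core]\n\tbare = false\n")
    return buf.getvalue()

if __name__ == "__main__":
    for path, reason in audit_package(build_sample()):
        print(f"{path}: {reason}")
```

Run against the real build artifact before upload, any finding is something every installer of the app can read.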