Allow Unlisted apps to be accessible even when not reviewed

RESOLVED WONTFIX

Status

P4
enhancement
4 years ago
3 years ago

People

(Reporter: Harald, Unassigned)

Tracking

({productwanted})


Details

(Whiteboard: [marketplace-transition])

(Reporter)

Description

4 years ago
We have some devs that use Unlisted for developing against FxPay, as it requires the app to be submitted to Marketplace for testing. Iterations are slowed down by the review, which is required even when the app is Unlisted for development reasons. Is there a way that we can have Unlisted apps available to install even if they aren't reviewed yet?

This would seem to be opening up a way to get malicious apps out in the wild. The URL to an unlisted app can be shared and published widely via various means. Blocklisting isn't enough of a defence as it's after the damage has happened and relies on the user choosing to install the fake update we would push.

There is an argument for making apps be installable by the developer only (i.e. require login, restrict to listed owners/developers of the app) during review. There is still a small risk of us signing something for public distribution without it being reviewed, even if it's difficult for someone else to install it (would need security opinion here).

I can't recall the exact reason why FxPay requires the app to be already reviewed and installed off Marketplace (as opposed to pushed with WebIDE or their own website), but changing that procedure so it's not necessary would seem to me to be the actual fix to the problem.
(Reporter)

Comment 2

4 years ago
> This would seem to be opening up a way to get malicious apps out in the wild. The URL to an unlisted app can be shared and published widely via various means. Blocklisting isn't enough of a defence as it's after the damage has happened and relies on the user choosing to install the fake update we would push.

We have the same for self-signed SSL certs, where the user can accept the cert through some tedious steps. This is not the first case where the browser allows the user to get to a possibly insecure resource. We could give UX a shot at it.

Another reason to have a fastpath for Unlisted apps: Privileged apps for Desktop can currently only be installed through Marketplace, as side-loading isn't available (bug 1157463).

(In reply to Harald Kirschner :digitarald from comment #2)
> > This would seem to be opening up a way to get malicious apps out in the wild. The URL to an unlisted app can be shared and published widely via various means. Blocklisting isn't enough of a defence as it's after the damage has happened and relies on the user choosing to install the fake update we would push.
> 
> We have the same for self-signed SSL certs, where the user can accept the
> cert through some tedious steps. This is not the first case where the
> browser allows to get to a possibly insecure resource. We could give UX a
> shot at it.

Sure, some browser/platform UX could be added that allows unsigned privileged apps to be installed from arbitrary domains - it's up to the platform UX guys to make that safe. The experience with AMO and addons has shown that it's a bad idea for us to do it on our web properties though. But, as I mentioned, I can see a use case for developers to be able to download their own submissions, signed, for installation.

Who can answer the question about FxPay requiring the app being submitted to the Marketplace?

Can developers download their apps from their devhub pages already?

I agree about the security concerns. We don't want in-app products to be fully purchasable until the app is approved. Part of the approval process will be to vet the products (I think).

However, we can implement something where the products can be purchased only in simulation mode until the app is approved. This will allow developers to list their real products and click the buy button, trigger a simulated payment, then test their fulfillment code. 

This is the same as how fake products currently work, but by using real products they will get a chance to do things like map real ID numbers to configuration, which is sometimes necessary.

(In reply to Wil Clouser [:clouserw] from comment #4)
> Can developers download their apps from their devhub pages already?

They can download the unsigned zips (what they uploaded) but the signed zip for distribution isn't created until the app is approved.

That makes sense. Hopefully comment 5 addresses this bug.

Severity: normal → enhancement
Keywords: productwanted
Priority: -- → P4
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
Whiteboard: [marketplace-transition]