Closed Bug 850334 Opened 12 years ago Closed 10 years ago

Privileged app can't be installed for testing without Gaia rebuild

Categories

(Core Graveyard :: DOM: Apps, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tofumatt, Unassigned)

Details

(Whiteboard: [INVALID?])

Howdy,

From what I can tell, installing a privileged, packaged app doesn't work without adding it to the Gaia apps directory and rebuilding Gaia. There should be some kind of developer options flag that lets developers install privileged apps from places that aren't the Marketplace, or at least from a whitelist of domains. In addition, this would (assuming the flag allowed installs from anywhere) allow privileged apps that we don't let on the Marketplace (e.g. porn, etc.) to install on a user's phone.

If it's possible to do this without rebuilding Gaia, we're totally lacking documentation on it, at least on the relevant MDN pages. If that's the case I'll file a separate bug.
Component: General → DOM: Apps
Product: Boot2Gecko → Core
Version: unspecified → Trunk
I think this is invalid. We originally had such a developer options flag, but security squashed this idea into the ground for the security risks it poses.
Flags: needinfo?(amac)
Whiteboard: [INVALID?]
Antonio - Do you agree or disagree on my comment 1 claim?
For what it's worth, this requires developers to reflash their phone or at least install an entirely new Gaia on it to test their privileged apps. Every. Time. It also renders the Firefox Simulator add-on worthless for packaged apps. iOS and Android allow this (Android allows app installs from anywhere even for NON-development purposes). I think the losses for productivity here are huge; personally, it makes me not want to develop packaged apps. And I work here. :-(
That's just not true. You can push privileged and certified apps to your phone using the remote debugging protocol. I have an add-on that lets you do that at https://github.com/fabricedesre/b2gremote, and Myk also added this feature to the latest version of the Simulator add-on.
Well that's awesome then. I can't find any of this documentation on MDN, so my bad. Adding my app with a privileged manifest to the Simulator didn't register it as privileged, so I seem to be confused about whether there are extra steps or not.
FWIW, effectively the proposed setting used to exist and was removed because it was a big, glaring security hole. I was looking up Fabrice's add-on URL but I see he did beat me to it :). Also you don't have to install an entirely new Gaia every time to test your apps. You have to do that the first time you add an app (if you're not using Fabrice's add-on, or if you haven't set up your own 'store' to install your apps remotely). After that you can just push your app, except if you have changed the manifest. In that case you have to force the phone to re-create the permissions database, re-register the messages, and so on. I have a small shell script that fools the phone into believing it's on the first run after a reset and recreates the DB. I can put it somewhere if there's interest.
Flags: needinfo?(amac)
On the note of it being a security hole: if the user has to manually enable it, I don't see how it's any more of a security hole than Android's "install apps from anywhere" switch, which is needed to install Nightly Firefox for Android. We effectively limit packaged apps to the Marketplace for regular users without said flag, no? That seems very, well, iOS-like.
(In reply to Matthew Riley MacPherson [:tofumatt] from comment #7)
> On the note of it being a security hole: if the user has to manually enable it, I don't see how it's any more of a security hole than Android's "install apps from anywhere" switch, which is needed to install Nightly Firefox for Android.

It was a security hole because it was too broad. It also deactivated a lot of permission checks. It made regular browsing the web dangerous with that mode active.

> We effectively limit packaged apps to the Marketplace for regular users without said flag, no? That seems very, well, iOS-like.

No, we limit privileged apps to the Marketplace. Regular (as in not needing privileged permissions) apps can be installed from any web page.
Yeah, sorry, the latter point was a typo; I meant to say "limit privileged apps to the Marketplace". Effectively, we're doing what iOS does then: allowing web apps to be installed from the home screen, and anything else has to go through our review process. If we don't let something that needs more permissions than pretty much what a web page gets (i.e. no systemXHR, which is a big one for any "app") on the Marketplace, users don't get the chance to install it.

I don't get how regular browsing is at risk when users are allowed to install apps from anywhere. There's still a permissions dialog/an install dialog. It's not like servers can just install an app from anywhere without explicit user permission.

This all just seems needlessly locked down. Even once a privileged app is installed, it's sandboxed and has a pretty restrictive CSP. If the security model of apps is good and things like Contacts and Calendar access require user permission/notification before app installation, this doesn't SEEM like it should be an issue. I feel like I'm missing something here.
(In reply to Matthew Riley MacPherson [:tofumatt] from comment #9)
> Yeah, sorry, latter point was a typo; I meant to say "limit privileged apps to the Marketplace".

It's very easy to allow other stores to also provide privileged apps.

> Effectively, we're doing what iOS does then: allowing web apps to be installed from the home screen, and anything else to have to go through our review process. If we don't let something that needs more permissions than pretty much what a web page gets (ie no systemXHR, which is a big one for any "app") on the Marketplace, users don't get the chance to install it.

I don't understand at all what you're saying. Users/devs can sideload apps with any permission. When an app comes from a store, it can be privileged if the store is vetted. That seems a reasonable way to both protect the vast majority of non-technical users while letting hackers hack.

> I don't get how regular browsing is at risk when users are allowed to install apps from anywhere. There's still a permissions dialog/an install dialog. It's not like servers can just install an app from anywhere without explicit user permission.

There is no permission dialog, only an install confirmation dialog.

> This all just seems needlessly locked down. Even once a priviledged app is installed, it's sandboxed and has a pretty restrictive CSP. If the security model of apps is good and things like Contacts and Calendar access require user permission/notification before app installation, this doesn't SEEM like it should be an issue.

Again, we don't want to ask the user to make this kind of decision; this is a broken model. People just end up letting the app use whatever it asks, like on Android. You should read https://wiki.mozilla.org/Apps/SecurityDetails to get a more detailed description of the security model, and then come voice your opinion in dev-b2g.
(In reply to Matthew Riley MacPherson [:tofumatt] from comment #5)
> Well that's awesome then. I can't find any of this documentation on MDN, so my bad.
>
> Adding my app with a privileged manifest to the Simulator didn't register it as priviledged, so I seem to be confused if there are extra steps or not.

It should do so. Perhaps there's a bug. Can you point me at your app so I can investigate further?

Also, you might want to try on the latest preview build, in case there's a bug we fixed recently that addresses your problem:

Windows: https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/r2d2b2g-windows.xpi
Mac: https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/r2d2b2g-mac.xpi
Linux: https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/r2d2b2g-linux.xpi
> It's very easy to allow other stores to also provide privileged apps.

Could you tell me the way to sign privileged apps? I can't find it on MDN. Thank you very much in advance!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard