Closed Bug 864849 Opened 12 years ago Closed 11 years ago

[Security Review] B2G Gaia - Third Party Apps

Categories

(mozilla.org :: Security Assurance: Review Request, task, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:64:High][FxOS])

Review third party apps to be delivered on the v1.0.1 phone - Twitter & Facebook apps. (and any others)
We need to know what they are, don't we? Maybe even file one bug per app (as we know about them) and use this as a tracking bug?
Where is the score matrix for the score in the whiteboard?
Assignee: nobody → ptheriault
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [Score:64:High] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:64:High]
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:64:High] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:64:High][FxOS]
I think the list of apps is:
- Accuweather - Hosted
- Nokia Maps - Packaged
- Facebook - Hosted
- Twitter - Hosted
- Youtube - Hosted
- Wikipedia - Hosted
- Cut the Rope - Hosted
- Distant Orbit - Hosted
- Zombie Lines - Hosted
- Rebel Rescue - Hosted
- Sand Trap - Hosted
- Entanglement - Hosted
- Calculator - Packaged
- MiBoa - Hosted
- Audioteka - Hosted

So only Nokia Maps and Calculator are packaged. I would say that probably only Nokia Maps needs review here as the rest are hosted websites (i.e. they can & will change at any time).
So I have had a quick skim through the Nokia app. The Nokia app seems to use some kind of JS framework, and the code in mozilla-central is minified, so it's pretty impossible to review. A few notes though:
- The app only requests the geolocation permission
- It uses MozActivity to initiate dial activities (I guess to call numbers from links)
- It has an escapeHTML function which is regex based (looks ok, but encoding may be a problem)
- Stores data client side using localStorage and IndexedDB. Hard to tell exactly what though.

Ultimately it is a regular web app (i.e. not privileged), so that really is the main mitigation for this app.
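The comment above flags a regex-based escapeHTML as "looks ok, but encoding may be a problem". The block below is an added example, not code from the Nokia Maps app, from Gaia or from this bug: it shows the shape of a single-pass regex escaper that is safe for text content and quoted attribute values, a narrower three-character variant for comparison, and the check a reviewer would actually run, namely whether any character that is special in the target context survives escaping. Function names (escapeHTML, escapeTextOnly, leftoverSpecials, review) and the sample strings are assumptions constructed for the example.

```javascript
// Added example (not the app's or Mozilla's code): a single-pass, regex-based
// HTML escaper of the kind the review comment describes, plus the reviewer's
// check that nothing special for the output context is left behind.

// Entity table for the five characters that are special in text content and
// in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single regex pass: every special character is replaced exactly once, so an
// input that already contains "&amp;" becomes "&amp;amp;" rather than being
// silently preserved (sequential replaces that handle '&' last would
// double-escape the entities they themselves produced).
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Narrower variant that only covers what matters inside text content.
// Shown for comparison: it is NOT sufficient when the result lands inside an
// attribute value, because quotes pass through untouched.
function escapeTextOnly(input) {
  return String(input).replace(/[&<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Reviewer check: which characters that are special in `context`
// ('text' or 'attribute') are still present in the escaped string?
function leftoverSpecials(escaped, context) {
  const specials = context === 'attribute' ? /[<>"']/g : /[<>]/g;
  return escaped.match(specials) || [];
}

// Constructed sample inputs (hypothetical, not taken from any real app).
// The third one carries non-ASCII text: the escaper leaves it unchanged,
// which is why the page's declared character encoding, not the escaper,
// decides whether it renders correctly. That is the "encoding" caveat.
const SAMPLES = [
  'Tom & Jerry <b>bold</b>',
  '"quoted" & \'single\'',
  'Zürich – Genève',
];

// Runs both escapers over the samples and reports what each leaves behind
// in attribute context.
function review() {
  return SAMPLES.map((s) => ({
    input: s,
    escaped: escapeHTML(s),
    leftoverFull: leftoverSpecials(escapeHTML(s), 'attribute'),
    leftoverTextOnly: leftoverSpecials(escapeTextOnly(s), 'attribute'),
  }));
}

console.log(JSON.stringify(review(), null, 2));
```

The point for a review is that an escaper is only "ok" relative to the contexts it is used in: the full five-character version leaves nothing special behind in either context, while the three-character version is clean for text but leaves quotes behind in attribute values, which is the first thing to look for when a minified app cannot be read end to end.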
Confirmed app list on device. Nothing further to do here.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED