Closed Bug 872053 Opened 11 years ago Closed 6 years ago

Restrict sideloading of apps in FxOS release versions to prevent malware spread

Categories

(Firefox OS Graveyard :: Gaia, defect)

ARM
Gonk (Firefox OS)
defect
Not set
major


RESOLVED WONTFIX

People

(Reporter: cr, Unassigned)

Details

During threat modelling different install and update paths for Firefox OS apps it became apparent that simple point-and-click sideloading of unreviewed privileged code via the remote debugging actor poses a major threat to our app ecosystem security that is largely based on enforcing review of security-critical code.

This discussion started to spin https://bugzilla.mozilla.org/show_bug.cgi?id=863669 off topic, so it is continued here:

(In reply to Paul Theriault [:pauljt] from comment #15)

> Re: side-loaded apps, I think we should have a warning about sideloading,
> but beyond that I agree with comment 10 - not our problem, but if we can
> help the user remove a bad app then we should.

I don't follow the "not our problem" argument. Creating opportunity that other use cases will depend upon is very much our and ultimately the users' problem. It is not hard to imagine "sideload markets" that promise full control over phones when all they require is merely the dismissal of a warning popup that nobody takes seriously or even reads.

For the same reason we use a whitelisting approach for the packaged app API, because after-the-fact blacklisting will break things. To me, this "not our problem" is much more a problem of weighing the benefits against the threats, and I think that we only need to glimpse at the state of Android and the effectiveness of AV technology to realize that we are paving the way to a battlefield that we, too, cannot win.

With the bright decision to channel critical code through a Marketplace review process, we have already decided for a restriction in favor of security, and because security is generally not well-understood, we will be facing tremendous pressure to release that restriction in favor of versatility.

While in the sense of openness it would be very wrong to roadblock the sideloading option altogether, I think that we need to restrict its enormous threat potential to align with the original goals. The idea is to raise the bar for enabling its full potential above "Whoops, how did the Ask toolbar get here again?!" level, and there are several options from having to go through some nasty, unscriptable steps on the phone all down to having to reflash a FxOS developer release. I'm afraid that "Just click OK" just won't cut it.
Summary: Restrict sideloading of apps in FxOS release version to prevent malware spread → Restrict sideloading of apps in FxOS release versions to prevent malware spread
Keep in mind that sideloading is needed for *developers* to let them test their privileged apps on the phone. Without any better mechanism than what we have now I don't think we should make any changes to the current flow.
Another thing to keep in mind is that we want users to be in control of their own device.

I.e. one of the core values for mozilla is that users should be in charge of their browser/device/data. So while I agree that we need to ensure that users don't get tricked into installing malware this way, it's also important that users can override whatever protections we put in place and install whatever they want.

This also serves as an important method for keeping ourselves honest. By having side-loading as an escape valve it means that we're giving ourselves an incentive to not keep certain types of apps out of the marketplace. For example, we couldn't prevent users from getting a competing marketplace since they could just side-load it, and forcing people to side-load things is bad for security, so we'd have the incentive to accept the marketplace into our marketplace.

So rather than making side-loading less powerful, I'd rather make the UI clearer about the risks involved in side-loading. I'd also be ok with making it harder for users to enable side-loading as long as that doesn't impact the developer flow once it's turned on.

At one point we debated forcing users to install an "enable-side-loading app" from the marketplace. I.e. users that wanted to do side-loading, including developers, would have to go to the marketplace and install an app. Then use that app to turn on side-loading.
Side loading should exist for developers no doubt. How else would they get apps on their devices? Ideally we also skip all the signing voodoo that Apple and, to a lesser extent, Google require. It sits in the way of being productive and the ability to easily work together with people.

For ordinary users I strongly believe that an open platform should allow optional side loading of unsigned privileged applications. Like Android does by simply flipping a checkbox and agreeing to a big fat warning about being on your own and using common sense. Without side loading our platform is not open and we would live in a walled garden. It should ultimately be a user choice. With a sane default.


On a technical level I think we should separate Side Loading from Debugging. When users enable Side Loading they likely do not need ADB and remote debugging features. They probably won't even know what it means. Worse, those debugging features actually make your device less secure and open up possibilities for attacks and unwanted inspection.

How difficult would it be to have two checkboxes? "Install apps from alternative sources" and "Enable Remote Debugging".

I understand the two features are tightly coupled now but I think it would be worth investigating how we can split them up.
(In reply to Jonas Sicking (:sicking) from comment #2)
> At one point we debated forcing users to install a "enable-side-loading app"
> from the marketplace. I.e. users that wanted to do side-loading, including
> developers, would have to go to the marketplace and install an app. Then use
> that app to turn on side-loading.

Oh yes, I forgot about that, but I like this option a lot.

(In reply to Stefan Arentz [:st3fan] from comment #3)

> How difficult would be be to have two checkboxes? "Install apps from
> alternative sources" and "Enable Remote Debugging".
> 
> I understand the two features are tightly coupled now but I think it would
> be worth investigating how we can split them up.

They both need to have adb started, but we can decouple the actors plugged into the remote debugging protocol easily.
(In reply to Stefan Arentz [:st3fan] from comment #3)
> Side loading should exist for developers no doubt. How else would they get
> apps on their devices? Ideally we also skip all the signing voodoo that
> Apple and, to a lesser extent, Google require. It sits in the way of being
> productive and the ability to easily work together with people.

That is already the case. No signing needed.

> How difficult would be be to have two checkboxes? "Install apps from
> alternative sources" and "Enable Remote Debugging".

This seems off-topic to this bug. Please file a separate one though. I agree that the current setup has potential to expose users to more risk than needed.
Component: Builds → Gaia
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX