When remote debugging is enabled, adb and the remote debugging service are available. ADB runs will a lower privileged user on production devices, but it does allow the user to use 'adb forward' to connect to the remote debugger. To limit the risk, FxOS uses only limited debug actors on gonk, to minimise the attack surface. AFAIK, this means: - no web console - no debugger - provides an interface to install apps The point of this review is to establish, document and review exactly which debug actors are available on b2g, and exactly what functionality is exposed. The key threat here is a user who has left adb enabled or left their device unlocked. EG if its possible to access the disk using remote debugger, could possibly steal stored network credentials. Useful links to get started: bug 828863 bug 799151 http://mxr.mozilla.org/mozilla-b2g18/source/b2g/chrome/content/shell.js#951 http://mxr.mozilla.org/mozilla-b2g18/source/toolkit/devtools/debugger/server/dbg-server.js#186 http://mxr.mozilla.org/mozilla-b2g18/source/b2g/chrome/content/dbg-webapps-actors.js#119
The profiler actor is also enabled and provides main process-only profiling AFAIK. This review is only concerned with the current state of affairs that will presumably ship with FxOS 1.0.1 and 1.1, right? The forthcoming support for content process debugging (bug 797627) that will allow us to fully enable remote debugging in production devices is out of scope I presume?
Yes, I was mainly concerned with 1.0.1 and 1.1 but I wasn't aware of 797627. The context of this review was trying to understand the threat profile remote debugging presents (and will present in the future). With 797627 is it expected that you will be able to connect to any content process (and therefore access any sensitive data that app might have stored)? Not saying it should or shouldn't have this access, really I just want to get a complete an accurate understanding.
The plan as I remember it (I can't find the bug right now) was that after bug 797627 debugging will only target content processes on production devices, and every process on desktop builds. This way we would get both flexibility for Gaia developers and risk mitigation for webapp developers and everyday users.