Figure out how to allow sideloaded certified app debugging

RESOLVED INVALID

Status

P1
normal
RESOLVED INVALID
5 years ago
6 months ago

People

(Reporter: ochameau, Unassigned)

Tracking

unspecified
Firefox 34

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
Up to and including 1.1, certified app sideloading was forbidden.
Now, with bug 927108 being fixed, we can install certified apps but still can't debug stock certified apps nor the ones we install.

We need to find ways to allow, at least debugging of the one installed via the devtools, but also figure out how to easily enable gaia debugging.

One way to fix that would be to flag apps being installed after the debugging mode is enabled and allow debugging of any app being installed when it is on.

+1, assuming we figure out how to make the enabling of this explicit. I like how Android does this, having to do a certain obscure sequence of actions to enable developer features.
(In reply to Jeff Griffiths (:canuckistani) from comment #1)
> +1, assuming we figure out how to make the enabling of this explicit. I like
> how Android does this, having to do a certain obscure sequence of actions to
> enable developer features.

This bug is about certified apps only. If a user action on the device can enable certified apps debugging, that'd be a security issue.

I must have missed something here.

If we can install certified apps… how is forbidding certified apps debugging still useful?

(In reply to Paul Rouget [:paul] from comment #3)
> I must have missed something here.
> 
> If we can install certified apps… how is forbidding certified apps debugging
> still useful?

So if I understand correctly, certified apps can't access data from other certified apps, so if we can identify which apps have been installed from the app manager, we can allow debugging for these apps.
(Reporter)

Comment 5

5 years ago
(In reply to Paul Rouget [:paul] from comment #4)
> (In reply to Paul Rouget [:paul] from comment #3)
> > I must have missed something here.
> > 
> > If we can install certified apps… how is forbidding certified apps debugging
> > still useful?
> 
> So if I understand correctly, certified apps can't access data from other
> certified apps, so if we can identify which apps have been installed from
> the app manager, we can allow debugging for these apps.

Yes, it is being considered safe. By default, even with the certified mozapp API, I don't think you can install an evil app for an arbitrary origin in order to steal one particular app's data.
But TBH I wouldn't be surprised if we find tricks to somehow do it... I haven't tried to see if we could do that with the `origin` manifest property or with a man-in-the-middle server faking a particular origin.

Updated

5 years ago
Priority: -- → P1
Blocks: 893669

When I last checked this week you could use the developer tools against the Gaia certified apps already installed in the simulator. Does that not work any more?
(Reporter)

Comment 7

5 years ago
Ben, this bug is only for production devices. Gaia developers just have to set DEVICE_DEBUG=1 (in userconfig or when calling gaia's make) in order to be able to debug certified apps.
Assignee: nobody → paul
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → Firefox 34
Duplicate of bug: 1040779
Ryan, this is about certified app installed by the user.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: Figure out how to allow/enable certified app debugging → Figure out how to allow sideloaded certified app debugging

Updated

4 years ago
Assignee: paul → nobody
No more apps.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago → 2 years ago
Resolution: --- → INVALID

Updated

6 months ago
Product: Firefox → DevTools