Apps with deviceStorage permission could add fake certificates

NEW
Unassigned

Status

Firefox OS
Gaia::Settings
4 years ago
2 years ago

People

(Reporter: pauljt, Unassigned)

Tracking

({sec-low})

unspecified
x86
Mac OS X
sec-low
Dependency tree / graph

Firefox Tracking Flags

(tracking-b2g:backlog)

Details

(Reporter)

Description

4 years ago
Currently the code in 926334 introduces functionality to import certificates for the purposes of authenticating servers involved in WiFi access. The process is as follows:

1. the user copies a file with a specific extension _anywhere_ on the sdcard
2. the user navigates to the settings app -> wifi -> import certificates
3. the user is shown a list of all certificates on the sdcard (cer,crt, der,pem)

One side-effect of this, is that any app that has access to any device-storage permission (apps,crashes,pictures,music,videos,sdcard) can create a certificate for the user to import. 

I don't think this is a super high risk, but it also seems like the sort of thing that could lead to issues down the track. 

I think we should at least require that certificates live in a specific location of the sdcard (sdcard/certificates/) or possibly even create a new device-storage API just for certificates (seems a bit overkill)?

I also worry that future APIs and feature will allow writing data to the sdcard that may further interfere with this feature. "Downloads" for example? Or what about email attachments?
(Reporter)

Comment 1

4 years ago
Of course, downloading and then installing a certificate is also probably a valid use case!
Yes, I think it would be a small risk issue in the use case. In addition to the use case, It will cost a lot of time for scanning all SD card. If there are a lot of media files in SD card, that would be more waiting time for a user.

(In reply to Paul Theriault [:pauljt] from comment #0)
> I think we should at least require that certificates live in a specific
> location of the sdcard (sdcard/certificates/) or possibly even create a new
> device-storage API just for certificates (seems a bit overkill)?

I would like to vote the option to create a specific location of the sdcard/certificates. Maybe the folder name is sufficient guiding a user to put certificate file there.
(Reporter)

Updated

4 years ago
No longer blocks: 945094
Depends on: 945094

Comment 3

2 years ago
ni eden to check if its been addressed
tracking-b2g: --- → backlog
Flags: needinfo?(echuang)

(In reply to Paul Theriault [:pauljt] from comment #0)
> Currently the code in 926334 introduces functionality to import certificates
> for the purposes of authenticating servers involved in WiFi access. The
> process is as follows:
> 
> 1. the user copies a file with a specific extension _anywhere_ on the sdcard
> 2. the user navigates to the settings app -> wifi -> import certificates
> 3. the user is shown a list of all certificates on the sdcard (cer,crt,
> der,pem)
> 
> One side-effect of this, is that any app that has access to any
> device-storage permission (apps,crashes,pictures,music,videos,sdcard) can
> create a certificate for the user to import. 

According to currently design, the answer is yes.

> I don't think this is a super high risk, but it also seems like the sort of
> thing that could lead to issues down the track. 
> 
> I think we should at least require that certificates live in a specific
> location of the sdcard (sdcard/certificates/) or possibly even create a new
> device-storage API just for certificates (seems a bit overkill)?

Specific location is a good idea. Just like picture and video, we probably need new permission device-storage-certificate are also created for certificate file accessing.
But even new location and new permission are created, apps has access on other permission probably still can write a certificate for user import. New location and permission might be just a guide for developers to use the permission properly.  

> I also worry that future APIs and feature will allow writing data to the
> sdcard that may further interfere with this feature. "Downloads" for
> example? Or what about email attachments?
Flags: needinfo?(echuang)
You need to log in before you can comment on or make changes to this bug.