ubuntu-phone team mailing list archive
Message #03741
Re: Click packages and source code
Take this situation: on app1 user taps "log in with facebook", app1 takes
user to app2 where he logs in to facebook with his account and approves
app1, now app2 takes the user back to app1, where app1 is fed a response
from app2 with the access tokens required to access the user's data.
How would it work with the current no-app-to-app-calls model?
Zisu Andrei
On 13 August 2013 17:04, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
> On 08/13/2013 08:33 AM, Michael Zanetti wrote:
> > On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote:
> >> On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <michael.zanetti@xxxxxxxxxxxxx> wrote:
> >>> Hi,
> >>>
> >>> I've just been watching this demo [1] on how to publish click packages. Looks
> >>> very promising! However, one question that comes up here is at the uploading
> >>> step (3:13 in the video):
> >>>
> >>> The website allows uploading a binary package and a source package. However, I
> >>> can't see any connection between those two. How can I be sure that the binary
> >>> click package indeed contains an unmodified version of the uploaded source
> >>> package? From what I can see here I could easily publish some source code and
> >>> then build a malicious package containing some additional bad code.
> >>
> >> You will be confined by apparmor here and very limited in the bad things
> >> you can do.
> >
> > I don't agree here. I'm not entirely sure how AppArmor works, but I assume it
> > would block access to, for instance, my address book. If I still want to use
> > that app there must be some place where I can grant permissions to an app to
> > access my address book. This is where I would like to know what the package
> > actually does with my address book and where I would need to rely on the fact
> > that the binary package is indeed an *unpatched* version of the uploaded
> > source package.
> >
> Click packages will be confined by AppArmor[1] and there is a permissions model
> where developers declare what the click package can do[2]. Apps are quite
> confined by default by design and they are not allowed to access other apps'
> data, among other things. This is to prevent malicious apps from doing harm to
> the system or obtaining the user's data. Application developers will need to
> use published APIs to access things like locations, online accounts, the
> addressbook, etc and these APIs will be supported in the click manifest. Access
> to data like the address book will be limited and handled via an out of process
> helper which may also help mediate the access (ie, provide a contextual runtime
> prompt). That's the good news-- the bad news is that not all of these APIs are
> implemented today, but they are being worked on. I'll let others comment on
> their status.
>
> More specifically to your question-- click packages and the app store will
> support binary only uploads of packages. With this in mind, it isn't
> particularly useful to have a build server from a security point of view because
> a malicious app author would simply not upload the source to avoid detection. A
> build could be useful for other reasons-- such as to make sure that the app is
> built in a clean environment, etc, but I'll let others comment on that too.
>
> [1] https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
> [2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
> --
> Jamie Strandboge http://www.ubuntu.com/
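The thread's open question is whether an uploaded binary matches the uploaded source. The check a store reviewer would run, when the author did upload source, is to rebuild from that source in a clean environment and diff the two package trees file by file. This is an added example, not code from the thread or from the click tooling; it assumes the binary has already been extracted and a rebuild from the source is available, and the sample trees are constructed inline.

```python
"""Compare a submitted binary package tree against a tree rebuilt from the
submitted source, reporting anything the binary has that the source does not."""
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(
            path.read_bytes()
        ).hexdigest()
    return digests


def compare_trees(binary_root: Path, rebuilt_root: Path) -> dict[str, list[str]]:
    """Classify differences: files only in the binary, only in the rebuild,
    or present in both with different contents."""
    binary, rebuilt = digest_tree(binary_root), digest_tree(rebuilt_root)
    return {
        "only_in_binary": sorted(set(binary) - set(rebuilt)),
        "only_in_rebuild": sorted(set(rebuilt) - set(binary)),
        "modified": sorted(
            p for p in set(binary) & set(rebuilt) if binary[p] != rebuilt[p]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: the rebuild is a clean build of the uploaded source;
    the uploaded binary carries one patched file and one file the source lacks."""
    with tempfile.TemporaryDirectory() as tmp:
        rebuilt, binary = Path(tmp, "rebuilt"), Path(tmp, "binary")
        for root in (rebuilt, binary):
            (root / "lib").mkdir(parents=True)
            (root / "manifest.json").write_text('{"name": "app1"}')
            (root / "lib" / "main.qml").write_text("import QtQuick 2.0\n")
        # The binary's main.qml was changed after the source was uploaded ...
        (binary / "lib" / "main.qml").write_text("import QtQuick 2.0\n// patched\n")
        # ... and the binary ships a file with no counterpart in the source tree.
        (binary / "lib" / "extra.js").write_text("// not in source\n")
        return compare_trees(binary, rebuilt)


if __name__ == "__main__":
    print(demo())
```

As Jamie notes above, this only helps when source is uploaded at all; with binary-only uploads the confinement policy declared in the manifest is the control that remains.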