← Back to team overview

ubuntu-phone team mailing list archive

Re: Click packages and source code

 

On 08/13/2013 11:23 AM, Zisu Andrei wrote:
> Take this situation: on app1 user taps "log in with facebook", app1 takes user
> to app2 where he logs in to facebook with his account and approves app1, now
> app2 takes the user back to app1, where app1 is fed a response from app2 with
> the access tokens required to access the user's data. 
> 
> How would it work with the current no-app-to-app-calls model?
> 

app1 can't "take the user to app2". If app1 wants to connect to facebook, it
must specify the "accounts" policy group in the manifest and use online accounts
to get the tokens (and when this online accounts work lands (soon), the user
will be prompted on if app1 can connect to facebook (after which, online
accounts will cache the result)).

> Zisu Andrei
> 
> 
> On 13 August 2013 17:04, Jamie Strandboge <jamie@xxxxxxxxxxxxx
> <mailto:jamie@xxxxxxxxxxxxx>> wrote:
> 
>     On 08/13/2013 08:33 AM, Michael Zanetti wrote:
>     > On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote:
>     >> On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <
>     >>
>     >> michael.zanetti@xxxxxxxxxxxxx <mailto:michael.zanetti@xxxxxxxxxxxxx>> wrote:
>     >>> Hi,
>     >>>
>     >>> I've just been watching this demo [1] on how to publish click packages.
>     >>> Looks
>     >>> very promising! However, one question that comes up here is at the
>     >>> uploading
>     >>> step (3:13 in the video):
>     >>>
>     >>> The website allows to upload a binary package and a source package.
>     >>> However, I
>     >>> can't see any connection between those two. How can I be sure that the
>     >>> binary
>     >>> click package indeed contains an unmodified version of the uploaded source
>     >>> package? From what I can see here I could easily publish some source code
>     >>> and
>     >>> then build a malicious package containing some additional bad code.
>     >>
>     >> You will be confined by apparmor here and very limited in the bad things
>     >> you can do.
>     >
>     > I don't agree here. I'm not entirely sure how AppArmor works, but I assume it
>     > would block access to, for instance, my address book. If I still want to use
>     > that app there must be some place where I can grant permissions to an app to
>     > access my address book. This is where I would like to know what the package
>     > actually does with my address book and where I would need to rely on the fact
>     > that the binary package is indeed an *unpatched* version of the uploaded
>     > source package.
>     >
>     Click packages will be confined by AppArmor[1] and there is a permissions model
>     where developers declare what the click package can do[2]. Apps are quite
>     confined by default by design and they are not allowed to access other app's
>     data, among other things. This is to prevent malicious apps from doing harm to
>     the system or obtaining the user's data. Application developers will need to
>     used published APIs to access things like locations, online accounts, the
>     addressbook, etc and these APIs will be supported in the click manifest. Access
>     to data like the address book will be limited and handled via an out of process
>     helper which may also help mediate the access (ie, provide a contextual runtime
>     prompt). That's the good news-- the bad news is that not all of these APIs are
>     implemented today, but they are being worked on. I'll let others comment on
>     their status.
> 
>     More specifically to your question-- click packages and the app store will
>     support binary only uploads of packages. With this in mind, it isn't
>     particularly useful to have a build server from a security point of view because
>     a malicious app author would simply not upload the source to avoid detection. A
>     build could be useful for other reasons-- such as to make sure that the app is
>     built in a clean environment, etc, but I'll let others comment on that too.
> 
>     [1]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
>     [2]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
>     --
>     Jamie Strandboge                 http://www.ubuntu.com/
> 
> 
>     --
>     Mailing list: https://launchpad.net/~ubuntu-phone
>     Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
>     <mailto:ubuntu-phone@xxxxxxxxxxxxxxxxxxx>
>     Unsubscribe : https://launchpad.net/~ubuntu-phone
>     More help   : https://help.launchpad.net/ListHelp
> 
> 
> 
> 


-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature


Follow ups

References