
ubuntu-phone team mailing list archive

Re: webapps and script injection


On Sat, Apr 11, 2015 at 12:15 AM, Alan Bell <alanbell@xxxxxxxxxx> wrote:

> Hi all,
>
> there is a somewhat sparsely documented feature of webapps that allows you
> to specify --webappModelSearchPath=. as a parameter of webapp-container in
> the .desktop file and have a file called webapp-properties.json in the
> project. This can specify a script to be loaded into the webapp, which you
> can also put in the package or possibly on a remote server, an example of
> this can be found here http://bazaar.launchpad.net/~sil/+junk/seshat/files
>
> Now this got me thinking about all the awesome stuff I could do with this,
> I could write a webapp that wraps my online banking and paypal and then it
> scrapes the statements and offers to reconcile stuff against my Odoo server
> or something. Awesome. Someone else could do this too, and write a webapp
> that wraps a bank and does evil stuff, this would then instantly pass all
> the automated tests and be published in the store ready for people to start
> using. This is a bit of a worry. I did install the HSBC app when I got the
> phone, but I didn't run it until today when I figured out how to read the
> source (it is in /opt/click.ubuntu.com/hsbc.krysztau) however I fear that
> I am a bit of an outlier and most people will run a banking application
> without first reading the packaging source and checking for evil stuff.
>
> Perhaps it would be an idea to have a manual review process for webapps
> that insert stuff where the developer can't prove that they control the
> website in question.


Yep, definitely a good idea. Thanks Alan! We have a set of checks for
this script injection kit, from its desktop beginnings.

However, that should mostly flag common attack vectors. Checking the
identity of the author / publisher of an app still is a key factor in
deciding whether to trust it with your online credentials.

David
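One way to automate the kind of review Alan asks for, as an added example that is not code from the Ubuntu store review tools or from either poster: a reviewer-side check that reads a package's .desktop file and its webapp-properties.json, and flags script injection into a site the developer has not been verified to control, scripts fetched from a remote server (whose content can change after review), and script paths that reach outside the package. The JSON key names ("domain", "user-scripts") and the list of verified domains are assumptions, not something the thread states.

```python
"""Reviewer-side check for Ubuntu webapp packages that inject scripts.

Added example; not the store's own review tooling. Assumed (not stated in
the thread): webapp-properties.json names the wrapped site under "domain"
and the injected scripts under "user-scripts".
"""
import json
from urllib.parse import urlparse


def parse_desktop_exec(desktop_text):
    """Return the Exec= value of a .desktop file, or None if absent."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def uses_script_injection(exec_line):
    """True when webapp-container is told where to find webapp-properties.json."""
    return bool(exec_line) and "webapp-container" in exec_line \
        and "--webappModelSearchPath" in exec_line


def review_script_injection(desktop_text, properties_text, verified_domains=()):
    """Return a list of (kind, detail) findings for a reviewer to act on."""
    findings = []
    if not uses_script_injection(parse_desktop_exec(desktop_text)):
        return findings  # no model search path, so no script injection to review

    props = json.loads(properties_text)
    domain = props.get("domain", "")
    scripts = props.get("user-scripts", [])

    # Scripts injected into a site the developer has not proven to control
    # are exactly the case the thread proposes for manual review.
    if scripts and domain not in verified_domains:
        findings.append(("manual-review",
                         f"injects {len(scripts)} script(s) into '{domain}' "
                         "without verified control of that site"))

    for script in scripts:
        url = urlparse(script)
        if url.scheme in ("http", "https"):
            # Remote code is outside the reviewed package and can change later.
            findings.append(("remote-script", script))
            if url.scheme == "http":
                findings.append(("plaintext-fetch", script))
        elif script.startswith("/") or ".." in script.split("/"):
            # Path leaves the package directory the reviewer inspected.
            findings.append(("path-escape", script))
    return findings


# Constructed sample inputs (not a real package).
SAMPLE_DESKTOP = """[Desktop Entry]
Name=Example Bank
Exec=webapp-container --webappModelSearchPath=. https://bank.example/
Type=Application
"""

SAMPLE_PROPERTIES = json.dumps({
    "name": "example-bank",
    "domain": "bank.example",
    "user-scripts": [
        "scripts/reconcile.js",          # shipped in the package: fine
        "http://cdn.example/helper.js",  # remote, and fetched in plaintext
        "../../tmp/extra.js",            # escapes the package directory
    ],
})

if __name__ == "__main__":
    for kind, detail in review_script_injection(SAMPLE_DESKTOP, SAMPLE_PROPERTIES):
        print(f"{kind}: {detail}")
```

A package whose Exec line does not pass --webappModelSearchPath produces no findings, so the check only costs reviewer time for packages that actually use the injection feature; the "manual-review" finding is the one that should route a package to a human rather than the automated tests alone.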
