ubuntu-phone team mailing list archive

Re: webapps and script injection

 

Hi Alan,

as David just said, we indeed have short-term plans to move in that
direction. At the moment, any webapp is "shielded" by 3 layers of security
measures:

- the scripts are not injected in the same JS world as the webpage's
(they only share the DOM),
- they are subject to the same CORS, etc. security rules provided by the
webview context,
- the clicks are shielded at the system level by apparmor,

We did internally set up specific processes and documents to review
webapps that do use scripts, and we have automated scripts to review them and
catch as many potentially harmful situations as possible; those are in the
process of being deployed. We also discussed (and this is the direction
things are going) making those webapps automatically go through a manual
review and be flagged as such.

We also discussed potential updates to the click description/user warnings
etc. to make sure the user is well aware of those upon installation.

I hope it clarifies the roadmap for those :)


On Mon, Apr 13, 2015 at 11:40 AM, David Barth <david.barth@xxxxxxxxxxxxx>
wrote:

> On Sat, Apr 11, 2015 at 12:15 AM, Alan Bell <alanbell@xxxxxxxxxx> wrote:
>
>> Hi all,
>>
>> there is a somewhat sparsely documented feature of webapps that allows you
>> to specify --webappModelSearchPath=. as a parameter of webapp-container in
>> the .desktop file and have a file called webapp-properties.json in the
>> project. This can specify a script to be loaded into the webapp, which you
>> can also put in the package or possibly on a remote server, an example of
>> this can be found here http://bazaar.launchpad.net/~sil/+junk/seshat/files
>>
>> Now this got me thinking about all the awesome stuff I could do with
>> this, I could write a webapp that wraps my online banking and paypal and
>> then it scrapes the statements and offers to reconcile stuff against my
>> Odoo server or something. Awesome. Someone else could do this too, and
>> write a webapp that wraps a bank and does evil stuff, this would then
>> instantly pass all the automated tests and be published in the store ready
>> for people to start using. This is a bit of a worry. I did install the HSBC
>> app when I got the phone, but I didn't run it until today when I figured
>> out how to read the source (it is in /opt/click.ubuntu.com/hsbc.krysztau)
>> however I fear that I am a bit of an outlier and most people will run a
>> banking application without first reading the packaging source and checking
>> for evil stuff.
>>
>> Perhaps it would be an idea to have a manual review process for webapps
>> that insert stuff where the developer can't prove that they control the
>> website in question.
>
>
> Yep, definitely a good idea. Thanks Alan! We have a set of checks for
> this script injection kit, from its desktop beginnings.
>
> However, that should mostly flag common attack vectors. Checking the
> identity of the author / publisher of an app still is a key factor in
> deciding whether to trust it with your online credentials.
>
> David

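An automated store-side check of the kind discussed in this thread could look like the following. It is an added example, not code from any poster or from the store's review tools. It assumes an unpacked package directory, that injected scripts are listed under a `scripts` key in webapp-properties.json, and that the search path is relative to the package root; `review_webapp`, `build_sample` and the sample hosts are hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path

EXEC = re.compile(r"(?m)^Exec=.*webapp-container.*--webappModelSearchPath=(\S+)")

def review_webapp(pkg_dir):
    """Return (code, detail) findings for one unpacked webapp package."""
    pkg = Path(pkg_dir).resolve()
    findings = []
    for desktop in sorted(pkg.rglob("*.desktop")):
        for match in EXEC.finditer(desktop.read_text(errors="replace")):
            # Assumption: the search path is relative to the package root.
            model_dir = (pkg / match.group(1)).resolve()
            props = model_dir / "webapp-properties.json"
            if not props.is_file():
                continue
            try:
                # Assumption: injected scripts are listed under "scripts".
                scripts = json.loads(props.read_text()).get("scripts") or []
            except (ValueError, AttributeError):
                findings.append(("unparsable-properties", props.name))
                continue
            for script in map(str, scripts):
                if re.match(r"[A-Za-z][A-Za-z0-9+.-]*:|//", script):
                    findings.append(("remote-script", script))
                elif pkg not in (model_dir / script).resolve().parents:
                    findings.append(("script-outside-package", script))
                else:
                    findings.append(("packaged-script", script))
            if scripts:
                findings.append(("manual-review", desktop.name))
    return findings

def build_sample(root):
    """Write a constructed sample package into root and return its path."""
    root = Path(root)
    (root / "bank.desktop").write_text(
        "[Desktop Entry]\nExec=webapp-container --webappModelSearchPath=. "
        "https://bank.example/\n")
    (root / "webapp-properties.json").write_text(json.dumps(
        {"scripts": ["inject.js", "https://cdn.example/extra.js", "../../x.js"]}))
    (root / "inject.js").write_text("// constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(review_webapp(build_sample(tmp)))
```

A `remote-script` finding marks a script whose content cannot be reviewed from the package itself, and any package with a `manual-review` finding is one that would be routed to a human reviewer.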