ubuntu-phone team mailing list archive

Re: webapps and script injection

 

I'm not sure user descriptions will be much use - for developers and/or tech savvy people, certainly - but for everyone else? Simply look at the android store to see how happy people are to install apps that ask for dodgy permissions. For what it's worth, I think this should be fixed developer side before it hits the streets.

Another question re security for webapps - url-dispatcher. Whilst I'm loving using this, it's also clear how easy it is to create a webapp that redirects traffic from other places, such as scopes. While I'm making a point of listing when I use this (and telling users not to install the app if they want to view said content in their browser), there's currently no requirement to do this. Sure, users can simply uninstall an app if it's giving them problems, but it seems that it would also be easy to create a malicious app that 'redirects' lots of urls, and potentially injects scripts into them from there. Even without script injection this could be annoying...

Are there any processes in place to stop this from happening?

Cheers,

Mitchell

On 14/04/15 04:06, Alexandre Abreu wrote:
Hi Alan,

as David just said, we indeed have short term plans to move in that direction. At the moment, any webapp is "shielded" by 3 layers of security measures:

- the scripts are not injected in the same JS world as the webpage's (they only share the DOM),
- they are subject to the same CORS, etc. security rules provided by the webview context,
- the clicks are shielded at the system level by apparmor,

we did internally set up specific processes and documents to review webapps that do use scripts, and have automated scripts to review them and catch as many potentially harmful situations as possible; those are in the process of being deployed. We also discussed (and this is the direction things are going) making those webapps automatically go through a manual review and be flagged as such.

We also discussed potential updates to the click description/user warnings etc. to make sure the user is well aware of those upon installation,

I hope it clarifies the roadmap for those :)


On Mon, Apr 13, 2015 at 11:40 AM, David Barth <david.barth@xxxxxxxxxxxxx> wrote:

    On Sat, Apr 11, 2015 at 12:15 AM, Alan Bell <alanbell@xxxxxxxxxx> wrote:

        Hi all,

        there is a somewhat sparsely documented feature of webapps
        that allows you to specify --webappModelSearchPath=. as a
        parameter of webapp-container in the .desktop file and have a
        file called webapp-properties.json in the project. This can
        specify a script to be loaded into the webapp, which you can
        also put in the package or possibly on a remote server, an
        example of this can be found here
        http://bazaar.launchpad.net/~sil/+junk/seshat/files

        Now this got me thinking about all the awesome stuff I could
        do with this, I could write a webapp that wraps my online
        banking and paypal and then it scrapes the statements and
        offers to reconcile stuff against my Odoo server or something.
        Awesome. Someone else could do this too, and write a webapp
        that wraps a bank and does evil stuff, this would then
        instantly pass all the automated tests and be published in the
        store ready for people to start using. This is a bit of a
        worry. I did install the HSBC app when I got the phone, but I
        didn't run it until today when I figured out how to read the
        source (it is in /opt/click.ubuntu.com/hsbc.krysztau) however I
        fear that I am a bit of an outlier and most people will run a banking
        application without first reading the packaging source and
        checking for evil stuff.

        Perhaps it would be an idea to have a manual review process
        for webapps that insert stuff where the developer can't prove
        that they control the website in question.


    Yep, definitely a good idea. Thanks Alan! We have a set of
    checks for this script injection kit, from its desktop beginnings.

    However, that should mostly flag common attack vectors. Checking
    the identity of the author / publisher of an app still is a key
    factor in deciding whether to trust it with your online credentials.

    David

    --
    Mailing list: https://launchpad.net/~ubuntu-phone
    Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
    Unsubscribe : https://launchpad.net/~ubuntu-phone
    More help   : https://help.launchpad.net/ListHelp






