Hi Alan,

as David just said, we indeed have short-term plans to move in that
direction. At the moment, any webapp is "shielded" by 3 layers of
security measures:
- the scripts are not injected in the same JS world as the webpage's
  (only share the DOM),
- they are subject to the same CORS, etc. security rules provided by
  the webview context,
- the clicks are shielded at the system level by AppArmor.

We did internally set up specific processes and documents to review
webapps that do use scripts, and have automated scripts to review them
and catch as many potentially harmful situations as possible; those are
in the process of being deployed. We also discussed (and this is the
direction of how things are going) making those webapps automatically
go through a manual review and be flagged as such.

We also discussed potential updates to the click description/user
warnings etc. to make sure the user is well aware of those upon
installation.

I hope it clarifies the roadmap for those :)

On Mon, Apr 13, 2015 at 11:40 AM, David Barth <david.barth@xxxxxxxxxxxxx> wrote:

> On Sat, Apr 11, 2015 at 12:15 AM, Alan Bell <alanbell@xxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > there is a somewhat sparsely documented feature of webapps
> > that allows you to specify --webappModelSearchPath=. as a
> > parameter of webapp-container in the .desktop file and have a
> > file called webapp-properties.json in the project. This can
> > specify a script to be loaded into the webapp, which you can
> > also put in the package or possibly on a remote server, an
> > example of this can be found here
> > http://bazaar.launchpad.net/~sil/+junk/seshat/files
> >
> > Now this got me thinking about all the awesome stuff I could
> > do with this, I could write a webapp that wraps my online
> > banking and PayPal and then it scrapes the statements and
> > offers to reconcile stuff against my Odoo server or something.
> > Awesome. Someone else could do this too, and write a webapp
> > that wraps a bank and does evil stuff, this would then
> > instantly pass all the automated tests and be published in the
> > store ready for people to start using. This is a bit of a
> > worry. I did install the HSBC app when I got the phone, but I
> > didn't run it until today when I figured out how to read the
> > source (it is in /opt/click.ubuntu.com/hsbc.krysztau); however, I
> > fear that I am a bit of an outlier and most people will run a
> > banking application without first reading the packaging source
> > and checking for evil stuff.
> >
> > Perhaps it would be an idea to have a manual review process
> > for webapps that insert stuff where the developer can't prove
> > that they control the website in question.
>
> Yep, definitely a good idea. Thanks Alan! We have a set of
> checks for this script injection kit, from its desktop beginnings.
> However, that should mostly flag common attack vectors. Checking
> the identity of the author / publisher of an app still is a key
> factor in deciding whether to trust it with your online credentials.
>
> David

--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help : https://help.launchpad.net/ListHelp
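
An added example, not part of the thread and not the store's own review tooling: a sketch of the kind of automated check discussed above, which routes a package to manual review when a `.desktop` file passes `--webappModelSearchPath` and the `webapp-properties.json` found there loads scripts. The `scripts` key name, the search path being relative to the package root, and all sample file names and URLs are assumptions.

```python
import json
import shlex
import tempfile
from pathlib import Path

FLAG = "--webappModelSearchPath"
PROPS = "webapp-properties.json"

def model_search_paths(desktop_file):
    """Yield each directory given to webapp-container via FLAG on an Exec= line."""
    for line in desktop_file.read_text(encoding="utf-8").splitlines():
        if not line.startswith("Exec=") or "webapp-container" not in line:
            continue
        for arg in shlex.split(line[len("Exec="):]):
            if arg.startswith(FLAG + "="):
                yield arg.split("=", 1)[1]

def review_package(root):
    """Return (desktop file, finding, detail) tuples; any tuple means manual review."""
    root = Path(root).resolve()
    findings = []
    for desktop in sorted(root.rglob("*.desktop")):
        for rel in model_search_paths(desktop):
            props = (root / rel / PROPS).resolve()  # assumption: relative to package root
            if root not in props.parents:
                findings.append((desktop.name, "search path outside package", rel))
                continue
            try:
                data = json.loads(props.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                findings.append((desktop.name, "unreadable properties file", rel))
                continue
            scripts = data.get("scripts", []) if isinstance(data, dict) else []  # assumed key
            for script in (scripts if isinstance(scripts, list) else [scripts]):
                kind = "remote script" if "://" in str(script) else "bundled script"
                findings.append((desktop.name, kind, str(script)))
    return findings

def demo():
    """Review a constructed sample package (file names and URLs are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "bank.desktop").write_text(
            "[Desktop Entry]\nExec=webapp-container --webappModelSearchPath=. https://bank.example/\n")
        (pkg / PROPS).write_text('{"scripts": ["inject.js", "https://cdn.example/x.js"]}')
        (pkg / "plain.desktop").write_text("[Desktop Entry]\nExec=webapp-container https://news.example/\n")
        return review_package(pkg)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A remote script deserves the closest look in review, since its content can change after the package has been approved.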