ubuntu-phone team mailing list archive
Message #12087
Re: webapps and script injection
On 2015-04-10 06:15 PM, Alan Bell wrote:
> Hi all,
>
> there is a somewhat sparsely documented feature of webapps that allows you to
> specify --webappModelSearchPath=. as a parameter of webapp-container in the
> .desktop file and have a file called webapp-properties.json in the project. This
> can specify a script to be loaded into the webapp, which you can also put in the
> package or possibly on a remote server; an example of this can be found here:
> http://bazaar.launchpad.net/~sil/+junk/seshat/files
>
> Now this got me thinking about all the awesome stuff I could do with this, I
> could write a webapp that wraps my online banking and paypal and then it scrapes
> the statements and offers to reconcile stuff against my Odoo server or
> something. Awesome. Someone else could do this too, and write a webapp that
> wraps a bank and does evil stuff; this would then instantly pass all the
> automated tests and be published in the store ready for people to start using.
> This is a bit of a worry. I did install the HSBC app when I got the phone, but I
> didn't run it until today when I figured out how to read the source (it is in
> /opt/click.ubuntu.com/hsbc.krysztau); however, I fear that I am a bit of an
> outlier and most people will run a banking application without first reading the
> packaging source and checking for evil stuff.
>
> Perhaps it would be an idea to have a manual review process for webapps that
> insert stuff where the developer can't prove that they control the website in
> question.
There's absolutely nothing preventing a developer from doing whatever they want
in their app, including malicious stuff. Even if we were to limit what the
webapp binary allows, a developer can simply bundle their own, or simply write
an app that pretends to be the actual website.
When you download something from the store, you are trusting the developer of
that app; it's as simple as that.
Marc.
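An added example, not code from this thread or from the webapp-container project: a small Python audit of the kind Alan describes doing by hand, which walks an unpacked click package (such as one under /opt/click.ubuntu.com), finds launchers that pass --webappModelSearchPath to webapp-container, and reports which scripts the matching webapp-properties.json would inject, separating local files from remote URLs. It assumes the script list lives under an "includes" key and that the search path is relative to the package root; the bank.desktop launcher and the bank.example / cdn.example values are constructed for the demo.

```python
import json
import shlex
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Added example, not code from the thread. Assumes --webappModelSearchPath=<dir>
# is relative to the package root and scripts are listed under "includes".
FLAG = "--webappModelSearchPath="

def launcher_search_paths(desktop_text):
    """Return every --webappModelSearchPath value on a webapp-container Exec= line."""
    paths = []
    for line in desktop_text.splitlines():
        if line.startswith("Exec=") and "webapp-container" in line:
            for arg in shlex.split(line[len("Exec="):]):
                if arg.startswith(FLAG):
                    paths.append(arg[len(FLAG):])
    return paths

def split_includes(props_text):
    """Split the "includes" list into (local, remote) script references."""
    includes = json.loads(props_text).get("includes", [])
    remote = [s for s in includes if urlparse(s).scheme in ("http", "https")]
    return [s for s in includes if s not in remote], remote

def audit_click_package(pkg_dir):
    """Report, per webapp-container launcher, which scripts get injected."""
    pkg = Path(pkg_dir)
    report = []
    for desktop in sorted(pkg.rglob("*.desktop")):
        for search_path in launcher_search_paths(desktop.read_text()):
            props = pkg / search_path / "webapp-properties.json"
            local, remote = (split_includes(props.read_text())
                             if props.is_file() else ([], []))
            report.append({"launcher": desktop.name, "model": search_path,
                           "local": local, "remote": remote})
    return report

def demo():
    """Run the audit over a constructed package tree (not a real store app)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bank.desktop").write_text(
            "[Desktop Entry]\nName=Bank\nType=Application\n"
            "Exec=webapp-container --webappModelSearchPath=. https://bank.example/\n")
        (root / "webapp-properties.json").write_text(json.dumps({
            "name": "Bank", "domain": "bank.example",
            "includes": ["scripts/ui.js", "https://cdn.example/inject.js"]}))
        return audit_click_package(tmp)
```

Any entry with a non-empty "remote" list is the case Alan worries about: the page the user sees can be rewritten by a script fetched from a server the package does not ship, so the installed source alone no longer tells you what the app does.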