ubuntu-phone team mailing list archive

Thread
Date

Re: webapps and script injection

To: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
From: Alexandre Abreu <alexandre.abreu@xxxxxxxxxxxxx>
Date: Mon, 13 Apr 2015 16:55:37 -0400
Cc: Ubuntu Phone List <ubuntu-phone@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <552C0FE6.5000000@canonical.com>

On Mon, Apr 13, 2015 at 2:50 PM, Marc Deslauriers <
marc.deslauriers@xxxxxxxxxxxxx> wrote:

> On 2015-04-10 06:15 PM, Alan Bell wrote:
> > Hi all,
> >
> > there is a somewhat sparsely documented feature of webapps that allow
> you to
> > specify --webappModelSearchPath=. as a parameter of webapp-container in
> the
> > .desktop file and have a file called webapp-properties.json in the
> project. This
> > can specify a script to be loaded into the webapp, which you can also
> put in the
> > package or possibly on a remote server, an example of this can be found
> here
> > http://bazaar.launchpad.net/~sil/+junk/seshat/files
> >
> > Now this got me thinking about all the awesome stuff I could do with
> this, I
> > could write a webapp that wraps my online banking and paypal and then it
> scrapes
> > the statements and offers to reconcile stuff against my Odoo server or
> > something. Awesome. Someone else could do this too, and write a webapp
> that
> > wraps a bank and does evil stuff, this would then instantly pass all the
> > automated tests and be published in the store ready for people to start
> using.
> > This is a bit of a worry. I did install the HSBC app when I got the
> phone, but I
> > didn't run it until today when I figured out how to read the source (it
> is in
> > /opt/click.ubuntu.com/hsbc.krysztau) however I fear that I am a bit of
> an
> > outlier and most people will run a banking application without first
> reading the
> > packaging source and checking for evil stuff.
> >
> > Perhaps it would be an idea to have a manual review process for webapps
> that
> > insert stuff where the developer can't prove that they control the
> website in
> > question.
>
> There's absolutely nothing preventing a developer from doing whatever they
> want
> in their app, including malicious stuff. Even if we were to limit what the
> webapp binary allows, a developer can simply bundle their own, or simply
> write
> an app that pretends to be the actual website.
>
> When you download something from the store, you are trusting the developer
> of
> that app, it's as simple as that.
>

Exactly, ...

in this context, the listed "extra measures" are not stoppers, but do help
in mitigate the issue,

References

webapps and script injection
From: Alan Bell, 2015-04-10
Re: webapps and script injection
From: Marc Deslauriers, 2015-04-13