ubuntu-phone team mailing list archive
-
ubuntu-phone team
-
Mailing list archive
-
Message #12088
Re: webapps and script injection
On Mon, Apr 13, 2015 at 2:50 PM, Marc Deslauriers <
marc.deslauriers@xxxxxxxxxxxxx> wrote:
> On 2015-04-10 06:15 PM, Alan Bell wrote:
> > Hi all,
> >
> > there is a somewhat sparsely documented feature of webapps that allow
> you to
> > specify --webappModelSearchPath=. as a parameter of webapp-container in
> the
> > .desktop file and have a file called webapp-properties.json in the
> project. This
> > can specify a script to be loaded into the webapp, which you can also
> put in the
> > package or possibly on a remote server, an example of this can be found
> here
> > http://bazaar.launchpad.net/~sil/+junk/seshat/files
> >
> > Now this got me thinking about all the awesome stuff I could do with
> this, I
> > could write a webapp that wraps my online banking and paypal and then it
> scrapes
> > the statements and offers to reconcile stuff against my Odoo server or
> > something. Awesome. Someone else could do this too, and write a webapp
> that
> > wraps a bank and does evil stuff, this would then instantly pass all the
> > automated tests and be published in the store ready for people to start
> using.
> > This is a bit of a worry. I did install the HSBC app when I got the
> phone, but I
> > didn't run it until today when I figured out how to read the source (it
> is in
> > /opt/click.ubuntu.com/hsbc.krysztau) however I fear that I am a bit of
> an
> > outlier and most people will run a banking application without first
> reading the
> > packaging source and checking for evil stuff.
> >
> > Perhaps it would be an idea to have a manual review process for webapps
> that
> > insert stuff where the developer can't prove that they control the
> website in
> > question.
>
> There's absolutely nothing preventing a developer from doing whatever they
> want
> in their app, including malicious stuff. Even if we were to limit what the
> webapp binary allows, a developer can simply bundle their own, or simply
> write
> an app that pretends to be the actual website.
>
> When you download something from the store, you are trusting the developer
> of
> that app, it's as simple as that.
>
Exactly, ...
in this context, the listed "extra measures" are not stoppers, but do help
in mitigate the issue,
References