ubuntu-phone team mailing list archive
Message #12097
Re: webapps and script injection
On 13/04/15 16:40, David Barth wrote:
> Yep, definitely a good idea. Thanks Alan! We have a set of checks
> for this script injection kit, from its desktop beginnings.
> However, that should mostly flag common attack vectors. Checking the
> identity of the author / publisher of an app still is a key factor in
> deciding whether to trust it with your online credentials.
> David
Yeah, checking the identity is a key factor, and I did spot that this
particular app was published by "Chris" and not by HSBC, however I bet
most people just don't get the distinction and look at the logo and app
name then treat "HSBC" as the identity to trust.
I don't know what the answer is really, perhaps there could be some kind
of verified logo, like Twitter verified accounts for things that are
published by people who can jump through some extra hoop (like proving
they own the domain, or are a prolific developer of good apps, or for
apps that have gone through a manual review). I would just like there to
be something in place before a bad app gets put in the store and a bunch
of PayPal accounts get cleaned out before anyone figures out what is
going on.
Alan.