ubuntu-phone team mailing list archive

Thread
Date

Re: webapps and script injection

To: David Barth <david.barth@xxxxxxxxxxxxx>
From: Alan Bell <alanbell@xxxxxxxxxx>
Date: Tue, 14 Apr 2015 10:22:14 +0100
Cc: Ubuntu Phone <ubuntu-phone@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CALTgdmEJ2_DpvOg3eZn1mO0HhbviV6CxyWd1Eq9kNuDdYXvLMg@mail.gmail.com>
Sender: Alan Bell <alanbelltolc@xxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 13/04/15 16:40, David Barth wrote:

Yep, definitely a good idea. Thanks Alan! We have a set of checksfor this script injection kit, from its desktop beginnings.
However, that should mosty flag common attack vectors. Checking theidentity of the author / published of an app still is a key factor indeciding whether to trust it with your online credentials.
David

yeah, checking the identity is a key factor, and I did spot that thisparticular app was published by "Chris" and not by HSBC, however I betmost people just don't get the distinction and look at the logo and appname then treat "HSBC" as the identity to trust.

I don't know what the answer is really, perhaps there could be some kindof verified logo, like twitter verified accounts for things that arepublished by people who can jump through some extra hoop (like provingthey own the domain, or are a prolific developer of good apps, or forapps that have gone through a manual review). I would just like there tobe something in place before a bad app gets put in the store and a bunchof paypal accounts get cleaned out before anyone figures out what isgoing on.


Alan.

References

webapps and script injection
From: Alan Bell, 2015-04-10
Re: webapps and script injection
From: David Barth, 2015-04-13