
ubuntu-phone team mailing list archive

Re: webapps and script injection

 

On 13/04/15 16:40, David Barth wrote:

Yep, definitely a good idea. Thanks Alan! We have a set of checks for this script injection kit, from its desktop beginnings.

However, that should mostly flag common attack vectors. Checking the identity of the author / publisher of an app still is a key factor in deciding whether to trust it with your online credentials.

David

Yeah, checking the identity is a key factor, and I did spot that this particular app was published by "Chris" and not by HSBC, however I bet most people just don't get the distinction and look at the logo and app name then treat "HSBC" as the identity to trust.

I don't know what the answer is really, perhaps there could be some kind of verified logo, like Twitter verified accounts for things that are published by people who can jump through some extra hoop (like proving they own the domain, or are a prolific developer of good apps, or for apps that have gone through a manual review). I would just like there to be something in place before a bad app gets put in the store and a bunch of PayPal accounts get cleaned out before anyone figures out what is going on.

Alan.

