Security/B2G/2013 10 29

From MozillaWiki
< Security‎ | B2G
Jump to: navigation, search

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_10_22

News

  "The problem is not a vulnerability in iOS itself but a coding weakness on the part
   of the developer." per the article. Using TLS prevents the attack.
   insecure HTTP web apps (or packaged apps loading http resources) could
   be vulnerable.
   -- is there no way to clear the cache or cookies on Firefox OS?!
   * I think we treat 301 more like 302, we make no effort to remember permanently
     beyond the lifetime of the cache entry

- sandbox enabled on 1.2 geeksphone

   - goal is for 1.3 for other phones
   - jld working on fixing bugs

- need to fix emulator

   - tests don't correctly catch errors on try
   - bug to update emulator kernel (required for seccomp)
       - https://bugzilla.mozilla.org/show_bug.cgi?id=908659
   

stephanie's updates

  • overview of fxos security docs on the wiki https://etherpad.mozilla.org/7QQnGXrez2
  • 1.2 branched yesterday
  • [cr] feature proposals:
    • "lock to app"
      • enabled via long power button push menu
      • require PIN to switch to different app
      • like a poor-man's guest mode
    • "phone grab lock" theft mitigation
      • phone locks if accelerometer detects shakes, locking out thieves in phone grab scenarios
      • common attack. had that happen to a friend in Berlin
  • [cr] first fxos malware claim emerged
    • (mostly) see last week's meeting, but now there is a mozilla security blog post proposal currently under review

visibility at Engineering meeting? https://wiki.mozilla.org/Platform/2013-10-29

- component owners for b2g

   - https://etherpad.mozilla.org/component-owners

haida roadmap https://wiki.mozilla.org/FirefoxOS/Haida https://etherpad.mozilla.org/haida-summit

Weekly goals

  • rfletcher looks at bluetooth in fxos and buffer overflow risks
  • stephanie wants to look at the system app and haida
  • freddy will have to work on his backlog of web security reviews

Goal Status Updates

  • [cr] marketplace tools - challenge getting developer time
    • kill switch (in progress)
    • blacklisting URLs
    • suggested regular marketplace/security strategy meeting, dbialer will suggest a time
  • [cr] integrate key material in contacts
    • ongoing design phase, internal rfc coming up