Security/B2G/2013 2 13

FirefoxOS Security Team Meeting

1pm PST, B2G Vidyo room Prior notes are here: https://wiki.mozilla.org/Security/B2G/2013_2_6

News

• Work being done investigating geolocation data
• UI - get UI

Upcoming features:

• Simple Push

Current/upcoming Reviews

High Priority:

• Browser API - Pauljt, WIP
• Tethering - anyone have time to look at this? dchan
• Gaia: Document a combined review/close these out somehow?
• Web Activities (including system activities) - document and close out. pauljt

Goal Status Updates

1. FirefoxOS related security reviews (owner: pauljt)

• Gecko: 18 bugs remaining:

https://bugzilla.mozilla.org/showdependencytree.cgi?id=754730&maxdepth=1&hide_resolved=1

• Gaia: 14 bug remaining:

https://bugzilla.mozilla.org/showdependencytree.cgi?id=748190&maxdepth=1&hide_resolved=1

2. Document Firefox OS Security (owner: dchan)

Draft Plan: https://security.etherpad.mozilla.org/MDN-Firefox-OS

• mgoodwin has been testing the build documentation instructions
  • Put marionette at top of doc testing list
• dchan still has to send out the doc list, will do after this meeting

3. Develop and land tests for security features (owner: dchan)

No updates

4.Engage communities & third-parties for Firefox OS security review and testing (owner: pauljt)

Draft Plan: https://etherpad.mozilla.org/foxhunt

5. Drive OS-layer security improvement (owner: kang)

No updates. Opsec marketplace taking prio til completed.

6. Secure app developer/reviewer guidelines/tools (owner: rforbes)

Other Items

• Automate XSS fuzzing - mgoodwin to investigate

freddy jumping in to static analysis stuff to rewrite potentially insecure calls (e.g. innerHTML)