Security/Reviews/B2GAppUpdates

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

B2G AppUpdates
Target 
   
     Full Query
ID Summary Priority Status
804049 [Security Review] App Updates for B2G P2 RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

The given value "
   
     Full Query
ID Summary Priority Status
804049 [Security Review] App Updates for B2G P2 RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Process-

Hosted App

  • (manifest hosted on the applications server)
  • manifest just gets downloaded and update gets applied (ie update the webapps registry)

HostedApp with appcache

  • (manifest hosted on the applications server)

Packaged App

  • (manifest hosted on the marketplace server)

https://wiki.mozilla.org/Reviews/B2G/AppUpdates gaia.system.checkForUpdates Open Question: Is there no time-based check for app updates? If not why not?

  • Where are the manifest hosted - anywhere for hosted, packaged at marketplace
  • Can you apply signed app udpates to another app (or what stops this)
  1. . A file (sigFilename) containing the RSA certificate data
  2. . The signature digest (sfFileName), verified by #1
  3. . A manifest file containing all the files that must be "signed" and their digests (mfFilename)

[1] - Loading the RSA certificate data http://mxr.mozilla.org/mozilla-cent ral/source/security/manager/ssl/src/JARSignatureVerification.cpp#558 [2] - Verify signature of SF file http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#588 [3] - Verify digest of manifest file http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#616 [4] - Verify that digest of each file specified by manifest file is correct http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#628 http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#443

What solutions/approaches were considered other than the proposed solution?

`

Why was this solution chosen?

`

Any security threats already considered in the design and why?

  • App isn't updated in a timely manner
    • what could cause the initial update check to fail?
      • What about if the update manifest is accidentally included in an appcache?
        • imho it can't
      • Other possible DoS scenarios? Version number corruption?
        • we don't care about the actual version, this is only used to change the webapp manifest
    • Check to make sure people dont appcache their update manifest (appstore-side)
    • Relying on the app to update itself, need to check update cadence in review process
  • Unsigned update gets applied?
    • app updates are signed for packaged apps. Hosted apps are not installed, and are at risk, but same model as the web. (i.e. use SSL to protect content integrity)
    • if I am not wrong, app updates are not necessarily signed, but they can be
  • Wrong app gets updated?
    • Currently a compromised process could spoof the input parameter to checkForUpdate, so an app could trigger an update for another app. But the update code retrieves the app to update based on the manifest, and so while a compromised process could trigger updates for other apps, it can't provide any malicious parameters to that update. See bug 820206 for more info on attacks related to spoofing webapps:* system messages. But I dont think there is an issue here.
  • Partial update makes app unusable
    • Can an app be half updated? (appcache yes? packaged no?)
    • Power loss while copying app files across ?
    • Check when delete old app happens?
  • App update is incompatible with the underlying gecko version?
    • how do we address this? (not really a security issue though)
    • probably ignore this, it same problem as person no applying system updates
  • Signed update gets applied to the wrong app?
    • Can this happen? Are signatures per domain/manifest/what? IE could one signed appupdate be somehow applied over another app somehow?
  • An old update get applied (perhaps introducing a security vulnerability)
  • download the update, but dont apply it?

Threat Brainstorming

'

  • Property "SecReview feature goal" (as page type) with input value "Process-

    Hosted App

    • (manifest hosted on the applications server)
    • manifest just gets downloaded and update gets applied (ie update the webapps registry)

    HostedApp with appcache

    • (manifest hosted on the applications server)

    Packaged App

    • (manifest hosted on the marketplace server)

    https://wiki.mozilla.org/Reviews/B2G/AppUpdates gaia.system.checkForUpdates Open Question: Is there no time-based check for app updates? If not why not?

    • Where are the manifest hosted - anywhere for hosted, packaged at marketplace
    • Can you apply signed app udpates to another app (or what stops this)
    1. . A file (sigFilename) containing the RSA certificate data
    2. . The signature digest (sfFileName), verified by #1
    3. . A manifest file containing all the files that must be "signed" and their digests (mfFilename)

    [1] - Loading the RSA certificate data http://mxr.mozilla.org/mozilla-cent ral/source/security/manager/ssl/src/JARSignatureVerification.cpp#558 [2] - Verify signature of SF file http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#588 [3] - Verify digest of manifest file http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#616 [4] - Verify that digest of each file specified by manifest file is correct http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#628

    http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/JARSignatureVerification.cpp#443" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
  • Property "SecReview threats considered" (as page type) with input value "*App isn't updated in a timely manner
      • what could cause the initial update check to fail?
        • What about if the update manifest is accidentally included in an appcache?
          • imho it can't
        • Other possible DoS scenarios? Version number corruption?
          • we don't care about the actual version, this is only used to change the webapp manifest
      • Check to make sure people dont appcache their update manifest (appstore-side)
      • Relying on the app to update itself, need to check update cadence in review process
    • Unsigned update gets applied?
      • app updates are signed for packaged apps. Hosted apps are not installed, and are at risk, but same model as the web. (i.e. use SSL to protect content integrity)
      • if I am not wrong, app updates are not necessarily signed, but they can be
    • Wrong app gets updated?
      • Currently a compromised process could spoof the input parameter to checkForUpdate, so an app could trigger an update for another app. But the update code retrieves the app to update based on the manifest, and so while a compromised process could trigger updates for other apps, it can't provide any malicious parameters to that update. See bug 820206 for more info on attacks related to spoofing webapps:* system messages. But I dont think there is an issue here.
    • Partial update makes app unusable
      • Can an app be half updated? (appcache yes? packaged no?)
      • Power loss while copying app files across ?
      • Check when delete old app happens?
    • App update is incompatible with the underlying gecko version?
      • how do we address this? (not really a security issue though)
      • probably ignore this, it same problem as person no applying system updates
    • Signed update gets applied to the wrong app?
      • Can this happen? Are signatures per domain/manifest/what? IE could one signed appupdate be somehow applied over another app somehow?
    • An old update get applied (perhaps introducing a security vulnerability)
    • download the update, but dont apply it?" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
* Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
    • Confirm the update UI for pure hosted apps (ie no appcacheache)

--> [jsmith] Just tested, no UI shown, update is automatically applied

    • Storage permission could be granted by MITM to a hosted app not using SSL. This grants unlimited storage, so the MITM could then try to fill up the disk.
    • Add UI the source of the app (install and app info section, under permission)
--> install prompt bug might be https://bugzilla.mozilla.org/show_bug.cgi?id=827562
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Reviews/B2GAppUpdates&oldid=505624"