Security/Reviews/Campaign management

From MozillaWiki

Item Reviewed

Campaign management / product announcements for Firefox for Android
Target

Full Query
ID      Summary                                                                                 Priority  Status
774497  [meta] Android product announcements                                                    P1        RESOLVED
789296  [Security Review] Campaign management / product announcements for Firefox for Android   P1        RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

https://wiki.mozilla.org/User:Mconnor/Current/Snippets_Service

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • engage with users who are not using Firefox on Android
    • the app is installed but not being used
    • gives them some content to try and encourage them to use Firefox
  • messages tailored in various ways to appeal to the user
    • days idle, handset, etc.
      • Where do we get the info on how many days idle, etc.?
        • Computed by the client - we'd like to use the info from the client - we can choose what to show based on rules still to be decided.
  • Intended to use Android notifications - using the b+w Firefox icon, a title, short description and URL. Tapping opens Firefox to that URL.
  • 3 questions
    • How do we get things onto the device?
      • Product read about Google Cloud Messaging and wanted to use it... The actual use case is "we want to show stuff on the device" - this doesn't need Google Cloud Messaging. All we really want is to pull snippets.
        • Pulled by client - hits a statically defined (overridden by pref) URL with some data. - Only omission identified so far is the Android API version.
        • This sends some info on the device (see mconnor's spec above)
        • Fetching is triggered by a background alarm process, based on 3 criteria: Is Firefox running? Is the SD card reconnected? Is the system booting? There's a checkbox which overrides this.
    • How is the pref obtained from Firefox by the service?
      • A background Gecko process is run; it uses broadcast intents to send a pref-changed message
    • How many people see and act on it?
      • We can see how many see it based on the requests we get for the snippets. When they tap, we redirect and we get another request to measure.
      • From these 2 sources we can see the numbers of people who see and who act on campaigns
  • Connection questions
    • Is the connection to the snippet service over SSL? Yes, it should be.
    • Are the domains mentioned above the final values? No, arbitrary.

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?

  • talking to the correct snippet server?
    • How do we make sure it's the correct URL?
      • There are 2 ways this can be written - we add a feature to Fennec to write it
      • You jump through hoops to use an add-on to do this for you (via Java / JNI, etc.).
  • What about MITM between device and snippet server?
    • Can we make sure that the snippet URLs use allowed schemes (in this case, HTTP / HTTPS)?
    • Might it help to whitelist domains? Probably not...
    • The redirect URL may be known - is there anything people can do by pinging this themselves?
      • The URL contains a nonce which should reduce the likelihood of this (time, plus random element)
    • Snippets in the sample spec show 4 attributes - you'll be looking for items by name - unknown items won't be looked at.
    • Character sets? UTF-8
  • rogue snippets?
  • How about Android malware that generates the same messages to the snippets client? Malicious Android apps can do far worse things.
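The mitigations the two sections above settle on (SSL-only poll, allowed URL schemes, lookup by the four known attribute names with unknown items ignored, strict UTF-8, and a time-plus-random nonce on the measurement redirect) are small enough to show end to end. The following is an added example written for this review page, not code from Fennec or from the snippet service: the JSON field names, the example.invalid hosts, and the server-side replay/freshness check on the nonce are assumptions, since mconnor's spec is only linked here, not reproduced.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample response. The real format is in mconnor's spec (linked above);
# this page only says "4 attributes, looked up by name", so the field names are assumed.
SAMPLE_RESPONSE = b"""[
  {"name": "welcome_back", "title": "Welcome back", "text": "Try tabbed browsing",
   "url": "https://snippets.example.invalid/r/tabs", "unknown_field": 1},
  {"name": "bad_scheme", "title": "Nope", "text": "x", "url": "javascript:void(0)"},
  {"name": "sync", "title": "Sync", "text": "Set up Sync",
   "url": "http://snippets.example.invalid/r/sync"},
  {"title": "no name", "text": "dropped", "url": "https://snippets.example.invalid/r/x"}
]"""

KNOWN_ATTRIBUTES = ("name", "title", "text", "url")  # the four attributes from the sample spec
ALLOWED_SCHEMES = ("http", "https")                   # schemes a snippet URL may use, per the review


def endpoint_is_acceptable(url):
    """The poll to the snippet service must be over SSL: accept only https:// endpoints."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def snippet_url_is_allowed(url):
    """Only http/https targets may be opened when the notification is tapped."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def parse_snippets(raw):
    """Decode a snippet response defensively.

    - strict UTF-8 (the agreed character set); undecodable or non-JSON bodies yield nothing
    - items are read by their known attribute names; unknown attributes are dropped
    - items missing a known attribute or carrying a disallowed URL scheme are skipped
    """
    try:
        items = json.loads(raw.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError):
        return []
    if not isinstance(items, list):
        return []
    accepted = []
    for item in items:
        if not isinstance(item, dict):
            continue
        if not all(isinstance(item.get(k), str) for k in KNOWN_ATTRIBUTES):
            continue
        if not snippet_url_is_allowed(item["url"]):
            continue
        accepted.append({k: item[k] for k in KNOWN_ATTRIBUTES})
    return accepted


def make_nonce(now, rand=None):
    """Nonce = time plus a random element, as the review describes; rand is injectable for tests."""
    rand = rand if rand is not None else secrets.token_hex(8)
    return f"{int(now)}.{rand}"


def make_redirect_url(base, snippet_name, now, rand=None):
    """Build the measurement redirect URL embedded in a snippet for a given tap."""
    parts = urlsplit(base)
    query = urlencode({"snippet": snippet_name, "nonce": make_nonce(now, rand)})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


class RedirectCounter:
    """Server side (assumed design): count a tap once per nonce, inside a freshness window,
    so that someone pinging a known redirect URL by hand does not inflate the numbers."""

    def __init__(self, max_age_seconds=3600):
        self.max_age = max_age_seconds
        self.seen = set()
        self.taps = {}

    def record(self, url, now):
        q = parse_qs(urlsplit(url).query)
        nonce = q.get("nonce", [""])[0]
        name = q.get("snippet", [""])[0]
        ts, _, rand = nonce.partition(".")
        if not ts.isdigit() or not rand or not name:
            return False
        if not (0 <= now - int(ts) <= self.max_age) or nonce in self.seen:
            return False
        self.seen.add(nonce)
        self.taps[name] = self.taps.get(name, 0) + 1
        return True


if __name__ == "__main__":
    print(endpoint_is_acceptable("http://snippets.example.invalid/fennec"))  # rejected: not SSL
    for s in parse_snippets(SAMPLE_RESPONSE):
        print(s["name"], "->", s["url"])
```

The client-side half never trusts anything outside the four named attributes, which is what "unknown items won't be looked at" buys in practice; the server-side half turns the nonce from a guessability argument into a concrete check (a nonce is accepted once, and only while fresh). The freshness window and the seen-set are choices for this example, not something the review specifies.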

Threat Brainstorming


Action Items

Action Item Status: In Progress
Release Target:
Action Items:
  • Snippet poll must be over SSL - let's make sure.