Security/Reviews/Packaged Apps

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

Packaged Apps: Signing & Revocation
Target
   
     Full Query    
ID Summary Priority Status
772365 Implement signing mechanism for packaged apps P1 VERIFIED
816282 SecReview: Implement signing mechanism for packaged apps P1 RESOLVED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);

Spec document: https://wiki.mozilla.org/Apps/PrivilegedApplication/SigningService
The given value "
   
     Full Query    
ID Summary Priority Status
772365 Implement signing mechanism for packaged apps P1 VERIFIED
816282 SecReview: Implement signing mechanism for packaged apps P1 RESOLVED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);

Spec document: https://wiki.mozilla.org/Apps/PrivilegedApplication/SigningService" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • reuse xpi signing for apps in B2G
    • same bits we are using for signing receipts

Signing parts:

  • Server Side
    • How do we control signing (access to signing machine)?
    • How do we deal with multiple signing (signing many apps) Is it manual?
      • Marketplace
      • Client

Reviewers get/generate a test cert

  • tool to install cert into the phone
  • tool to sign using that cert
  • after review the reviewer-signed app is sent to marketplace
  • marketplace verifies reviewer's signature and logs who signed which app
  • marketplace re-signs the app and puts it in the store.

Install:

  • download zip
  • check signature
  • if no sig max privilege is "installed"
  • if there's a valid signature max priv is "trusted"
  • if the signature is invalid the app is not installed
  • process manifest requested permissions limited by max priv
  • signature never used again until we update that app

What solutions/approaches were considered other than the proposed solution?

`

Why was this solution chosen?

`

Any security threats already considered in the design and why?

`

Threat Brainstorming

  • Receipts signing certs were rotated to avoid people signing receipts for ever. What happens if someone gets access to the certs? Do we have a plan for revocation?
    • re-sign all the apps
    • push a firmware update to revoke the cert
  • Property "SecReview feature goal" (as page type) with input value "* reuse xpi signing for apps in B2G
      • same bits we are using for signing receipts

    Signing parts:

    • Server Side
      • How do we control signing (access to signing machine)?
      • How do we deal with multiple signing (signing many apps) Is it manual?
        • Marketplace
        • Client

    Reviewers get/generate a test cert

    • tool to install cert into the phone
    • tool to sign using that cert
    • after review the reviewer-signed app is sent to marketplace
    • marketplace verifies reviewer's signature and logs who signed which app
    • marketplace re-signs the app and puts it in the store.

    Install:

    • download zip
    • check signature
    • if no sig max privilege is "installed"
    • if there's a valid signature max priv is "trusted"
    • if the signature is invalid the app is not installed
    • process manifest requested permissions limited by max priv
    • signature never used again until we update that app" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "* Receipts signing certs were rotated to avoid people signing receipts for ever. What happens if someone gets access to the certs? Do we have a plan for revocation?
      • re-sign all the apps
      • push a firmware update to revoke the cert" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
* Our app "revocation" seems to depend on the app coming from the marketplace (not simply being signed by the marketplace). Nothing at the moment seems to stop a web-site from installing a copy of a marketplace-signed privileged app. (is that a problem?)
  • Marketplace team: Add a link to the mini-manifest inside the packaged. (Merge into bug 814131?)
  • Platform team (bsmith): require that mini-manifest link inside the signed JAR and make sure that the mini-manifest inside the JAR overrides the original (download) mini-manifest URI. (Merge into bug 814136?)