Stéphanie Ouillon, irc: arroway stephouillon@mozilla.com

ISTIC, 9 mars 2016

2 years, 3 months, 2 weeks

Firefox OS phones

Breaking the duopoly

http://bgr.com

Free and Open Source software

The web is the platform.

Firefox OS phones

Packaged or hosted

manifest.webapp (version soft)

        {
          "name": "My App",
          "description": "My elevator pitch goes here",
          "launch_path": "/",
          "icons": { "128": "/img/icon-128.png" },
          "developer": {
            "name": "Your name or organization",
            "url": "http://your-homepage-here.org"
          }
        }

App manifest

Présentation par Julien Wajsberg et Jérémie Patonnier

Gecko: rendering engine

commons.wikimedia.org
Basic data flow
MDN
MDN
mozillamemes.tumblr.com
MDN

What kind of security?

Security by design

Security by obscurity

Open for users

...and developers

Debugger and root access

User-centric

With who?

Dev, UX, QA

Product, OEMs, carriers

How?

Feature design & implementation

Threat modeling

http://www.carmelowalsh.com

Doing a code review when...

https://securityreactions.tumblr.com

UX/UI design

http://halls-of-valhalla.org
wiliam.com.au
inkslcc.wordpress.com

But security UX is hard.

https://blog.mozilla.org/security
https://bugzilla.mozilla.org/show_bug.cgi?id=797661#c17

User control vs automatic choices

Raising awareness about security & privacy

Playing catch-up

Defense in depth

Process isolation, sandboxing, CSP...

Message encryption, VPN support, full disk encryption

Catching up vs. innovating

It's all about compromise.

Updates & bug bounty program

OEMs & carriers modify the code.

Optimizations

Proprietary APIs

No update are pushed to the phones.

No security bug bounty program

Permission model v1

dom/apps/PermissionsTable.jsm

Not "webby"

Too many restricted APIs

New security model for apps

Exposing APIs to the web

W3C standardization

Agreeing on use cases

UX/UI parts are hard to standardized.

Hosted apps

Offline

Decentralized trust

Use standards

Streamable packages, Sub Resource Integrity, Service Workers

Open hardware?

Ethical cost?

And now?

Transition plan

Internet of Things

Contact