On 09/18/2013 12:09 AM, Paul Theriault wrote:
> But let me try to rephrase the dilemma here. Currently for 1.2, we have a
> preference ('devtools.debugger.forbid-certified-app') which prevents remote
> debugging _only_ for certified apps. And I assume that so long as developers
> had the ability to flip this preference, then there is no issue here. In 1.2,
> you need root access to change this preference and debug certified apps - root
> access is non-trivial for regular developers to obtain, so this isn't a great
> situation. In 1.3 we plan to have UI and a mechanism to toggle this preference
> securely (through wiping sensitive user data, or some other solution that
> doesn't impact developer workflow).
>
> So I think the question is really just what to do for the 3 months in between
> the release of 1.2 and 1.3. The argument that I think I am hearing in this
> thread is that we should switch this preference earlier (i.e. 1.2) because the
> benefit to the ecosystem in terms of ease of development is greater than the
> risk to our regular users by enabling debugging of certified apps. I don't
> agree with this argument for all the reasons stated above - both from
> protection of users and potential impact to our reputation. But ultimately this
> needs to be a decision for project leadership, and we need to be loud and clear
> to users about the implications of the decision.
Here are the parts I think we agree on:
Given that access to sensitive data (messages, pictures, and, via email,
password resetting) is possible either way on a phone with no passcode
set, making the pref false adds only mechanized access to the picture.
Then, features like USB photo sync provide such mechanized access for
some sensitive data already. (We don't insist on wiping photos before
enabling sync, right?) This further reduces the *additional* (that is,
available only by flipping the pref) exposure from allowing debugging.
Is this characterization fair and complete?
Then, I'm not yet persuaded that a user whose phone has been stolen, and
who is already worried about in-app access, will further be upset that
the debugging protocol offers an additional channel to the thief. I'm
not a typical user, but even keeping my limited perspective in mind,
that's hard for me to imagine.
I don't even think we should *require* users to wipe sensitive data to
enable debugging. We should *offer* to do so, but forcing it seems like
building in the assumption that users who are choosing to develop can't
consider the consequences of that choice. Is that the way we want to
treat people?