The problem with this approach is it relies on developers knowing which permissions should be system app only, and which ones can be used by other certified apps. We have already run into this with partner developers, and fair enough since this restriction isn't documented anywhere.
Regardless of whether we enforce this or not, at least we need to document which permissions should be only used by the system app so that this will be more well known. (I'll raise a bug assigned to me I guess to make this list)

On Feb 6, 2014, at 12:48 PM, Jonas Sicking wrote:

> On Jan 30, 2014 9:21 AM, "Stéphanie Ouillon" <[email protected]> wrote:
>>
>> Hi,
>>
>> The "nfc-manager" permission allows a certified app to receive any
>> broadcasted message (such as "nfc-manager-send-file") coming from Gecko.
>> These messages are meant to be routed by the System app to all other NFC
>> enabled applications. Thus only the System app should be able to have
>> this permission (the browser shouldn't have it, see bug 963488).
>>
>> There is a bunch of certified permissions that are only used in System:
>> cellbroadcast, input-manage, embed-apps, background-censors (and another
>> bunch used in both System and Settings only). But I'm not sure whether
>> it could be used somewhere else someday or not.
>>
>> The question is the following one: is it worth considering having a set
>> of permissions restricted to the System app only?
>
> Certified APIs are only exposed to certified apps that at build time
> enumerate the appropriate permission in their manifest.
>
> So these APIs are effectively already only exposed to the system app.
>
> This has the security benefits you mention, while also keeping us flexible
> for future changes.
>
> / Jonas
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
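The check the thread is asking for (a list of System-only permissions, and a way to notice when another app's manifest requests one of them) can be expressed as a small build-time audit. The following is an added example written for this thread, not Mozilla or Gaia code. It assumes the real manifest.webapp layout (a top-level "type" and a "permissions" object keyed by permission name), takes its System-only list from the permissions named in the thread (illustrative, not an official or complete list), assumes the System app is the one named "system", and uses constructed sample manifests.

```python
"""Audit Firefox OS (B2G) app manifests for permissions that should be
granted to the System app only.

Added example for this thread; not Mozilla/Gaia code. The permission names
come from the thread; "type" plus a "permissions" object is the real
manifest.webapp layout, but the audit rules, the System app name and the
sample manifests are constructed for illustration.
"""
import json

# Permissions the thread says are used only by the System app
# (illustrative list taken from the thread, not an official or complete one).
SYSTEM_ONLY_PERMISSIONS = frozenset({
    "nfc-manager",
    "cellbroadcast",
    "input-manage",
    "embed-apps",
})

# Name of the app that is allowed to hold those permissions (assumption).
SYSTEM_APP_NAME = "system"


def audit_manifest(app_name, manifest):
    """Return a list of (app, reason, permissions) problems for one parsed manifest.

    Two checks mirror the two gates discussed in the thread:
    1. a System-only permission in a non-certified app is never granted
       (certified APIs only reach certified apps), but it shows a developer
       who does not know about the restriction;
    2. a System-only permission in a certified app other than System is the
       case the thread wants documented and, ideally, enforced.
    """
    problems = []
    requested = set(manifest.get("permissions", {}).keys())
    restricted = sorted(requested & SYSTEM_ONLY_PERMISSIONS)
    if not restricted:
        return problems
    # A manifest without "type" is a plain web app.
    app_type = manifest.get("type", "web")
    if app_type != "certified":
        problems.append((app_name, "not-certified", restricted))
    elif app_name != SYSTEM_APP_NAME:
        problems.append((app_name, "certified-but-not-system", restricted))
    return problems


def audit_all(manifests):
    """Run audit_manifest over a {app_name: manifest_dict} mapping, sorted by app name."""
    findings = []
    for app_name, manifest in sorted(manifests.items()):
        findings.extend(audit_manifest(app_name, manifest))
    return findings


# Constructed sample manifests, as JSON text the way manifest.webapp holds it.
SAMPLE_MANIFESTS = {
    "system": '{"type": "certified", "permissions": {"nfc-manager": {}, "cellbroadcast": {}}}',
    "browser": '{"type": "certified", "permissions": {"nfc-manager": {}, "browser": {}}}',
    "gallery": '{"type": "privileged", "permissions": {"embed-apps": {}, "device-storage:pictures": {}}}',
    "calculator": '{"permissions": {}}',
}


def audit_sample():
    """Parse the constructed manifests and return the audit findings."""
    parsed = {name: json.loads(text) for name, text in SAMPLE_MANIFESTS.items()}
    return audit_all(parsed)


if __name__ == "__main__":
    for app, reason, perms in audit_sample():
        print(f"{app}: {reason}: {', '.join(perms)}")
```

Run against the samples, the audit flags the certified "browser" app for holding "nfc-manager" (the situation bug 963488 in the thread describes) and the privileged "gallery" app for requesting "embed-apps"; the System app and the permission-less calculator pass. Wiring this into the Gaia build would turn the documented list into the enforcement the first message says is currently missing.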
