Currently in order to debug certified apps (i.e. gaia apps) you need a phone which is rooted, in order to set the "devtools.debugger.forbid-certified-apps" preference to false. Having this preference set to true is required on production phones as it allows basically root-level access through the remote debugger. But it leaves the strange situation where you can install certified apps, but you can’t debug them, which isn’t particularly useful, and also means a large attack surface for an attacker with physical access.
The challenge we had when talking through this situation previously was that it's difficult to distinguish between the device's owner and someone who has just found your phone and wants to take advantage of developer mode to compromise your phone and/or data. My team has been working on a proposal to remedy this situation:

- Introduce an "os-developer" mode
- Provide a way in FTU to have the user choose a lockscreen passcode (not necessarily enabled, just chosen)
- Add UI into developer settings to enable os-developer mode, which requires the user to enter their passcode
- When enabled, this mode allows installing and debugging certified apps. When disabled, certified app installation & debugging is forbidden.
- The user MUST set a lockscreen code during FTU for os-developer to be available. If they do not, os-developer mode is disabled, and can only be re-enabled through the process of a factory reset, then redoing FTU.
- Note that the user does not have to ENABLE the lockscreen during FTU, they just have to at least choose a passcode. But encouraging users to set a passcode comes with its own benefits.

Pros:
- Allows a way to enable development of certified apps & Gaia hacking on production, unrooted phones while protecting the user's data

Cons:
- A user must set a passcode at FTU (and remember it!), else they won't be able to use this mode without a factory reset
- In the past there has been pushback on having passcode selection in FTU

There are a lot of other details and considerations, but I'll keep it short(er) for now to start discussion. Does anyone think this is a useful change, or is there a better way to enable certified app debugging whilst protecting user data? If you are interested, there is a more detailed proposal here: [1]

Thoughts & suggestions welcome.

- Paul

[1] https://docs.google.com/a/mozilla.com/document/d/11Q1_fj2nKciVyG2PdGH_LuiH09BhZJKzFjBuIcaHKqs/edit#
_______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
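The policy described in the post, modelled as an added example (not B2G/Gaia code; the class and method names are assumptions): the passcode chosen at FTU is kept only as a salted hash, toggling os-developer mode requires that passcode, the "devtools.debugger.forbid-certified-apps" preference is derived from the mode rather than set directly, and skipping the passcode at FTU leaves the mode unavailable until a factory reset.

```python
import hashlib
import hmac
import os

# Constructed model of the proposed "os-developer" policy; names are
# assumptions for illustration, not the real Gaia/B2G implementation.
PREF = "devtools.debugger.forbid-certified-apps"


class DevicePolicy:
    """Tracks the FTU passcode choice and the os-developer mode state."""

    def __init__(self):
        self.factory_reset()

    def factory_reset(self):
        # After a reset FTU runs again; until then nothing has been chosen.
        self._salt = None
        self._passcode_hash = None
        self.os_developer = False
        self.ftu_done = False

    def finish_ftu(self, passcode=None):
        """FTU step: the user may choose a passcode (stored as a salted hash)."""
        if passcode:
            self._salt = os.urandom(16)
            self._passcode_hash = self._hash(passcode)
        self.ftu_done = True

    def _hash(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 50_000)

    def os_developer_available(self):
        # No passcode chosen at FTU -> unavailable until factory reset + FTU.
        return self.ftu_done and self._passcode_hash is not None

    def set_os_developer(self, enabled, passcode):
        """Developer-settings UI: toggling the mode requires the passcode."""
        if not self.os_developer_available():
            return False
        if not hmac.compare_digest(self._hash(passcode), self._passcode_hash):
            return False  # wrong passcode: state unchanged
        self.os_developer = enabled
        return True

    def prefs(self):
        # The debugger pref follows the mode; it is never set directly.
        return {PREF: not self.os_developer}

    def may_install_or_debug_certified(self):
        return self.os_developer
```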
