On Monday, September 8, 2014 11:20:02 AM UTC+2, Paul Theriault wrote:
> Currently in order to debug certified apps (i.e. gaia apps) you need a phone
> which is rooted, in order to set the "devtools.debugger.forbid-certified-apps"
> preference to false. Having this preference set to true is required on
> production phones as it allows basically root-level access through the remote
> debugger. But it leaves the strange situation where you can install certified
> apps, but you can't debug them, which isn't particularly useful, and also
> means a large attack surface for an attacker with physical access.
>
> The challenge we had when talking through this situation previously was that
> it's difficult to distinguish between the device's owner & someone who has
> just found your phone, and wants to take advantage of developer mode to
> compromise your phone and/or data.
>
> My team has been working on a proposal to remedy this situation:
>
> - Introduce an "os-developer" mode
>
> - Provide a way in FTU to have the user choose a lockscreen pass code (not
>   necessarily enabled, just chosen)
>
> - Add UI into developer settings to enable os-developer mode, which requires
>   the user to enter their passcode
>
> - When enabled, this mode allows installing and debugging certified apps.
>   When disabled, certified app installation & debugging is forbidden.
>
> - The user MUST set a lockscreen code during FTU for os-developer to be
>   available. If they do not, os-developer mode is disabled, and can only be
>   re-enabled through the process of a factory-reset then redoing FTU.
>
> - Note that the user does not have to ENABLE the lockscreen during FTU, they
>   just have to at least choose a passcode. But encouraging users to set a
>   passcode comes with its own benefits.
>
> Pros:
>
> - Allows a way to enable developing of certified apps & Gaia hacking on
>   production, unrooted phones while protecting the user's data
>
> Cons:
>
> - A user must set passcode at FTU (and remember it!), else they won't be able
>   to use this mode without a factory reset
>
> - In the past there has been pushback on having passcode selection in FTU
>
> There are a lot of other details and considerations, but I'll keep it
> short(er) for now to start discussion. Does anyone think this is a useful
> change or is there a better way to enable certified app debugging, whilst
> protecting user data? If you are interested, there is a more detailed
> proposal here: [1]
>
> Thoughts & suggestions welcome.
>
> - Paul
>
> [1] https://docs.google.com/a/mozilla.com/document/d/11Q1_fj2nKciVyG2PdGH_LuiH09BhZJKzFjBuIcaHKqs/edit#
Wow, interesting catch. I always assumed that it was not possible to install certified apps on a non-rooted phone. So yeah, any way we can make this possible on non-rooted phones will get applause. Pin code sounds like a proper way of enabling this on consumer phones.

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
