Hi,

On 09/09/2014 15:00, Kartikaya Gupta wrote:
> On 8/9/2014, 5:20, Paul Theriault wrote:
>> The challenge we had when talking through this situation previously
>> was that it's difficult to distinguish between the device's owner &
>> someone who has just found your phone, and wants to take advantage of
>> developer mode to compromise your phone and/or data.
>
> Thanks for pointing this out, as it is an important distinction that is
> the heart of the problem.
>
>> Cons:
>> - A user must set passcode at FTU (and remember it!), else they won't
>> be able to use this mode without a factory reset
>
> When they do a factory reset, is there a mechanism available for them to
> backup and restore their data? (I admit I'm unfamiliar with what the
> average user would use for this - a quick search online seems to
> indicate you have to use adb to do this). If there is a mechanism, what
> prevents the "malicious person who just found your phone" from doing
> this data backup and stealing your data? Is this somehow a less-bad
> scenario than the malicious person being able to enable os-developer mode?

Definitely not, since what we want to achieve ultimately is protecting the user's data. But I don't know the details of the possible solutions for the backup and restore mechanism, so I'll let better informed people answer this.

> I just worry that forcing a factory reset in this scenario is going to
> place a big barrier to allowing our users to organically grow from
> "users" to "webmaker". That is, they will find it much harder to learn
> and hack their phones in ways that we should be actively
> encouraging.

This 'os-developer' mode is meant for people who want to write and debug certified apps. This factory reset scenario won't impact web app developers (privileged, web). Are would-be Gaia developers the target you're concerned about?

> Seeing as the heart of the problem is distinguishing the device owner
> and Mr. Malicious, perhaps we could ask for some piece of information
> the device owner is much more likely to have. The SIM PIN might be such
> a thing, or maybe some other unique identifier that comes with the phone
> but isn't physically present or accessible on the handset itself.

Since the SIM can be removed and replaced by the attacker's SIM, it doesn't look like the right candidate. That's why we consider the device PIN code instead.

The issue we're hitting is always the same: how to make sure it's the actual owner of the device who is initializing _first_ the authentication service (setting a PIN code, synchronizing to a backup service, etc.) while protecting the data. Hence the factory reset solution...

Stéphanie

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
