I have a hard time trying to understand how Certified API security enforcement works. I read that Certified apps are the only ones that can use a core API and can only be installed by OEM. However, this is not a technical answer that satisfies me.
If I understand correctly, after starting a Web app on Firefox OS the first thing that is done by a some kind of Web app loader is checking what API is going to be used by this app. Now: * if app is not going to use a privileged API it is allowed to run * if app is going to use some privileged API it is checked if it's digitally signed by a marketplace. I think that this check is done either offline and an app signature is compared against a private key saved in device read only memory or done when installing and only once * if app is going to use a certified API ...? What is done at this point? In previous point it was checked whether an app was signed by how is it possible to differentiate between OEM or Marketplace? Does it work only because the device stores OEMs signatures? Or maybe signing has nothing to do with certified API and there's a predefined list of apps that are allowed to use a certified API and it's used when the system is built? That means that one could create a custom Firefox OS version and add his apps of choice that will be able to use certified API. _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
