Technically, if the app type is certified then it can only be preinstalled. IIRC there's an exception to this rule by which you can actually install certified apps using the developer mode and loading them directly via ADB/USB, but you cannot install them from the net. So if the app is certified, the installation just fails.
Best, Antonio On 28/02/2015 3:25, [email protected] wrote:
I have a hard time trying to understand how Certified API security enforcement works. I read that Certified apps are the only ones that can use a core API and can only be installed by OEM. However, this is not a technical answer that satisfies me. If I understand correctly, after starting a Web app on Firefox OS the first thing that is done by a some kind of Web app loader is checking what API is going to be used by this app. Now: * if app is not going to use a privileged API it is allowed to run * if app is going to use some privileged API it is checked if it's digitally signed by a marketplace. I think that this check is done either offline and an app signature is compared against a private key saved in device read only memory or done when installing and only once * if app is going to use a certified API ...? What is done at this point? In previous point it was checked whether an app was signed by how is it possible to differentiate between OEM or Marketplace? Does it work only because the device stores OEMs signatures? Or maybe signing has nothing to do with certified API and there's a predefined list of apps that are allowed to use a certified API and it's used when the system is built? That means that one could create a custom Firefox OS version and add his apps of choice that will be able to use certified API. _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
________________________________ Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição _______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
