I'm not sure phishing works in a phone. There is no password. Yes, an app could put up a display that looks like the Permissions Manager app. Yes, the user could touch whatever controls would grant permissions. No, the permissions would not change. No, an app can't modify the display of the Permissions Manager app. No passwords are entered; I'm not sure what the malicious app is phishing for. Can you give an example of what it might be doing?

Note that this doesn't mean phishing can't occur. An app could look like my bank app if I loaded it from an untrusted source. But it doesn't need any permission besides connecting to its server to phish in this case.

Another note. I suspect we may allow someone to deliver a "Better Permissions Manager". I would think this would be the kind of app that would want LOTS of inspection before being granted any permissions. And the only permission it should be granted is "Can modify permissions". I might go so far as to enforce that in the actual code that implements the permissions management.

I would also not allow for Permissions Management to be set to "Deny Always". Otherwise you could be locked out of your device.

On Mar 15, 2012, at 6:21 PM, lkcl luke wrote:

> On Thu, Mar 15, 2012 at 10:00 PM, Jim Straus <[email protected]> wrote:
>> I'm not sure an app can effectively bully the user.
>
> [....]
>
>> An app COULD complain to the user if they are denied access and try to get
>> them to go to the Permissions Manager app, but I suspect any app that was so
>> abusive would be deleted very quickly.
>
> ok, that was the answer i was looking for. if that's reasonable to
> rely on that happening, then that's ok.
>
> is the more subtle case worth considering? say... the app putting
> up instructions to the user on how to change the permissions, and
> making it look like part of the OS? phishing attacks, basically.
>
> i'm not clutching at straws with this, i'm just being thorough.
>
> l.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
