> > There _is_ a more powerful capability that we may want to have available to a small handful of apps: "turn on the camera at some indefinite time in the future, without user interaction at the time". The only use case I can think of for that is an anti-device-theft system (turn on the camera, GPS, etc. remotely and try to figure out where the device is - I understand iPhones can do this), and maybe that should just be built into the TCB rather than being an add-on. But this does point at a general hole in the implicit authorization model: you can't use it to grant authorization to do something under programmatic conditions at some time in the future. Maybe there could be a special scheduler powerbox for that, though.
>
> That need is exactly what some WebRTC apps need (think VoIP-like service - replacement for Skype, Google Hangouts where you want a user-controlled/styled answer/call/etc buttons - you get the idea).

There definitely are some very powerful applications that don't fit into the model; anti-theft is a great example. Anti-theft apps also want to do things like delete all your data, delete all your other apps, record without permission, etc. However, these are uncommon applications that should be handled differently than Instagram. (Also, I certainly am not suggesting that built-in applications should be subject to the same requirements as third-party applications.)

> Users will not want to go through a security request on each call,

I agree with this completely. Users hate going through security requests. Pressing a recognizable button that means "start video" or "take photo" is not a security request from the user's perspective, though.

> app developers will not want to have "fixed" call/end buttons they can't style (and I don't think this works anyways, at least not well enough to consider).

Most applications use generic iconography because it's in the developer's best interest to use clearly-recognizable buttons. It lets users figure out how to use the app quickly. Having a standard trusted button helps towards the goal of easy-to-use applications. A trusted button could be slightly customizable to help it fit into certain color schemes but still have a recognizable shape and icon.

Secondly, app developers' desires are not always directly in line with users' best interests. Wanting to have slightly more rounded edges on a button is a tiny complaint, not a functionality issue. There are lots of things app developers will complain about. For example, many iOS developers would love to be able to sell users' location without the constraint that the app has to actually provide location-based services in order to collect location data.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
