FirefoxOS Application Security

Paul Theriault, ptheriault at

Firefox OS Security

This presentation is a web page:

This presentation is also available as a web app for Firefox & FirefoxOS :

  • Firefox OS Introduction
  • Getting started with testing Firefox OS
  • Application Runtime
  • Threats & Controls
Boot-to-Gecko(B2G) = codename for Firefox OS project
Section 1:
Firefox OS Introduction
  • Open Web as a platform for mobile devices
  • All Apps are built with Web technologies (HTML/JavaScript/CSS)
  • New Web APIs to provide native functionality to the web
Project homepage
Firefox OS Components
  • Gaia - User interface
  • Gecko – Browser Runtime
  • Gonk – underlying Linux OS, firmware etc
  • Third-party Apps - HTML/JS/CSS Apps
  • User interface
  • System App
  • Homescreen App
  • Dialer,SMS, email, camera, music and others.
  • Entirely HTML, CSS, JavaScript
  • Application Runtime
  • Basicaly Firefox with new Web APIs without the UI
  • Includes:
    • a networking stack
    • graphics stack
    • layout engine
    • virtual machine (for JS)
    • porting layers
  • Lower-level operating system
  • Linux kernel and HAL (Hardware Abstraction Layer)
  • Open-source lbs: libusb, bluez ...
  • Android libs: GPS, camera ...
Third Party Apps
  • Open Web Apps
  • HTML, JavaScript, CSS
  • Two types:
    • Hosted: website plus a manifest
    • Packaged: static apps delivered in a package format
Getting started with B2G Desktop
Testing Platforms
  • Firefox Nightly
  • B2G Desktop
  • Emulator
  • Device

B2G Desktop recommended for balance of completeness & ease of setup. Emulator closer to actual hardware (used internally as main testing platform)

Steps to get started
  1. Install B2G desktop
Downloads here (windows, mac, linux)
Gaia Hacking (development) Guide
B2G Desktop
  1. Install B2G desktop
  2. Download and build Gaia profile
  3. Load B2G desktop with Gaia profile
Two binaries:
  1. b2g: Wrapper binary that uses built in profile
  2. b2g-bin: The actual b2g binary, use -profile path/to/profile to load a custom profile
B2G Desktop Tips
  • Obviously some APIs don't work (telephony,mobileconnection etc)
  • home key(mac:fn+left): home button, page up:volume up button. page down, volume down:button
  • home + either volume button: toggle source view
  • b2g-bin -jsconsole flag loads the error console
  • b2g-bin --screen 800x600 sets the window size to 800x600 (with)
  • b2g-bin -profile path/to/profile Load a custom profile
Section 2:
mozapp & mozbrowser
Installed Web Apps
  • Website plus a manifest file
  • One app per origin
  • No app store code reviews as they serve no purpose
  • No SSL indicator, no 'accept invalid cert' UI
  • Privileges similar to web content
  • Most native API access mediated through Web Activities
  • Unique origin per app
Privileged Web Apps
  • App consists of an explicit list of assets in a zip package.
  • Authenticated application approved by an app store.
  • Equivalent in functionality and security to apps on other mobile platforms.
  • App is approved by app store after a code review or some equivalent risk management process.
  • New app:// protocol handler e.g app://identifier/path/within/zipfile/file.html
  • app:// is not same-origin with
iframe mozapp attribute
  • Apps run inside mozApp iframes
  • Creates a separate data jar for the App (separate origin)
  • Requires 'embed-webapps' permission (only System App has this)
<iframe mozApp='path/to/manifest'>
Install Apps
Browser API
  • API which allows creation of browser in HTML
  • Browser app loads pages in mozbrowser iframes
  • Browser app has some cross-domain access to the child
  • Prevent frame-busting
  • Require 'browser' permission (privileged apps only)
  • <iframe mozbrowser>
Browser API:
Isolate child content
  • Child is never same-origin with parent (although http:// can't load app:// anyways)
  • In child,
  • Not framed for X-Frame-Options purposes
Browser API:
Implement browser functionality
  • Parent iframe has to perform all function a normal browser would do
  • Cross-origin access
    • Read source
    • Handle certain events: open,alert,navigate...
    • New methods: go, stop, reload, getScreenshot...
Browser API:
<iframe remote>
  • Loads the frame's page in a separate process
  • Permissions enforced on a process basis
  • Support work on app sandboxing
Browser API
Web pages, Web Apps and even the System App itself, are loaded in these mozbrowser iframes.

Rolling your own apps
  1. Copy app template (/gaia/test_apps/template)
  2. Insert your own HTML/Javascript/CSS
  3. Update manifest.webapp
  4. Run make
  5. Run gaia with your updated profile (as described earlier)
Or install someone else's!

Activity: try creating a JavaScript shell app, and running vs,'_blank')
What just happened? (source)
Using Marionette
  • Marionette is a Mozilla project to enable remote automation in Gecko-based projects
  • Server included in debug builds of gecko
  • Python-based client
  • Allow you to connect to gecko instances, inspect objects and execute javascript (firefox, Firefox for Android, firefox OS)
Getting started with Marionette
  1. Getting marionette
  2. Setup guide
  3. Getting started guide
  4. MDN Docs on marionette
    1. Note: Marionette will work with b2g Desktop nightlies, you don't need all of mozilla-central
Pull live HTML from system app
from marionette import Marionette
		marionette = Marionette('localhost', 2828)
		html=marionette.execute_script('return document.\
Inspect Chrome window structure
from marionette import Marionette
marionette = Marionette('localhost', 2828)
html=marionette.execute_script('return window.document.\
Section 3:
Key Security Controls
  • Content types: web, installed, privileged, certified
  • Permission types: implicit, explicit
  • Enumeration vs granting
App Types
  • Web Content
  • Installed Web App – web content which has been installed, but no verification of content
  • Packaged apps
    • Privileged Web App – static web content, reviewed and installed by a trusted app store
    • Certified Web App – static web content, installed by the phone vendor only
Which apps can get Which permissions?
  • Web : Geolocation, Fullscreen
  • Installed Sensor API, Alarm API, FM Radio
  • Privileged : Camera API, Alarm API, TCP Socket, Contacts API, Device Storage API, Browser API, WiFi Information API
  • Certified : Background services, WebSMS, WebTelephony, WebBluetooth, MobileConnection API, PowerManagementAPI, Push Notifications API, Settings API, Permissions API
Implicit Vs Explicit
  • Explicit: User must grant the privilege. Declared in manifest, but granted at runtime.
  • Implicit: Permission granted by virtue of being declared in the manifest. Reviewed by app store.
  • Explicit permissions: Geolocation, Camera, Contacts, Device Storage, Wifi Information, FM Radio
  • SeePermissions Table for complete list.

"permissions": [ "telephony", "voicemail", "contacts", "mobileconnection", "attention", "settings", "desktop-notification" ]

Web Activities
  • Similar to Web Intents
  • User chosen activity handler
  • Apps provide activity handlers
  • Some provide mediated access to sensitive functionality e.g. camera picker
XSS in Privileged Apps
  • Privileged code is static (packaged), but content is not
  • Any content generated from user-input
  • Default CSP policy applied to privileged Apps
Getting help & reporting Bugs

Firefox OS Application Security

Paul Theriault, Mozilla