Security Testing on Firefox OS
This guide is aimed at security testers wanting to start security testing on Firefox OS, to help community members audit Apps and the Firefox OS platform itself. If you haven't already, start by reading the Firefox OS Security Overview; it provides the basic background on the terminology and architecture discussed below.
This guide covers the following techniques:
- Getting started with a desktop build of Firefox OS
- Using Marionette to inspect and control Apps running on Firefox OS
- Modifying Gaia: how to run B2G desktop with a custom profile
- How to create and install your own App (or modify the pre-installed Gaia Apps)
- Intercepting traffic using a proxy
All of our testing will happen against b2g-desktop, a native build of Firefox OS for your desktop computer. Start downloading the nightly build for your platform (Linux, Mac OS, Windows) before you read on.
Getting started with b2g-desktop
Okay, did you already download your flavor of nightly build (Linux, Mac OS, Windows)? Then let's go.
Setting up b2g-desktop is as simple as extracting the archive and running the b2g binary.
Linux: extract the tarball and run the binary:
tar xf b2g-something-something.tar.bz2
cd b2g
./b2g
Mac OS: open the .dmg file, and copy it to your /Applications directory. Once copied, launch b2g-desktop by clicking the b2g.app icon. Alternatively you can launch it from the terminal as follows:
Windows: download and extract the zip file to a convenient location. Double-click on b2g.exe to start b2g-desktop.
At the time of writing, there is an issue running b2g-desktop on Windows. You might be able to try the Firefox OS simulator instead.
Getting started tips
You can now play with Firefox OS in a desktop window. Go play around: open the browser (lower right of the home screen) and visit a web page, try opening a few apps. You will notice that some device-specific functionality, such as the dialer, camera, radio etc., won't work, for obvious reasons.
Make yourself comfortable with b2g-desktop. The key bindings are as follows:
- Home button: Home key (Mac: function + left )
- Power button: End key (Mac: function + right )
- Volume button: Page Up/Down keys (Mac: function + up/down )
- Open Cards View: long press of the Home key
Using Marionette to inspect and control Apps
Setting up b2g-desktop with Marionette is as easy as pie: just make sure that your b2g profile (like in the Firefox browser, all user settings are stored within a profile) has Marionette enabled.
To do so, add the following line to your prefs.js file in gaia/profile/.
This enables marionette-debugging, which listens on port 2828 and lets the installed client connect. That is enough to get started; if you want to know more, look at the full Marionette docs on MDN. After enabling marionette-debugging, restart the b2g binary. You will see no difference in the b2g window, but it is now listening on port 2828. Note that Marionette does no authentication: anything that can reach that port can run script inside any App, so only enable it on a test profile.
For our example, we will remote-control the Browser App. Start it by clicking the browser icon in the lower right of the b2g home screen with your mouse. Is the b2g binary showing the browser App? Good, here we go debugging it:
$ python fxos-reply.py list
app://homescreen.gaiamobile.org/index.html#root
app://browser.gaiamobile.org/index.html
app://keyboard.gaiamobile.org/index.html
Aha, these are the running Apps and their URIs.
Now let's connect to the browser App, and investigate:
$ python fxos-reply.py connect app://browser.gaiamobile.org/index.html
Connected to app://browser.gaiamobile.org/index.html
Let's use the querySelector API to find a <menu> tag with id="toolbar-start" and view its HTML:
>>> document.querySelector("menu#toolbar-start").outerHTML
<menu type="toolbar" id="toolbar-start">
  <form id="url-bar" novalidate="">
    <input id="ssl-indicator" value="" type="image">
    <input id="url-input" placeholder="Enter search or address" data-l10n-id="enter-search-or-address" x-inputmode="verbatim" type="text">
    <input style="background-image: url("style/images/go.png");" id="url-button" value="" type="image">
  </form>
  <span id="tabs-badge">1<span id="more-tabs">›</span></span>
  <button id="awesomescreen-cancel-button"></button>
  <div id="throbber"></div>
</menu>
Does it look familiar? It's the toolbar that contains the address bar and the New Tab button.
Let's click this button! It's
The New Tab UI should show now! Let's try something else:
Now go, play!
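The same list/connect/query sequence can be driven from a script instead of the REPL. The following is an added example, not code from the original page and not the fxos-reply.py client used above. It uses the marionette_driver Python package (pip install marionette_driver) against port 2828. Its assumptions: Marionette is enabled in the running profile, and, as in Gaia of that era, every running App is an <iframe> under the System app whose src is the App URL (app://<name>.gaiamobile.org/...). The element it clicks at the end (#tabs-badge, taken from the toolbar markup above) is my choice; the page does not say which button it clicks.

```python
"""Drive Gaia apps over Marionette (b2g-desktop, port 2828).

Added example, not part of the original page and not the fxos-reply.py client.
Assumptions: Marionette enabled in the profile; each running app is an <iframe>
under the System app with the app URL in its src attribute.
"""
import sys
from urllib.parse import urlparse

try:
    from marionette_driver.by import By
    from marionette_driver.marionette import Marionette
except ImportError:  # keep the pure helpers importable without the driver
    By = Marionette = None

HOST, PORT = "127.0.0.1", 2828   # port the page says marionette-debugging listens on


def app_origin(url):
    """'app://browser.gaiamobile.org/index.html#root' -> 'app://browser.gaiamobile.org'."""
    u = urlparse(url)
    return "%s://%s" % (u.scheme, u.netloc)


def pick_frame(frame_srcs, app_name):
    """Index of the first frame whose origin is app://<app_name>.gaiamobile.org, or None."""
    wanted = "app://%s.gaiamobile.org" % app_name
    for i, src in enumerate(frame_srcs):
        if app_origin(src) == wanted:
            return i
    return None


def list_apps(m):
    """Equivalent of 'fxos-reply.py list': src of every app frame under the System app."""
    m.switch_to_frame()                       # no argument = back to the top-level (System) frame
    return [f.get_attribute("src") for f in m.find_elements(By.CSS_SELECTOR, "iframe")]


def connect_to_app(m, app_name):
    """Equivalent of 'fxos-reply.py connect': move the session into that app's frame."""
    m.switch_to_frame()
    frames = m.find_elements(By.CSS_SELECTOR, "iframe")
    idx = pick_frame([f.get_attribute("src") for f in frames], app_name)
    if idx is None:
        raise RuntimeError("%s is not running; open it in the b2g window first" % app_name)
    m.switch_to_frame(frames[idx])
    return frames[idx].get_attribute("src")


# Same DOM query the page types into the REPL, run from Python instead.
INSPECT_TOOLBAR = """
var menu = document.querySelector("menu#toolbar-start");
return menu ? menu.outerHTML : null;
"""

# Click target is an assumption (the tabs badge from the toolbar markup).
CLICK_TABS_BADGE = 'document.querySelector("#tabs-badge").click();'


def main(app_name="browser"):
    if Marionette is None:
        sys.exit("pip install marionette_driver first")
    m = Marionette(host=HOST, port=PORT)
    m.start_session()
    for src in list_apps(m):
        print(src)
    print("Connected to", connect_to_app(m, app_name))
    print(m.execute_script(INSPECT_TOOLBAR))
    m.execute_script(CLICK_TABS_BADGE)
    m.delete_session()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "browser")
```

Run it with the Browser App open in the b2g window: python marionette_apps.py browser. Because the port is unauthenticated, check which interface it is bound to (ss -ltnp or netstat -an | grep 2828) before leaving a Marionette-enabled profile running on a shared machine.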
Running a modified version of Gaia
In the previous activity, we ran b2g-desktop with a pre-installed version of the Firefox OS front-end, Gaia. A useful exercise to better understand Firefox OS is to download and run your own version of Gaia. This provides two things:
- Source code to all of the pre-installed applications, so you can peer under the hood
- The ability to make changes and edit preferences, which is needed to get other testing tools working
Prerequisites to complete this exercise: git, make
Downloading and building Gaia
First you need to download Gaia and then build it; the build produces a profile which you can load with b2g-desktop. This can be achieved with the following commands:
Warning: building Gaia the first time requires downloading xulrunner, which is approx. 500 MB.
$ git clone https://github.com/mozilla-b2g/gaia
$ cd gaia
$ make
Load B2G desktop using the new profile
B2G Desktop comes with two main executables: b2g and b2g-bin: we want the latter, as this allows us to specify command line arguments.
Run b2g-bin, supplying the -profile option with the path to the Gaia profile:
$ b2g-bin -profile /path/to/gaia/profile
On a Mac, the command to launch from the gaia directory is:
$ /Applications/B2G.app/Contents/MacOS/b2g-bin -profile `pwd`/profile
Assuming it all works, you should see the lock screen:
<placeholder for gaia screenshot>
Useful switches when running b2g:
- Launch B2G desktop with a specific screen resolution: --screen (e.g. --screen 800x600)
- Enable the error console: -jsconsole (note the single -)
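The build-and-launch steps above, together with the earlier Marionette step of adding a preference to gaia/profile/prefs.js, fit naturally into one launcher script. The following is an added example, not part of the original page or of Gaia. It assumes the layouts the page describes: a b2g directory containing b2g-bin (Linux) or a B2G.app bundle (Mac), and a Gaia checkout whose make has produced gaia/profile/. The preference name it writes (marionette.defaultPrefs.enabled) is the one Gecko used for Marionette at the time and is an assumption on my part, not something shown on this page.

```shell
#!/bin/sh
# Launch b2g-desktop against a locally built Gaia profile.
# Added example, not from the original page. Assumed layouts: <b2g dir>/b2g-bin
# or <B2G.app>/Contents/MacOS/b2g-bin, and <gaia>/profile/ produced by make.

# Print the path of b2g-bin for either layout, or fail. The b2g wrapper does
# not pass -profile through, which is why the page says to use b2g-bin.
resolve_b2g_bin() {
    dir=$1
    for cand in "$dir/b2g-bin" "$dir/Contents/MacOS/b2g-bin"; do
        if [ -x "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no b2g-bin under $dir" >&2
    return 1
}

# Refuse to launch a profile that has not been built: pointing -profile at an
# empty directory silently gives you a fresh stock profile, not your Gaia.
check_gaia_profile() {
    profile=$1/profile
    [ -f "$profile/prefs.js" ] || {
        echo "$profile/prefs.js missing: run 'make' in $1 first" >&2
        return 1
    }
    printf '%s\n' "$profile"
}

# Append the Marionette pref to the built profile once (idempotent).
# Pref name is an assumption (Gecko's Marionette pref of that era), not from the page.
enable_marionette() {
    prefs=$1/profile/prefs.js
    [ -f "$prefs" ] || return 1
    grep -q '"marionette.defaultPrefs.enabled"' "$prefs" ||
        printf 'user_pref("marionette.defaultPrefs.enabled", true);\n' >> "$prefs"
}

# run_b2g_with_gaia B2G_DIR GAIA_DIR [extra b2g switches...]
run_b2g_with_gaia() {
    b2g_dir=$1; gaia_dir=$2; shift 2
    bin=$(resolve_b2g_bin "$b2g_dir") || return 1
    profile=$(check_gaia_profile "$gaia_dir") || return 1
    "$bin" -profile "$profile" -jsconsole "$@"
}
```

Typical use after make has finished: enable_marionette /path/to/gaia, then run_b2g_with_gaia /path/to/b2g /path/to/gaia --screen 800x600. Re-run enable_marionette after any rebuild that regenerates profile/, since the pref lives in the generated prefs.js.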