A packaged app is zip file that contains all the resources that enable an Open Web App to function, along with an app manifest in the zip's root directory. The app manifest provides details about the app such as its description, icons used to identify the installed app and such. The package is then used to install the app to Firefox OS devices, Android devices and desktops. Once installed the app runs on the device, but is still able to access resources on the Web, such as a database on a Web server.
There are three types of packaged apps: web app, privileged app and internal app. While packaged apps can be used to deliver any type of Open Web App, privileged and internal apps are digitally signed to enable the use of privileged and internal (certified) APIs. Privileged apps are signed as part of the Marketplace review process, while internal apps are signed by device manufacturers or operators.
In addition to their ability to use privileged and internal (certified) APIs, packaged apps offer users a faster first start response as all the of the app's resources are available on the device after installation. These feature makes packaged apps the recommended approach for delivering Open Web Apps to Firefox OS devices, Android devices and desktops.
Note: Currently the Firefox Marketplace supports web and privileged packaged apps. In addition, Firefox Marketplace supports paid packaged apps for Firefox OS only and free packaged apps for Firefox OS, Firefox for Android and Firefox for Desktop. Support for paid apps on all platforms is under development.
There are three types of packaged apps: web apps, privileged apps and internal app. Each type of packaged app corresponds to a level of the App Security model implemented in Firefox OS. This section provides more information on each.
A web app is one that doesn't make use of privileged or internal (certified) APIs. When submitted to Marketplace the app's package is signed, but the special authentication process used for privileged or internal apps isn't performed. Web apps therefore cannot use privileged or internal APIs. These apps are not subject to the Content Security Policies (CSPs) required for privileged and internal apps.
This type of packaged app doesn't require the
type field in its
manifest.webapp file, because the default value for
web) is correct.
Note: Web apps may be self-published or distributed through the Firefox Marketplace.
Note: Web apps can also be delivered using the Hosted app mechanism.
A privileged app is one that makes use of privileged APIs and can be considered as the equivalent of a native app on platforms such as iOS and Android. When submitted to the Firefox Marketplace, privileged apps are approved using a special process. This process gives users of the app a level of assurance that the app has been carefully reviewed for potential security, privacy, and capability issues.
To specify that an app is a privileged app, add the
type field to its
manifest.webapp file and set its value to
privileged. Every privileged API your app needs to access must be added to the
permissions field in the app's manifest.
Firefox OS and the Web runtimes for Android and desktops enforces the following CSP for privileged apps:
"default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'"
Note: Privileged apps may be distributed through the Firefox Marketplace only.
The creation of Internal apps is generally not available for third-party developers and aren't distributed through the Firefox Marketplace. The long term goal for APIs available to Internal apps is to harden them, so they can be made available as privileged APIs. If you've an interest in seeing a particular API made available, please provide feedback on the dev-webapps mailing list.
An internal app is one that makes used of internal (certified) APIs. These APIs offer access to critical system function such as the default dialer or the system settings app on a device. Compared to to a privileged app, all API permissions in an internal app are implicit, meaning they are enabled without explicit user approval. An internal app must be approved for a device by the OEM or carrier.
To specify that an app is an internal app, add the
type field to its
manifest.webapp file and set it to
certified. Every privileged and internal API your app needs to access must be added to the
permissions field in the app's manifest.
Firefox OS implements the following CSP for internal apps:
"default-src *; script-src 'self'; object-src 'none'; style-src 'self'"
Note: Internal apps are preloaded onto devices by OEMs and operators; they are not distributed in any other way.
Note: You may sometimes see internal apps referred to as certified apps, a term commonly used within Mozilla, OEMs and carriers.
Testing packaged apps
To install a packaged app into a Firefox OS Simulator or onto a device for testing purposes, see Using the App Manager. Alternatively, you can install it on to a device from a Web server by following the steps described in Publishing apps yourself. Remember that when you publish apps yourself, packaged web apps only can be installed .
Publishing packaged apps
You have two options for publishing packaged apps: on Firefox Marketplace or self-publishing.
Publishing on Firefox Marketplace
The process for submitting a packaged app to Firefox Marketplace is described in the App Publishing section.
When you submit your packaged app, its zip file is stored on the Marketplace servers, and the Marketplace generates a new manifest called the mini-manifest that is based on the app manifest in your packaged app's zip file. When a user installs your app, the mini-manifest is passed to the
Apps.installPackage() function to install the app. The mini-manifest exists for installation and update purposes and isn't used when your app runs.
It's possible to publish packaged web apps outside Firefox Marketplace, on your own web server. Details are provided in Publishing apps yourself.
Updating packaged apps
For information on updating apps, see Updating apps.