Este documento mostra uma visão geral sobre o framework de segurança do Mozilla Firefox OS, do qual é desenhado para proteger dispositivos móveis das ameaças para a plataforma, apps e dados pessoais. No Firefox OS a fundação Mozilla implementou uma arquitetura bem simplificada, segurança , de várias camadas que traz maior segurança aos donos de dispositivos móveis.
Segurança da plataforma
A segurança do Firefox OS é baseado em vários modelos de camadas, tais camadas de segurança é desenhada para bloquear qualquer tentativa de falha. As medidas de combate da linha de frente é combinada com uma forte estratégia que provê total proteção para qualquer ameaça.
O Firefox OS conecta-se as aplicações web através de sua arquitetura simplificada de hardware, combinando com suas camadas de proteção, cada camada corresponde a um nível de abstração que o protege de qualquer risco, como todas são integradas, esse é o esquema de níveis de cada uma delas:
O dispositivo móvel representa um aparelho inteligente rodando o Firefox OS. Gonk consiste basicamente de um kernel do Linux, bibliotecas, firmwares e drivers do dispositivo como a camera, microfone, etc.
Gecko é a camada de execução de suas aplicações, onde tudo é rodado, desde o navegador até suas apps, assim como acesso as APIs Web, que usam a API para deixar você acessar a Camera, Microfone, Acelerometro.
Gecko é o segurança da plataforma, ele é quem decide o que pode e o que não pode rodar, baseado no esquema de política de segurança aplicada ao Firefox OS, garantindo sempre o bom uso da plataforma tanto para os usuários quanto para desenvolvedores, afastando os usos indevidos da platforma. A camada do Gecko comporta-se como um intermediador entre uma App(Gaia) e o Firefox OS.
Por exemplo se sua App requer acesso a camera, o Gaia requisita, o Gecko verifica se existe permissão, aprovando a permissão ele repassa a informação ao Gonk que entrega o acesso direto ao Gecko.
Todas as funções de hardware do dispositivo são só entregues pelo acesso as APIs Web, não existe jeitinho para tal ou "porta dos fundos". Isso garante segurança ao usuário que irá utilizar sua App.
Implantação de um sistema seguro
Firefox OS já vem instalado em um telefone inteligente (smartphones). A imagem original mais conhecida como ROM é gerada por uma fonte conhecida e segura que possui parcerias de OEM com a Mozilla. Os distribuidores dos smartphones OEM, geralmente eles montam o dispositivo, criam, testam e assinam digitalmente o pacote de distribuição.
As medidas de segurança são usadas em todos os níveis de tecnologia. Privilégios de sistema de arquivo são aplicadas por listas de controle de acesso do Linux (ACLs). Aplicativos do sistema são instalados em um volume que é somente leitura (exceto durante as atualizações, quando é temporariamente leitura e escrita). Apenas as áreas que contenham conteúdo do usuário pode ser de leitura e escrita. Vários componentes do hardware do dispositivo têm embutido proteções que são implementados por padrão como uma prática padrão da indústria. Fabricantes de chipsets, por exemplo, utilizar técnicas de endurecimento para reduzir vulnerabilidades. A plataforma central (Gecko e Gonk) é endurecida para reforçar a sua defesa contra ameaças potenciais, e as características de endurecimento do compilador são usadas quando aplicável. Para mais detalhes, consulte Runtime security.
Secure System Updates
Subsequent upgrades and patches to the Firefox OS platform are deployed using a secure Mozilla process that ensures the ongoing integrity of the system image on the mobile phone. The update is created by a known, trusted source – usually the device OEM – that is responsible for assembling, building, testing, and digitally signing the update package.
System updates can involve all or a portion of the Firefox OS stack. If changes to Gonk are included in the update, then FOTA (Firmware Over the Air) is the install process used. FOTA updates can also include any other part of the Firefox OS stack, including device management (FOTA, firmware / drivers), settings management (Firefox OS settings), security updates, Gaia, Gecko, and other patches.
Updates that do not involve Gonk can be done using the Mozilla System Update Utility. Firefox OS uses the same update framework, processes, and Mozilla ARchive (MAR) format (used for update packages) as the Firefox Desktop product. For more information, see https://wiki.mozilla.org/Software_Update.
A built-in update service – which may be provided by the OEM – on the mobile phone periodically checks for system updates. Once a system package becomes available and is detected by the update service, the user is prompted to confirm installation. Before updates are installed on the mobile device, the device storage is checked for sufficient space to apply the update, and the distribution is verified for:
- update origin (verify the source location protocol:domain:port of the system update and manifest)
- file integrity (SHA-256 hash check)
- code signature (certificate check against a trusted root)
Os procedimentos de segurança abaixo são usados no processo de atualizar:
- Mozilla recommends and expects that updates are fetched over an SSL connection.
- Strong cryptographic verification is required before installing a firmware package.
- The complete update must be downloaded in a specific and secure location before the update process begins.
- The system must be in a secure state when the update process starts, with no Web apps running.
- The keys must be stored in a secure location on the device.
Rigorous checks are in place to ensure that the update is applied properly to the mobile phone.
Firefox OS uses a defense-in-depth security strategy to protect the mobile phone from intrusive or malicious applications. This strategy employs a variety of mechanisms, including implicit permission levels based on an app trust model, sandboxed execution at run time, API-only access to the underlying mobile phone hardware, a robust permissions model, and secure installation and update processes. For technical details, refer to: Application security.
Firefox OS limits and enforces the scope of resources that can be accessed or used by an app, while also supporting a wide range of apps with varying permission levels. Mozilla implemented tight controls over what type of applications can access which APIs. For example, only certified apps (shipped with the phone) can have access to the Telephony API. The Dialer app has privileges to access the Telephony API in order to make phone calls, but not all certified apps can access this API. This prevents a scenario, for example, in which an arbitrary third-party app gets installed, dials a pay-per-use phone number (900 and 910), and racks up a large cell phone bill. However, other OEM apps might be selectively given access to the Telephony API. For example, an Operator might provide a systems management application that allows a customer to manage their account, including the ability to phone the Operator’s billing or support office directly.
Apps confiáveis e não confiáveis
Firefox OS organiza os apps em categorias de a acordo com os seguintes tipos:
Nível de confiança
System apps that have been approved by the Operator or OEM (due to risk of device corruption or risk to critical functionality). System apps and services only; not intended for third-party applications.
Third-party apps that have been reviewed, approved, and digitally signed by an authorized Marketplace.
Web (everything else)
Regular web content. Includes both installed apps (stored the mobile phone) and hosted apps (stored remotely, with only an app manifest stored on the mobile phone). The manifest for hosted apps can be obtained through a Marketplace.
An application’s trust level determines, in part, its ability to access mobile phone functionality.
- Certified apps have permissions to most Web API operations.
- Privileged apps have permissions to a subset of the Web API operations accessible to Certified apps.
- Untrusted apps have permissions to a subset of the Web API operations accessible to Privileged apps. These are only those Web APIs that contain sufficient security mitigations to be exposed to untrusted web content.
Some operations, such as network access, are assumed to be an implicit permission for all apps. In general, the more sensitive the operation (for example, dialing a phone number or accessing the Contacts list), the higher the app trust level required to execute it.
Princípio de poucas permissões
For web apps, the Firefox OS security framework follows the principle of least permissions: start with the absolute minimum permissions, then selectively grant additional privileges only when required and reasonable. By default, an app starts with very low permissions, which is comparable to untrusted web content. If the app makes Web API calls that require additional permissions, it must enumerate these additional permissions in its manifest (described later in this document). Gecko will consider granting Web API access to an application only if the applicable privileges are explicitly requested in its manifest. Gecko will grant the requested permission only if the type of the Web App (certified, trusted, or web) is sufficiently qualified for access.
Processo de revisão para Apps privilegiadas no Marketplace
In order for an app to become privileged, the app provider must submit it for consideration to an authorized Marketplace. The Marketplace subjects the app to a rigorous code review process: verifying its authenticity and integrity, ensuring that requested permissions are used for the purposes stated (in the permission rationale), verifying that the use of implicit permissions is appropriate, and validating that any interfaces between privileged app content and unprivileged external content have the appropriate mitigations to prevent elevation of privilege attacks. The Marketplace has the responsibility to ensure that the web app will not behave maliciously with the permissions that it is granted.
After an app passes this review, it is approved for use, its app manifest is digitally signed by the Marketplace, and it is made available for mobile users to download. The signature ensures that, if the web store were somehow hacked, the hacker could not get away with installing arbitrary content or malicious code on users’ phones. Due to this vetting process, Firefox OS gives privileged apps obtained from a Marketplace a higher degree of trust than everyday (untrusted) web content.
Apps empacotadas e Hospedadas
Apps for Firefox OS can be either packaged (stored on the mobile phone) or hosted (stored on a remote web server, with just a manifest stored on the mobile phone). There are some differences in the way in which security is managed for each. Nonetheless, packaged and hosted apps are both subject to application sandboxing, which is described later in this document.
To refer to app resources in a packaged app, the URL begins with app: using the following format:
where app:// represents the mount point for the ZIP file, and identifier is a UUID that is generated when the app is installed on the mobile phone. This mechanism ensures that resources referred to with an app: URL are contained in the ZIP file. The path within an app: is relative, so relative links to resources in the ZIP file are allowed.
While packaged apps are primarily intended to be used for Certified or Privileged apps, regular web apps can also be packaged. However, they do not gain any increase in trust or permissions access simply because they are packaged.
Hosted apps are located on a web server and loaded via HTTP. Only the app manifest is stored on the mobile phone. Everything else is stored remotely. Certain APIs are available only to privileged and certified apps, which requires the app to be packaged due to signing requirements. Therefore, a hosted app will not have access to any of the Web APIs operations that require privileged or certified app status.
From a security point of view, hosted apps work very much like normal websites. A hosted app is loaded by invoking a hard-coded, fully-qualified URL that points to the startup page in the root directory of the app on that web server. Once a hosted app is loaded, the mobile phone links to pages using the same URLs that are used when browsing the web site.
Manifesto da App ( App Manifest)
An Open Web App manifest contains information that a Web browser needs in order to interact with an app. A manifest is a JSON file with (at a minimum) a name and description for the app. For further details, refer to FAQs about app manifests.
Exemplo de manifesto
The following code listing shows an example manifest with just basic settings:
Configuraçòes de segurança no manifesto da App
The manifest can also contain other settings, including the following security settings:
Permissions required by the app. An app must list every Web API it intends to use that requires user permission. Most permissions make sense for privileged apps or certified apps, but not for hosted apps. Properties per API:
Origin of the app. Array of origins (scheme+unique hostname) that are allowed to trigger installation of this app. Allows app providers to restrict installs from only an authorized Marketplace (such as https://marketplace.firefox.com/).
Content Security Policy (CSP). Applied to all pages loaded in the app. Used to harden the app against bugs that would allow an attacker to inject code into the app. If unspecified, privileged and certified apps have system-defined defaults. Syntax:
Note that this directive can only increase the CSP applied. You cannot use it, for example, to reduce the CSP applied to a privileged App.
Type of application (web, privileged, or certified).
Firefox OS requires that the manifest be served with a specific mime-type ("application/x-web-app-manifest+json") and from the same fully-qualified host name (origin) from which the app is served. This restriction is relaxed when the manifest app (and thus the app manifest) is same-origin with the page that requested the app to be installed. This mechanism is used to ensure that it's not possible to trick a website into hosting an application manifest.
Execução na caixinha de areia
This section describes application and execution sandboxes.
Aplicativo na caixinha de areia
The Firefox OS security framework uses sandboxing as a defense-in-depth strategy to mitigate risks and protect the mobile phone, platform, and data. Sandboxing is a way of putting boundaries and restrictions around an app during run-time execution. Each app runs in its own worker space and it has access only to the Web APIs and the data it is permitted to access, as well as the resources associated with that worker space (IndexedDB databases, cookies, offline storage, and so on). For details, see https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model.
The following figure provides an overview of this security model.
By isolating each app, its impact is contained within its own worker space. It cannot interfere with anything (such as other apps or their data) outside of that worker space.
Caixinha de areia para execução
B2G (Gecko) runs in a highly-privileged system process that has access to hardware features in the mobile phone. At run-time, each app runs inside an execution environment that is a child process of the B2G system process. Each child process has a restricted set of OS privileges – for example, a child process cannot directly read or write arbitrary files on the file system. Privileged access is provided through Web APIs, which are mediated by the parent B2G process. The parent ensures that, when a child process requests a privileged API, it has the necessary permission to perform this action.
Apps communicate only with the B2G core process, not with other processes or apps. Apps do not run independently of B2G, nor can apps open each other. The only “communication” between apps is indirect (for example, when a listener process detects an event generated by some other process), and is mediated through the B2G process.
Hardware só é acesso pelas APIs Web
Web apps have only one entry point to access mobile phone functionality: the Firefox OS Web APIs, which are implemented in Gecko. Gecko provides the sole gateway to the mobile device and underlying services. The only way to access device hardware functionality is to make a Web API call. There is no “native” API and there are no other routes (no “back doors”) to bypass this mechanism and interact directly with the hardware or penetrate into low-level software layer.
Infra estrutura de segurança
The following figure shows the components of this security framework:
- Permission Manager: Gateway to accessing functionality in the Web API, which is the only access to the underlying hardware.
- Access Control List: Matrix of roles and permissions required to access Web API functionality.
- Credential Validation: Authentication of apps/users.
- Permissions Store: Set of privileges required to access Web API functionality.
Gerenciamento de permissões e reforços
Firefox OS security is designed to verify and enforce the permissions granted to web apps.
The system grants a particular permission to an app only if the content requests it, and only if it has the appropriate permissions requested in the app’s manifest. Some permissions require further authorization from the user, who is prompted to grant permission (as in the case of an app requesting access to the user’s current location). This app-centric framework provides more granular control over permissions than traditional role-centric approaches (in which individual roles are each assigned a set of permissions).
A given Web API has a set of actions and listeners. Each Web API has a required level of permission. Every time a Web API is called, Gecko checks permission requirements (role lookup) based on:
- permissions associated with calling app (as specified in the manifest and based on the app type)
- permissions required to execute the requested operation (Web API call)
If the request does not meet the permission criteria, then Gecko rejects the request. For example, untrusted apps cannot execute any Web APIs that are reserved for trusted apps.
Requisitando permissão do usuário
In addition to permissions that are implicitly associated with the web apps, certain operations require explicit permission from the user before they can be executed. For these operations, web apps are required to specify, in their manifest, their justification for requiring this permission. This data usage intention informs users about what the web app intends to do with this data if permission is granted, as well as any risk involved. This allows users to make informed decisions and maintain control over their data.
Processo seguro de atualização da App
For app upgrades and patches to a privileged app, app providers submit the updated package to an authorized Marketplace, where it is reviewed and, if approved, signed and made available to users. On Firefox OS devices, an App Update Utility periodically checks for app updates. If an update is available, then the user is asked whether they want to install it. Before a update is installed on the mobile device, the package is verified for:
- update origin (verify the source location protocol:domain:port of the update and manifest)
- file integrity (SHA-256 hash check)
- code signature (certificate check against a trusted root)
Rigorous checks are in place to ensure that the update is applied properly to the mobile phone.
The complete update package must be downloaded in a specific and secure location before the update process begins. Installation does not overwrite any user data.
Segurança do dispositivo (Hardware)
Security mechanisms for the mobile device hardware are typically handled by the OEM. For example, an OEM might offer SIM (Subscriber Identity Module) card locks, along with PUK (PIN Unlock Key) codes to unlock SIM cards that have become locked following incorrect PIN entries. Contact the OEM for details. Firefox OS does allow users to configure passcodes and timeout screens, which are described in the next section.
Segurança de dados
Users can store personal data on their phone that they want to keep private, including contacts, financial information (bank & credit card details), passwords, calendars, and so on. Firefox OS is designed to protect against malicious apps that could steal, exploit, or destroy sensitive data.
Código de bloqueio e expiração das telas
Firefox OS allows users to set a passcode to their mobile phone so only those who supply the passcode can use the phone. Firefox OS also provides a timeout screen that is displayed after a configurable period of phone inactivity, requiring passcode authentication before resuming use of the phone.
As described earlier, apps are sandboxed at run time. This prevents apps from accessing data that belongs to other apps unless that data is explicitly shared, and the app has sufficient permissions to access it.
Web apps do not have direct read and write access to the file system. Instead, all access to storage occurs only through Web APIs. Web APIs read from, and write to, storage via a an intermediary SQLite database. There is no direct I/O access. Each app has its own data store, which is serialized to disk by the database.
When a user uninstalls an app, all of the data (cookies, localStorage, Indexeddb, and so on) associated with that application is deleted.
Firefox OS implements these principles by putting the control of the user data in the hands of the user, who gets to decide where this personal information goes. Firefox OS provides the following features:
- Do Not Track option
- ability to disable Firefox browser cookies
- ability to delete the Firefox OS browsing history