Security/Reviews/APK Factory
Item Reviewed
APK Factory | |||||||||||||
Target |
2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%); |
ID | Summary | Priority | Status |
---|---|---|---|
896003 | [theme] Support for Synthetic APKs (Fennec / Android) | -- | RESOLVED |
936725 | [SecReview]: APK Factory | -- | RESOLVED |
2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);
" contains strip markers and therefore it cannot be parsed sufficiently.Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- https://wiki.mozilla.org/User:Clouserw/APKFactorynutshell: run apps on android natively
APK Builder web service
- Two key services:
- Given an Open Web App manifest (or packaged app), produce an Android .apk install file
- Given a list of web app manifests and version numbers, determine which apps are out of date
Status
- Working prototype - https://github.com/jhugman/synth-apks
- Proposed Architecture - https://www.lucidchart.com/documents/view/4262-9680-5285454a-bd0a-4a150a00de40
- rforbes diagram:
- Prereq: user has to allow install from other stores
- ( corner case - .apks uploaded into Google Play store)
- the apps are still web apps with a browser wrapper, this just allows them to be controled as individual processes and have the app name show up appropriatly
- Main concern is Android keys,keys are per-app. You can't update an app if you lose the key.
- Create Android apps for developers, so we need to create these keys and manage them.
- Dolphin does something similar, they still use their browser to run them.
- You must have Fennec installed, Android Intents are used to launch them
- We're creating private keys and storing them.
- We will tell developers that they can give us their private keys.
storage, management.
- Marketplace will have a UI for developers to update their keys.
- High risk, obvious benefits?
- Keys are per app, not per developer key across all your apps.
- http://developer.android.com/tools/publishing/app-signing.html
- Debug keys - reviewer, developer keys - for ad hoc builds of APKs
- APK Signer - Use solitude again.
- HSM can take many months...
- It's possble to sign multiple apps with the same key, to enable priviledged communication (SSO)
- Upload dev key -> V2
- Access will be locked down via the marketplace.
(IP Addresss OAuth...)
- Fennec implements mozApps.install -> talks to APK Factory in the demo
- Bundling on the fly can be a scaling detail...
??? confusion around the production plan for the service
What solutions/approaches were considered other than the proposed solution?
`
Why was this solution chosen?
- Allows apps to show up in process manager as themselves
- Allows for an install experience that users are familiar with
Any security threats already considered in the design and why?
`
Threat Brainstorming
- Are the developers uploading their private key for signing?
- Yes, moved to v2
- Is the Android and Fx app signature checked on install / launch?
- Yes both are checked
- HSMs to store the keys (like FxOS) - mainly if storing dev's own keys
- otherwise apps are also verified through a separate firefox os app signature (checked by code from firefox.apk/not the application's apk)
- Is it possible to physically separate the two use-cases? Keep the production infrastructure that does the (offline non-realtime) apk building for Marketplace separate from the public web service that developers really only use for testing? Limits attack surface of production infrastructure. Allows for much stricter separation of deployments.
- An exploit in the downloading, processing of a packaged app? Malformed zip file being extracted over a signed file?
- (AMO may have code or procedures to help here)
- Multiple filenames in the zip file.
- Property "SecReview feature goal" (as page type) with input value "* https://wiki.mozilla.org/User:Clouserw/APKFactorynutshell: run apps on android natively
APK Builder web service
- Two key services:
- Given an Open Web App manifest (or packaged app), produce an Android .apk install file
- Given a list of web app manifests and version numbers, determine which apps are out of date
Status
- Working prototype - https://github.com/jhugman/synth-apks
- Proposed Architecture - https://www.lucidchart.com/documents/view/4262-9680-5285454a-bd0a-4a150a00de40
- rforbes diagram:
- Prereq: user has to allow install from other stores
- ( corner case - .apks uploaded into Google Play store)
- the apps are still web apps with a browser wrapper, this just allows them to be controled as individual processes and have the app name show up appropriatly
- Main concern is Android keys,keys are per-app. You can't update an app if you lose the key.
- Create Android apps for developers, so we need to create these keys and manage them.
- Dolphin does something similar, they still use their browser to run them.
- You must have Fennec installed, Android Intents are used to launch them
- We're creating private keys and storing them.
- We will tell developers that they can give us their private keys.
storage, management.
- Marketplace will have a UI for developers to update their keys.
- High risk, obvious benefits?
- Keys are per app, not per developer key across all your apps.
- http://developer.android.com/tools/publishing/app-signing.html
- Debug keys - reviewer, developer keys - for ad hoc builds of APKs
- APK Signer - Use solitude again.
- HSM can take many months...
- It's possble to sign multiple apps with the same key, to enable priviledged communication (SSO)
- Upload dev key -> V2
- Access will be locked down via the marketplace.
(IP Addresss OAuth...)
- Fennec implements mozApps.install -> talks to APK Factory in the demo
- Bundling on the fly can be a scaling detail...
- Two key services:
- Property "SecReview solution chosen" (as page type) with input value "* Allows apps to show up in process manager as themselves
- Allows for an install experience that users are familiar with" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
- Property "SecReview threat brainstorming" (as page type) with input value "* Are the developers uploading their private key for signing?
- Yes, moved to v2
- Is the Android and Fx app signature checked on install / launch?
- Yes both are checked
- HSMs to store the keys (like FxOS) - mainly if storing dev's own keys
- otherwise apps are also verified through a separate firefox os app signature (checked by code from firefox.apk/not the application's apk)
- Is it possible to physically separate the two use-cases? Keep the production infrastructure that does the (offline non-realtime) apk building for Marketplace separate from the public web service that developers really only use for testing? Limits attack surface of production infrastructure. Allows for much stricter separation of deployments.
- An exploit in the downloading, processing of a packaged app? Malformed zip file being extracted over a signed file?
- (AMO may have code or procedures to help here)
- Multiple filenames in the zip file." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
Action Items
Action Item Status | None |
Release Target | ` |
Action Items | |
' |
Re-Review 2013.12.18 Items to be reviewed:
Introduce the Feature
APK Factory Service takes Open Web Apps (OWA) as inputs and gives Android native installers (APKs) as outputs. It synthesizes these android apps by mapping OWA convensions to the Android standards. It uses the Android SDK in a headless server env. The service manages a collection of Java Keystores with certs for signing .apk files. There are two flavors of production:
- There is a dev/reviewer deployment of the service.
- There is a live deployment of the service.
High level architecture: https://github.com/mozilla/apk-factory-service/blob/master/docs/ARCHITECTURE.md
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
If a user has installed Fennec, they can use the Mozilla Marketplace to install Open Web Apps. But what if we could provide a native wrapper? Then users would see no difference between OWA and "native" apps. Use cases: https://wiki.mozilla.org/User:Clouserw/APKFactory https://github.com/mozilla/apk-factory-service/blob/master/docs/ARCHITECTURE.md
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
Any security threats already considered in the design and why?
Threat Brainstorming
Python (M2Crypto) using the HSM (via openssl): https://github.com/mozilla/trunion/tree/master/trunion
Action Items
Who :: What :: By When