Please fill in the "Overview" section of the proposal template.
To unsubscribe from this group and stop receiving emails from it, send an email to apps-dev+u...@chromium.org.
I'm just curious, but why is this kiosk only? It seems like something that would be useful for Chrome apps generally, with the appropriate permissions model.
Why Chrome only? I understand that you've namespaced it under chrome.fileSystem, but the model could easily extend to the larger web, again, with the right permissions. It looks like it could fit well with the web FileSystem APIs. (We've done just that for Cordova, to access device removable storage from hybrid apps).
Is it just to be able to implement this quickly, in a small sandbox, or is the intention that this API is always and forever just for Chrome kiosk apps?
Can't chrome.mediaGalleries be used to get access to all external
media automatically? Why does there need to be an additional API?
>> email to apps-dev+unsubscribe@chromium.org.
>
> To unsubscribe from this group and stop receiving emails from it, send an
> email to apps-dev+unsubscribe@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to apps-dev+u...@chromium.org.
On Thu, Jan 8, 2015 at 3:56 PM, 'Tomasz Mikolajewski' via Security
Enamel <securit...@chromium.org> wrote:
> We *will* have an install warning clearly saying that the kiosk app will
> have an unlimited access to all connected removable devices. It's mentioned
> in the doc.
You're asking users to make a critical decision at a time when they
have no context and no way to understand, viscerally, the value
proposition and risk.
Thinking that way inevitably leads to:
> If it's not enough, we could think about adding a light confirmation dialog.
No, usable security is not about carefully tuning annoyance factors.
It's about empowering people to make relevant and informed decisions
about who or what to trust, and how much, and when.
> The second solution adds quite a lot of complexity to the API
> implementation, so if a simple install warning is fine, then I'd prefer to
> just go with it instead.
Experience with Android shows that granting permanent ambient
authority at a time when the user doesn't understand the grant is a
non-starter, and a great way to damage a product's reputation.
So, what it is that makes kiosk mode incompatible with choosers?
Forgive my ignorance; I don't have much experience with kiosk mode.
(I.e. I tried it out for the first time for 1 minute just now. :) )
On 10 January 2015 at 08:30, Chris Palmer <pal...@google.com> wrote:On Thu, Jan 8, 2015 at 3:56 PM, 'Tomasz Mikolajewski' via Security
Enamel <securit...@chromium.org> wrote:
> We *will* have an install warning clearly saying that the kiosk app will
> have an unlimited access to all connected removable devices. It's mentioned
> in the doc.
You're asking users to make a critical decision at a time when they
have no context and no way to understand, viscerally, the value
proposition and risk.
Thinking that way inevitably leads to:
> If it's not enough, we could think about adding a light confirmation dialog.
No, usable security is not about carefully tuning annoyance factors.
It's about empowering people to make relevant and informed decisions
about who or what to trust, and how much, and when.What's wrong with a confirmation dialog? It clearly asks the user whether he wants to grant access to the extension which is running once the extension requests it. Isn't it a well informed decision? Is your concern about persistency? We already allow that with chrome.filesystem.retainEntry, but only for entries, not file systems. Also, it's not really pesistent, as user can always unplug the usb drive to revoke the granted permission.
> The second solution adds quite a lot of complexity to the API
> implementation, so if a simple install warning is fine, then I'd prefer to
> just go with it instead.
Experience with Android shows that granting permanent ambient
authority at a time when the user doesn't understand the grant is a
non-starter, and a great way to damage a product's reputation.
So, what it is that makes kiosk mode incompatible with choosers?
Forgive my ignorance; I don't have much experience with kiosk mode.
(I.e. I tried it out for the first time for 1 minute just now. :) )
Some examples which do not work well with choosers:1. Kiosk apps showing movies from the kiosk's usb hard disk.
2. Picture printing booths (famous in Japan). Inserting a device is already a user action. Asking user to additionally choose the device from a list is an overkill from the user perspective.
Asking a user to choose a device from a list may be very confusing for an average user, as USB drive names are confusing. For MTP it's easier as we can show the Device model name. Still my mom doesn't know what's her phone's model number, so she wouldn't know what to choose in the chooser dialog. That's why instead of a choose I'd rather go with a confirmation dialog.
One more important thing is that kiosks may not have any user input device. In such case both - choosers and confirmation dialogs will not work out.
To my understanding (and I'm happy to be corrected here), kiosk mode is a part of the manifest that an app developer gets to write. Thus, we should assume that all malicious apps that are created will turn it on if it provides magical powers that they can't otherwise get.Since filesystems and devices are otherwise extremely carefully guarded by our APIs, this is precisely the kind of additional power that a malicious app is likely to want to get access to. So not having a chooser for devices and/or filesystems is a non-starter.
On Fri Jan 09 2015 at 6:28:49 PM Tomasz Mikolajewski <mto...@chromium.org> wrote:On 10 January 2015 at 08:30, Chris Palmer <pal...@google.com> wrote:On Thu, Jan 8, 2015 at 3:56 PM, 'Tomasz Mikolajewski' via Security
Enamel <securit...@chromium.org> wrote:
> We *will* have an install warning clearly saying that the kiosk app will
> have an unlimited access to all connected removable devices. It's mentioned
> in the doc.
You're asking users to make a critical decision at a time when they
have no context and no way to understand, viscerally, the value
proposition and risk.
Thinking that way inevitably leads to:
> If it's not enough, we could think about adding a light confirmation dialog.
No, usable security is not about carefully tuning annoyance factors.
It's about empowering people to make relevant and informed decisions
about who or what to trust, and how much, and when.What's wrong with a confirmation dialog? It clearly asks the user whether he wants to grant access to the extension which is running once the extension requests it. Isn't it a well informed decision? Is your concern about persistency? We already allow that with chrome.filesystem.retainEntry, but only for entries, not file systems. Also, it's not really pesistent, as user can always unplug the usb drive to revoke the granted permission.I guess I don't really know what you mean by a confirmation dialog. Can you explain precisely what you mean, because you're initial description sounds a lot like an install prompt which, as palmer@ said, is no good.
ÂÂ
> The second solution adds quite a lot of complexity to the API
> implementation, so if a simple install warning is fine, then I'd prefer to
> just go with it instead.
Experience with Android shows that granting permanent ambient
authority at a time when the user doesn't understand the grant is a
non-starter, and a great way to damage a product's reputation.
So, what it is that makes kiosk mode incompatible with choosers?
Forgive my ignorance; I don't have much experience with kiosk mode.
(I.e. I tried it out for the first time for 1 minute just now. :) )
Some examples which do not work well with choosers:1. Kiosk apps showing movies from the kiosk's usb hard disk.I don't understand why this wouldn't work with a chooser.
2. Picture printing booths (famous in Japan). Inserting a device is already a user action. Asking user to additionally choose the device from a list is an overkill from the user perspective.I disagree with your statement that it's overkill, especially if we grant the chooser the usual filesystem type of chooser where the user can grant permission to only a subset of the filesystem.
Asking a user to choose a device from a list may be very confusing for an average user, as USB drive names are confusing. For MTP it's easier as we can show the Device model name. Still my mom doesn't know what's her phone's model number, so she wouldn't know what to choose in the chooser dialog. That's why instead of a choose I'd rather go with a confirmation dialog.We can abstract that away in other ways by calling it things like "USB 1", "USB 2", etc. Admittedly, that's a terrible set of example names, but I haven't thought too hard about it :-)
One more important thing is that kiosks may not have any user input device. In such case both - choosers and confirmation dialogs will not work out.I agree that's problematic (although I've personally never seen a kiosk that has *no* user input, even a touch screen), but again, since kiosk mode is something apps can turn on at a whim, that's unfortunately going to have to be a the case.
Let me be very explicit here about what our (the security team's) conditions are:
- Having an install warning/prompt is not an acceptable solution. They are ineffective in general, and it will cause great user surprise to all of a sudden have a file system API that they don't give permission to (but is granted automatically). We should all act as if users never read the install prompts because all evidence points to that being the case.
- A run-time chooser solution is the only security team approved mechanism for files, folders, or filesystem access in Chrome.
I think this discussion is getting too detailed and we need to back up a bit and discuss a more general topic. I've started a new thread to discuss the security model of kiosk mode.
On Sun Jan 11 2015 at 5:36:39 PM Tomasz Mikolajewski <mto...@chromium.org> wrote:On 11 January 2015 at 14:28, Joel Weinberger <j...@chromium.org> wrote:To my understanding (and I'm happy to be corrected here), kiosk mode is a part of the manifest that an app developer gets to write. Thus, we should assume that all malicious apps that are created will turn it on if it provides magical powers that they can't otherwise get.Since filesystems and devices are otherwise extremely carefully guarded by our APIs, this is precisely the kind of additional power that a malicious app is likely to want to get access to. So not having a chooser for devices and/or filesystems is a non-starter.I agree, however don't forget that this access would be given to kiosk apps which are executed in *kiosk session* only. Apps running normally from the launcher, wouldn't get that access even if they are marked as "kiosk_enabled" in the manifest. It is not easy to run apps in kiosk session, and actually I don't see much reason for normal users to use the kiosk session.
ÂOn Fri Jan 09 2015 at 6:28:49 PM Tomasz Mikolajewski <mto...@chromium.org> wrote:On 10 January 2015 at 08:30, Chris Palmer <pal...@google.com> wrote:On Thu, Jan 8, 2015 at 3:56 PM, 'Tomasz Mikolajewski' via Security
Enamel <securit...@chromium.org> wrote:
> We *will* have an install warning clearly saying that the kiosk app will
> have an unlimited access to all connected removable devices. It's mentioned
> in the doc.
You're asking users to make a critical decision at a time when they
have no context and no way to understand, viscerally, the value
proposition and risk.
Thinking that way inevitably leads to:
> If it's not enough, we could think about adding a light confirmation dialog.
No, usable security is not about carefully tuning annoyance factors.
It's about empowering people to make relevant and informed decisions
about who or what to trust, and how much, and when.What's wrong with a confirmation dialog? It clearly asks the user whether he wants to grant access to the extension which is running once the extension requests it. Isn't it a well informed decision? Is your concern about persistency? We already allow that with chrome.filesystem.retainEntry, but only for entries, not file systems. Also, it's not really pesistent, as user can always unplug the usb drive to revoke the granted permission.I guess I don't really know what you mean by a confirmation dialog. Can you explain precisely what you mean, because you're initial description sounds a lot like an install prompt which, as palmer@ said, is no good.As I said before, it would be a confirmation dialog shown when access to a file system is requested, so it's a runtime confirmation dialog. Kiosk apps could enumerate file systems, but to acquire access to it, a confirmation dialog would be shown to a user. This looks better to me, as we wouldn't ask people to choose between "USB 1" vs"USB 2" or in the best case "Kingston 8GB" vs "Sandisk 4GB" but simply ask "Can this app access the inserted device Sandisk 4GB? Yes, No" or sth like that.
ÂÂÂ
> The second solution adds quite a lot of complexity to the API
> implementation, so if a simple install warning is fine, then I'd prefer to
> just go with it instead.
Experience with Android shows that granting permanent ambient
authority at a time when the user doesn't understand the grant is a
non-starter, and a great way to damage a product's reputation.
So, what it is that makes kiosk mode incompatible with choosers?
Forgive my ignorance; I don't have much experience with kiosk mode.
(I.e. I tried it out for the first time for 1 minute just now. :) )
Some examples which do not work well with choosers:1. Kiosk apps showing movies from the kiosk's usb hard disk.I don't understand why this wouldn't work with a chooser.It's a Kiosk usb hard disk hidden in the kiosk cover. Users who come to a kiosk device, will be asked to choose an internal HDD containing movies, while they didn't insert any device. Which one should they choose if there are multiple ones, and only one is correct?
Â2. Picture printing booths (famous in Japan). Inserting a device is already a user action. Asking user to additionally choose the device from a list is an overkill from the user perspective.I disagree with your statement that it's overkill, especially if we grant the chooser the usual filesystem type of chooser where the user can grant permission to only a subset of the filesystem.In kiosks, there is only one running app. I bet users expect that inserting a USB device to the kiosk device will grant the access to it. Let me ask the other way. Why would user do not want to grant the permission to an inserted device to a kiosk device? I can't think of any scenario. So we'd show a chooser for no reason, as all users will grant the permission to the inserted device. Otherwise, they wouldn't insert it. Hence, I think it's an overkill.
Asking a user to choose a device from a list may be very confusing for an average user, as USB drive names are confusing. For MTP it's easier as we can show the Device model name. Still my mom doesn't know what's her phone's model number, so she wouldn't know what to choose in the chooser dialog. That's why instead of a choose I'd rather go with a confirmation dialog.We can abstract that away in other ways by calling it things like "USB 1", "USB 2", etc. Admittedly, that's a terrible set of example names, but I haven't thought too hard about it :-)Really, I don't think this would work out. My mom will be asked to choose from "Sandisk 4GB", "Kingston 8GB" and "Kingston 4GB" or even more strange items. I'm sure she will be very troubled to guess which one is her device. This is indeed secure from the security point of view, but it's a bummer from user experience point of view. We need to find some solution satisfying both.
ÂOne more important thing is that kiosks may not have any user input device. In such case both - choosers and confirmation dialogs will not work out.I agree that's problematic (although I've personally never seen a kiosk that has *no* user input, even a touch screen), but again, since kiosk mode is something apps can turn on at a whim, that's unfortunately going to have to be a the case.I'm not sure if I understand here, but apps can't run themselves in kiosk session. Kiosk configuration is necessary. Adding "kiosk_enabled" in the manifest, doesn't mean that the app will get the extra permission to file systems when running from the launcher. They will not.
ÂLet me be very explicit here about what our (the security team's) conditions are:
- Having an install warning/prompt is not an acceptable solution. They are ineffective in general, and it will cause great user surprise to all of a sudden have a file system API that they don't give permission to (but is granted automatically). We should all act as if users never read the install prompts because all evidence points to that being the case.
Fair enough.Â
- A run-time chooser solution is the only security team approved mechanism for files, folders, or filesystem access in Chrome.
How about the runtime confirmation dialog?Also, how about the usb hdd disk in the kiosk device (as mentioned above)? If a chooser is the only approved mechanism, then it's a bummer. How about certificates for kiosk internal USB HDDs? We could create a mechanism which would bypass the chooser/confirmation dialog for devices which have the certificate file on it. Kiosk manufacturers could generate and put such certificate on the internal USB HDD used by the kiosk app.ÂLast idea I have is to use a chooser or a runtime confirmation dialog but allow to bypass it using the enterprise policy. Then the device owner could disable the chooser.