Hi,
On 09/09/2014 15:00, Kartikaya Gupta wrote:
> On 8/9/2014, 5:20, Paul Theriault wrote:
>> The challenge we had when talking through this situation previously
>> was that its difficult to distinguish between the device's owner &
>> someone who has just found your phone, and wants to take advantage of
>> developer mode to compromise your phone and/or data.
>
> Thanks for pointing this out, as it is an important distinction that is
> the heart of the problem.
>
>> Cons:
>> - A user must set passcode at FTU (and remember it!), else they wont
>> be able to use this mode without a factory reset
>
Stéphanie
_______________________________________________
dev-b2g mailing list
dev...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
Hi Paul,
Nice work on the proposal! I would love to see us lower the barrier to hacking on Gaia, I have some feedback below.
BTW, I work on Gaia stuff for Cloud Services; this includes Firefox Accounts, Find My Device, and prototyping work for backup/restore (though it seems other people are working on this independently, too). I'm very happy to discuss user/device security and user identity any time. I'm usually in #gaia during Pacific business hours.
On Sep 9, 2014, at 5:16 AM, Jan Jongboom <janjo...@gmail.com> wrote:
> On Monday, September 8, 2014 11:20:02 AM UTC+2, Paul Theriault wrote:
>>
>> The challenge we had when talking through this situation previously was that its difficult to distinguish between the device's owner & someone who has just found your phone, and wants to take advantage of developer mode to compromise your phone and/or data.
Find My Device allows users to remotely lock or wipe a lost device. It shipped in 2.0.
It seems to me that FMD takes care of this particular threat (malicious person compromises lost device).
So, maybe the user doesn't need to prove device ownership before enabling certified debugging?
>>
>>
>>
>> My team has been working on a proposal to remedy this situation:
>>
>> - Introduce an "os-developer" mode
>>
>> - Provide a way in FTU to have the user choose a lockscreen pass code (not necessarily enabled, just chosen)
>>
>> - Add UI into developer settings to enable os-developer mode, which requires the user to enter their passcode
>>
>> - When enabled, this mode allows installing and debugging certified apps. When disabled, certified app installation & debugging is forbidden.
>>
>> - The user MUST set a lockscreen code during FTU for os-developer to be available. If they do not, os-developer mode is disabled, and can only be re-enabled through the process of a factory-reset then redoing FTU.
>>
>> - Note that the user do not have to ENABLE the lockscreen during FTU, they just have to at least choose a passcode. But encouraging users to set a passcode comes with its own benefits.
The "developer PIN" concept and UX seem quite complex.
What if we just add an "enable certified app debugging" checkbox to the developer menu?
The two goals in the linked google doc are (1) manage security risk from lost devices, see my FMD comments above; and (2) give users full access if they want to hack on Gaia. I think my counterproposal here enables (2) with a lot less work, and reduced barrier to user experimentation (no passcode, no need to factory reset if you didn't set a flag during FTU).
Cheers,
Jared
>>
>>
>>
>> Pros:
>>
>> - Allows a way to enable developing of certified apps & Gaia hacking on production, unrooted phones while protecting the user's data
>>
>>
>>
>> Cons:
>>
>> - A user must set passcode at FTU (and remember it!), else they wont be able to use this mode without a factory reset
>>
>> - In the past there has been pushback on having passcode selection in FTU
>>
>>
>>
>> There are a lot of other details and considerations, but I'll keep it short(er) for now to start discussion. Does anything think this is a useful change or is there a better way to enable certified app debugging, whilst protecting user data? If you are interested, there is a more detailed proposal here: [1]
>>
>>
>>
>> Thoughts & suggestions welcome.
>>
>>
>>
>> - Paul
>>
>>
>>
>> [1] https://docs.google.com/a/mozilla.com/document/d/11Q1_fj2nKciVyG2PdGH_LuiH09BhZJKzFjBuIcaHKqs/edit#
>
I am likely ignorant about the reasoning behind some of the security decisions made for our device, however I have been fustrated by them, in previous lives doing android and ios development I have found fxos fairly similiarly fustrating as ios between different areas, and android comparatively a huge amount easier.Its possible I am entirely off base and there are reasons we cant make life this easy, but at least having them explained would maybe help ease the fustration.With android development, I get my device (user build), enable the developer menu (it used to be tap a button 7 times, now its shake it I think), turn on debugging, when my phone connects to my computer I accept a prompt that says that computer is allowed to access my device, at that point I have unfetered access and adb continues to work no matter if my screen is switched off or restarted or is in various other states in which we lose adb access.
If my phone has a pin then the only way to get adb access is to get access to my device unlocked, at that point all bets are off which I think is entirely reasonable.
Even in development builds but particularly with user builds adb access to the device is extremely flakey and I routinely have to go into fastboot mode to reflash my entire device, like if I push a syntax error in the system app in a user build then adb will never be reenabled.
Having to do a factory reset, or as was mentioned in the google doc sign up to some firefox online account seems straight up developer hostile to me.
On 9 September 2014 15:53, Stéphanie Ouillon <stepho...@mozilla.com> wrote:
Hi,
On 09/09/2014 15:00, Kartikaya Gupta wrote:
> On 8/9/2014, 5:20, Paul Theriault wrote:
>> The challenge we had when talking through this situation previously
>> was that its difficult to distinguish between the device's owner &
>> someone who has just found your phone, and wants to take advantage of
>> developer mode to compromise your phone and/or data.
>
> Thanks for pointing this out, as it is an important distinction that is
> the heart of the problem.
>
>> Cons:
>> - A user must set passcode at FTU (and remember it!), else they wont
>> be able to use this mode without a factory reset
>
> When they do a factory reset, is there a mechanism available for them to
> backup and restore their data? (I admit I'm unfamiliar with what the
> average user would use for this - a quick search online seems to
> indicate you have to use adb to do this). If there is a mechanism, what
> prevents the "malicious person who just found your phone" from doing
> this data backup and stealing your data? Is this somehow a less-bad
> scenario than the malicious person being able to enable os-developer mode?
Definitely not, since what we want to achieve ultimately is protecting
the user's data. But I don't know the details of the possible solutions
for the backup and restore mechanism, so I'll let better informed people
answer this.
>
> I just worry that forcing a factory reset in this scenario is going to
> place a big barrier to allowing our users to organically grow from
> "users" to "webmaker". That is, they will find it much harder to learn
> and hack their phones in ways that we should be should be actively
> encouraging.
>
This 'os-developer' mode is meant for people who want to write and debug
certified apps. This factory reset scenario won't impact web app
developers (privileged, web). Are would-be Gaia developers the target
you're concerned about?
> Seeing as the heart of the problem is distinguishing the device owner
> and Mr. Malicious, perhaps we could ask for some piece of information
> the device owner is much more likely to have. The SIM PIN might be such
> a thing, or maybe some other unique identifier that comes with the phone
> but isn't physically present or accessible on the handset itself.
Since the SIM can be removed and replaced by the attacker's SIM, it
doesn't look like a right candidate. That's why we consider the device
PIN code instead.
The issue we're hitting is always the same: how to make sure it's the
actual owner of the device who is initializing _first_ the
authentication service (setting a PIN code, synchronizing to a backup
service, etc) while protecting the data. Hence the reset factory solution...
Stéphanie
_______________________________________________
dev-b2g mailing list
dev...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
On 10 Sep 2014, at 6:49 am, Jared Hirsch <6a...@mozilla.com> wrote:
> On Sep 9, 2014, at 1:31 PM, Jan Jongboom <janjo...@gmail.com> wrote:
>
>> Well you need to enforce PIN because otherwise everyone who finds your phone can grab all the data, or you should wipe it out whenever someone enables that menu but you don't want that either I'd say.
>
> Actually, I think we're fine here - I don't see how this differs from the threat mentioned already.
>
> If an attacker finds your phone, then presumably you have lost it. In that case, you can use FMD to lock or wipe it remotely.
If you actually set up FMD. If it has battery. If it has network connectivity etc.
>
> I'm specifically suggesting that we don't need the "developer PIN", but maybe you're referring to the lockscreen PIN? I definitely do think the users should have their lockscreen PIN enabled ^_^
Yeh I agree that is confusing in the doc - we talk about a developer pin code which is kept in sync with the lockscreen passcode. Overly complex i think. It should just BE the lockscreen passcode.
>
>>
>> On Tue, Sep 9, 2014 at 10:05 PM, Jared Hirsch <6a...@mozilla.com> wrote:
>> Hi Paul,
>>
>> Nice work on the proposal! I would love to see us lower the barrier to hacking on Gaia, I have some feedback below.
>>
>> BTW, I work on Gaia stuff for Cloud Services; this includes Firefox Accounts, Find My Device, and prototyping work for backup/restore (though it seems other people are working on this independently, too). I'm very happy to discuss user/device security and user identity any time. I'm usually in #gaia during Pacific business hours.
>>
>> On Sep 9, 2014, at 5:16 AM, Jan Jongboom <janjo...@gmail.com> wrote:
>>
>>> On Monday, September 8, 2014 11:20:02 AM UTC+2, Paul Theriault wrote:
>>>>
>>>> The challenge we had when talking through this situation previously was that its difficult to distinguish between the device's owner & someone who has just found your phone, and wants to take advantage of developer mode to compromise your phone and/or data.
>>
>> Find My Device allows users to remotely lock or wipe a lost device. It shipped in 2.0.
>>
>> It seems to me that FMD takes care of this particular threat (malicious person compromises lost device).
>>
>> So, maybe the user doesn't need to prove device ownership before enabling certified debugging?
>>
>>>>
>>>>
>>>>
>>>> My team has been working on a proposal to remedy this situation:
>>>>
>>>> - Introduce an "os-developer" mode
>>>>
>>>> - Provide a way in FTU to have the user choose a lockscreen pass code (not necessarily enabled, just chosen)
>>>>
>>>> - Add UI into developer settings to enable os-developer mode, which requires the user to enter their passcode
>>>>
>>>> - When enabled, this mode allows installing and debugging certified apps. When disabled, certified app installation & debugging is forbidden.
>>>>
>>>> - The user MUST set a lockscreen code during FTU for os-developer to be available. If they do not, os-developer mode is disabled, and can only be re-enabled through the process of a factory-reset then redoing FTU.
>>>>
>>>> - Note that the user do not have to ENABLE the lockscreen during FTU, they just have to at least choose a passcode. But encouraging users to set a passcode comes with its own benefits.
>>
>> The "developer PIN" concept and UX seem quite complex.
>>
>> What if we just add an "enable certified app debugging" checkbox to the developer menu?
>>
>> The two goals in the linked google doc are (1) manage security risk from lost devices, see my FMD comments above; and (2) give users full access if they want to hack on Gaia. I think my counterproposal here enables (2) with a lot less work, and reduced barrier to user experimentation (no passcode, no need to factory reset if you didn't set a flag during FTU).
>>
>> Cheers,
>>
>> Jared
>>
>>
>>>>
>>>>
>>>>
>>>> Pros:
>>>>
>>>> - Allows a way to enable developing of certified apps & Gaia hacking on production, unrooted phones while protecting the user's data
>>>>
>>>>
>>>>
>>>> Cons:
>>>>
>>>> - A user must set passcode at FTU (and remember it!), else they wont be able to use this mode without a factory reset
>>>>
>>>> - In the past there has been pushback on having passcode selection in FTU
>>>>
>>>>
>>>>
>>>> There are a lot of other details and considerations, but I'll keep it short(er) for now to start discussion. Does anything think this is a useful change or is there a better way to enable certified app debugging, whilst protecting user data? If you are interested, there is a more detailed proposal here: [1]
>>>>
>>>>
>>>>
>>>> Thoughts & suggestions welcome.
>>>>
>>>>
>>>>
>>>> - Paul
>>>>
>>>>
>>>>
>>>> [1] https://docs.google.com/a/mozilla.com/document/d/11Q1_fj2nKciVyG2PdGH_LuiH09BhZJKzFjBuIcaHKqs/edit#
>>>
Other options for user authentication I had been thinking about were:
- pairing the phone with the computer it is going to be plugged into - maybe via adb (maybe by use of 842747) or wifi (with upcoming wifi debugging)
- Ship phones with “developer NFC sticker” - basically an NFC tag which is proof of ownership (only works for NFC devices obviously)
- Pair the phone with a computer via bluetooth during FTU. Access to developer options later requires you to pair to the computer again