Oct 28, 2014

A First Look at Firefox OS Security

arXiv:1410.7754v1
9 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses security concerns for users and developers of HTML5-based mobile platforms, though it is incremental as it builds on existing mechanisms like Content Security Policy.

The paper tackles security vulnerabilities in Firefox OS by applying lightweight static analysis to detect missed flaws in privileged applications, finding examples of automatically detectable vulnerabilities and highlighting issues like certificate caching that degrade system security.

With Firefox OS, Mozilla is making a serious push for an HTML5-based mobile platform. In order to assuage security concerns over providing hardware access to web applications, Mozilla has introduced a number of mechanisms that make the security landscape of Firefox OS distinct from both the desktop web and other mobile operating systems. From an application security perspective, the two most significant of these mechanisms are the introduction of a default Content Security Policy and code review in the market. This paper describes how lightweight static analysis can augment these mechanisms to find vulnerabilities which have otherwise been missed. We provide examples of privileged applications in the market that contain vulnerabilities that can be automatically detected. In addition to these findings, we show some of the challenges that occur when desktop software is repurposed for a mobile operating system. In particular, we argue that the caching of certificate overrides across applications--a known problem in Firefox OS--generates a counter-intuitive user experience that detracts from the security of the system.

Code Implementations: 1 repo