Security concern: how to tell if an app is safe?
When installing an app from the Marketplace, I am concerned about security issues. The problem is particularly pressing on Firefox OS, in comparison to other OSes, because the lack of official apps (like WhatsApp) forces you to use unofficial ones as replacements. Is there any way to tell whether an app is (reasonably) safe?
For example, there are social/communication apps which ask you to access your Facebook/G+/mail/other account.
Other delicate apps are password generators. Are these intrinsically safe, or do you have to trust the producer? Which kinds of permissions can these apps legitimately require?
Does Mozilla certify or test the apps in the Marketplace in any way?
Modified by Enrico
User security is definitely a priority for Mozilla, and I understand your concerns. However, I don't know the specifics and I want to make sure that you get the most accurate information.
I reached out to the Marketplace team to find out more information about this. I will update this thread once I have more answers.
Here is the response from one of our App-Reviewer Leads on the Marketplace:
Hopefully someone else will jump in with a better answer, but in the meantime:
 https://developer.mozilla.org/en-US/Apps/Build/App_permissions - permissions listed as 'prompt' in the table.
Thanks Ralph, now the situation is clearer!
Checking every app submitted to the Marketplace is more than I expected. It must be a huge amount of work!
Unfortunately, as the App-Reviewer notes, this does not suffice to guarantee safety. Apps which do not require permissions or personal data are OK, but other apps are a more delicate matter.
Would it be possible for Mozilla to certify the publisher of the app? For example, guaranteeing that the name is truthful (e.g. Facebook is really Facebook) and that this publisher has a known president/headquarters which is liable in case of misconduct? Something like the 'verified name' in Google+.
At the moment, there are various publishers whose names suggest being a Mozilla associate, like Mozilla, Mozilla apps, The Gaia Team, Mozilla Online Limited, Mozilla Online Ltd… It's difficult for a user to understand which are genuine Mozilla units/partners and which are scams.
Thank you for your suggestion, and your concern is definitely understandable!
Can you provide some examples of applications with those various Mozilla names listed as developers? I will forward this to the Mozilla Marketplace team and voice this concern.
I have seen two different applications in the Marketplace - Notes and SUMO, but it would be very helpful to know of the other applications with diverse names listed as a Mozilla developer.
I would also like to mention that it's possible to become an app-reviewer contributor for Marketplace! More information below:
This is a (possibly incomplete) list:
- https://marketplace.firefox.com/app/blickammozilla?src=search
- https://marketplace.firefox.com/app/mozilla-help?src=search
- https://marketplace.firefox.com/app/pcsync?src=search
- https://marketplace.firefox.com/app/document-reader?src=search
- https://marketplace.firefox.com/app/notes?src=search
- https://marketplace.firefox.com/app/podcasts?src=search
- https://marketplace.firefox.com/app/around?src=search
- https://marketplace.firefox.com/app/firesea-irc?src=search
- https://marketplace.firefox.com/app/fxos-dashboard?src=search
- https://marketplace.firefox.com/app/wordpress?src=search
- https://marketplace.firefox.com/app/carrier-info?src=search
- https://marketplace.firefox.com/app/test-webapi-permissions-9?src=search
- https://marketplace.firefox.com/app/reloj-gradiente?src=search
- https://marketplace.firefox.com/app/rafflehat?src=search
- https://marketplace.firefox.com/app/calculator-2?src=search
- https://marketplace.firefox.com/app/lol-keyboard?src=search
- https://marketplace.firefox.com/app/calculator-20?src=search
I have no specific reason to distrust any of these apps, but I cannot tell whether they are genuine Mozilla apps either.
Thank you for your help, Enrico