
Support Forum

Security concern: how to tell if an app is safe?


When installing apps from the Marketplace, I am concerned about security issues. The problem is particularly pressing on Firefox OS, in comparison to other OSes, because the lack of official apps (like Whatsapp) forces you to use unofficial ones as replacements. Is there any way to tell whether an app is (reasonably) safe?

For example, there are social/communication apps which ask you to access your Facebook/G+/mail/other account.

Other delicate apps are password generators. Are these intrinsically safe or do you have to trust the producer? Which kind of permissions can these apps legitimately require?

Does Mozilla certify or test the apps in the Marketplace in any way?


Modified by Enrico

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0


Ralph Daub
  • Locale Leader
158 solutions 1182 answers

Helpful Reply

Hi Enrico,

User Security is definitely a priority for Mozilla, and I understand your concerns. However, I don't know the specifics and I want to make sure that you get the most accurate information.

I reached out to the Marketplace team to find out more information about this. I will update this thread once I have more answers.

Thanks,

- Ralph

Ralph Daub

Helpful Reply

Hi Enrico,

Here is the response from one of our App-Reviewer Leads on the Marketplace:

Hi Ralph,

Hopefully someone else will jump in with a better answer, but in the meantime:

We test all apps that are submitted before they are publicly listed on Marketplace. Some apps that use more powerful permissions (privileged apps) we inspect the source code for also. So you can be reasonably sure the app works and isn't a complete scam. But, we can't guarantee that the app does what it says in its privacy policy with data submitted; and some apps are entirely hosted directly on servers so can change at any time after we review them. As for permissions, there is a list[1] but in summary permissions that access user data (geolocation, sdcard, contacts, camera+mic) you are prompted for on first use - they can be declined at that point (but the app may not function correctly).

[1] https://developer.mozilla.org/en-US/Apps/Build/App_permissions - permissions listed as 'prompt' in the table.
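The points in the reviewer's reply can be checked against an app's manifest before installing. The following is an added example, not part of the original thread or Mozilla's own tooling: it reads a Firefox OS `manifest.webapp` and reports the app type and which requested permissions fall in the prompted user-data group the reply lists. The mapping of that group to manifest permission names, the `auditManifest` helper and the sample manifest are assumptions made for illustration.

```javascript
// Added example. Assumption: manifest permission names for the user data
// the reply lists (geolocation, sdcard, contacts, camera+mic).
const PROMPTED_USER_DATA = new Set([
  "geolocation", "contacts", "camera", "audio-capture", "device-storage:sdcard",
]);

function auditManifest(manifestText) {
  const m = JSON.parse(manifestText);
  const type = m.type || "web"; // "web" is the default when "type" is absent
  const perms = m.permissions || {};
  const report = {
    name: m.name || "(unnamed)",
    developer: (m.developer && m.developer.name) || "(not stated)",
    type,
    // Per the reply: privileged apps also get a source-code inspection.
    sourceInspected: type === "privileged",
    // Assumption: a "web" app may be hosted, so its code can change after review.
    possiblyHosted: type === "web",
    promptedUserData: [],  // user is asked on first use and can decline
    otherPermissions: [],  // look these up in the App permissions list
    missingDescription: [], // no stated reason for the request
  };
  for (const p of Object.keys(perms)) {
    const bucket = PROMPTED_USER_DATA.has(p)
      ? report.promptedUserData : report.otherPermissions;
    bucket.push(p);
    const d = perms[p] && perms[p].description;
    if (typeof d !== "string" || d.trim() === "") report.missingDescription.push(p);
  }
  return report;
}

// Constructed sample: a password generator that asks for more than it needs.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Example Password Generator",
  developer: { name: "Example Publisher" },
  launch_path: "/index.html",
  permissions: {
    contacts: { description: "", access: "readonly" },
    geolocation: { description: "Find nearby users" },
    storage: { description: "Keep settings" },
  },
});

console.log(auditManifest(SAMPLE_MANIFEST));
```

A password generator has no evident need for contacts or location, so a report like this one is a reason to decline the prompts or skip the app.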


Question owner

Thanks Ralph, now the situation is clearer!

Checking every app submitted to the Marketplace is more than I expected. It must be a huge amount of work!

Unfortunately, as the App-Reviewer notes, this does not suffice to guarantee safety. Apps which do not require permissions or personal data are ok, but other apps are a more delicate matter.

Would it be possible for Mozilla to certify the publisher of the app? For example, guaranteeing that the name is truthful (e.g. Facebook is really Facebook) and that this publisher has a known president/headquarters which is liable in case of misconduct? Something like the 'verified name' in Google+.

At the moment, there are various publishers whose names suggest being a Mozilla associate, like Mozilla, Mozilla apps, The Gaia Team, Mozilla Online Limited, Mozilla Online Ltd… It's difficult for a user to understand which are genuine Mozilla units/partners and which are scams.

Ralph Daub

Hi Enrico,

Thank you for your suggestion, and your concern is definitely understandable!

Can you provide some examples of applications with those various Mozilla names listed as developers? I will forward this to the Mozilla Marketplace team and voice this concern.

I have seen two different applications in the Marketplace - Notes and SUMO, but it would be very helpful to know of the other applications with diverse names listed as a Mozilla developer.

I would also like to mention that it's possible to become an app-reviewer contributor for Marketplace! More information below:

  • https://blog.mozilla.org/apps/2013/05/20/become-a-marketplace-app-reviewer/

Thanks,

- Ralph

Question owner

Hi Ralph,

this is a (possibly incomplete) list:

  • https://marketplace.firefox.com/app/blickammozilla?src=search
  • https://marketplace.firefox.com/app/mozilla-help?src=search
  • https://marketplace.firefox.com/app/pcsync?src=search
  • https://marketplace.firefox.com/app/document-reader?src=search
  • https://marketplace.firefox.com/app/notes?src=search
  • https://marketplace.firefox.com/app/podcasts?src=search
  • https://marketplace.firefox.com/app/around?src=search
  • https://marketplace.firefox.com/app/firesea-irc?src=search
  • https://marketplace.firefox.com/app/fxos-dashboard?src=search
  • https://marketplace.firefox.com/app/wordpress?src=search
  • https://marketplace.firefox.com/app/carrier-info?src=search
  • https://marketplace.firefox.com/app/test-webapi-permissions-9?src=search
  • https://marketplace.firefox.com/app/reloj-gradiente?src=search
  • https://marketplace.firefox.com/app/rafflehat?src=search
  • https://marketplace.firefox.com/app/calculator-2?src=search
  • https://marketplace.firefox.com/app/lol-keyboard?src=search
  • https://marketplace.firefox.com/app/calculator-20?src=search

I have no specific reason to distrust any of these apps, but I cannot tell whether they are genuine Mozilla apps either.

Thank you for your help,

Enrico