Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

Security concern: how to tell if an app is safe?

  • 5 replies
  • 3 have this problem
  • 2 views
  • Last reply by Enrico

Enrico
Enrico
more options

When installing app from the Marketplace, I am concerned about security issues. The problem is particularly pressing on Firefox OS, in comparison to other OS, because the lack of official apps (like Whatsapp) forces you to use unofficial ones as replacements. Is there any way to tell whether an app is (reasonably) safe?

For example, there are social/communication apps which ask you to access your Facebook/G+/mail/other account.

Other delicate apps are password generators. Are these intrinsically safe or you have to trust the producer? Which kind of permissions can these apps legitimately require?

Does Mozilla certificate or test the apps in the Marketplace in any way?

When installing app from the Marketplace, I am concerned about security issues. The problem is particularly pressing on Firefox OS, in comparison to other OS, because the lack of official apps (like Whatsapp) forces you to use unofficial ones as replacements. Is there any way to tell whether an app is (reasonably) safe? For example, there are social/communication apps which ask you to access your Facebook/G+/mail/other account. Other delicate apps are password generators. Are these intrinsically safe or you have to trust the producer? Which kind of permissions can these apps legitimately require? Does Mozilla certificate or test the apps in the Marketplace in any way?

Modified by Enrico

All Replies (5)

Ralph Daub
Ralph Daub
  • Locale Leader
more options

Hi Enrico,

User Security is definitely a priority for Mozilla, and I understand your concerns. However, I don't know the specifics and I want to make sure that you get the most accurate information.

I reached out to the Marketplace team to find out more information about this. I will update this thread once I have more answers.

Thanks,

- Ralph

Ralph Daub
Ralph Daub
  • Locale Leader
more options

Hi Enrico,

Here is the response from one of our App-Reviewer Leads on the Marketplace:

Hi Ralph,

Hopefully someone else will jump in with a better answer, but in the meantime:

We test all apps that are submitted before they are publicly listed on Marketplace. Some apps that use more powerful permissions (privileged apps) we inspect the source code for also. So you can be reasonably sure the apps works and isn't a complete scam. But, we can't guarantee that the app does what it says in its privacy policy with data submitted; and some apps are entirely hosted directly on servers so can change at any time after we review them. As for permissions, there is a list[1] but in summary permissions that access user data (geolocation, sdcard, contacts, camera+mic) you are prompted for on first use - they can be declined at that point (but the app may not function correctly).

[1] https://developer.mozilla.org/en-US/Apps/Build/App_permissions - permissions listed as 'prompt' in the table.

Enrico
Enrico Question owner
more options

Thanks Ralph, now the situation is clearer!

Checking every app submitted to the Marketplace is more than I expected. It must be a huge work!

Unfortunately, as the App-Review notice, this does not suffice to guarantee safety. Apps which do not require permissions or personal data are ok, but other apps are a more delicate matter.

Would it be possible, for Mozilla, to certify the publisher of the app? For example, guaranteeing that the name is truthful (eg: Facebook is really Facebook) and that this publisher has a known president/hedquarter which is liable in case of misconduct? Somethig like the 'verified name' in Google+.

At the moment, there are various publishers whose name suggests being Mozilla associate, like Mozilla, Mozilla apps, The Gaia Team, Mozilla Online Limited, Mozilla Online Ltd… It's difficult for a user to understand which are genuine Mozilla units/partners and which are scams.

Ralph Daub
Ralph Daub
  • Locale Leader
more options

Hi Enrico,

Thank you for your suggestion, and your concern is definitely understandable!

Can you provide some examples of applications with those various Mozilla names listed as developers? I will forward this to the Mozilla Marketplace team and voice this concern.

I have seen two different applications in the Marketplace - Notes and SUMO, but it would be very helpful to know of the other applications with diverse names listed as a Mozilla developer.

I would also like to mention that it's possible to become an app-reviewer contributor for Marketplace! More information below:

Thanks,

- Ralph

Enrico
Enrico Question owner
more options

Hi Ralph,

this is a (possibly incomplete) list:

https://marketplace.firefox.com/app/blickammozilla?src=search https://marketplace.firefox.com/app/mozilla-help?src=search https://marketplace.firefox.com/app/pcsync?src=search https://marketplace.firefox.com/app/document-reader?src=search https://marketplace.firefox.com/app/notes?src=search https://marketplace.firefox.com/app/podcasts?src=search https://marketplace.firefox.com/app/around?src=search https://marketplace.firefox.com/app/firesea-irc?src=search https://marketplace.firefox.com/app/fxos-dashboard?src=search https://marketplace.firefox.com/app/wordpress?src=search https://marketplace.firefox.com/app/carrier-info?src=search https://marketplace.firefox.com/app/test-webapi-permissions-9?src=search https://marketplace.firefox.com/app/reloj-gradiente?src=search https://marketplace.firefox.com/app/rafflehat?src=search https://marketplace.firefox.com/app/calculator-2?src=search https://marketplace.firefox.com/app/lol-keyboard?src=search https://marketplace.firefox.com/app/calculator-20?src=search

I have no specific reason to distrust any of these apps, but I cannot tell whether they are genuine Mozilla apps either.

Thank you for your help, Enrico