MIT Technology Review

Thursday, February 28, 2013

Mozilla’s Mobile Firefox OS Raises Security Questions

Firefox’s new Web-centric OS will let users run apps from the Web, raising concerns over how to stop malicious software.


Web-based: Alcatel’s One Touch Fire, one of two announced models that will run the Firefox OS, displays a screen of apps.

Mozilla’s new Firefox OS for low-end smartphones—aimed initially at Eastern European and South American markets—will face challenges protecting users from the malicious mobile apps that are a growing problem around the world.

Malicious apps have been known to creep into Apple’s and Google’s app stores even in the face of security screening. More problematic are unofficial Android marketplaces, where knockoffs of popular apps are among the malicious versions that crop up (see “Attacks on Android Devices Intensify”). In response, an industry is growing around mobile security companies like Lookout (see “How to Detect Apps Leaking Your Data”).

In the case of Mozilla, the issue is that it will not just make apps available through its traditional app store, called the Firefox Marketplace. In addition, the company will encourage developers to make apps that can be downloaded from the Web or run from a website. (While it is possible to download Android apps that are hosted independently, the practice is not very common.) The OS is based on a language called HTML5, which essentially makes Web applications work as well as desktop software. It allows websites viewed on mobile devices to act like apps that have been downloaded. Researchers have long been saying that this raises security concerns (see “New Web Standards Bring New Security Worries”).

It’s not clear how Mozilla will screen apps to eliminate those that could pose threats or privacy problems, says Janne Lindqvist, a mobile security researcher at the Winlab at Rutgers University. “How do you control the user privacy and security if you make it so flexible that with just some keyword search, you have lots of apps available? I can’t understand at this point at all what the security model will be,” he says. “Who controls what appears on your phone with the searches, and who controls what kind of information these suddenly appearing apps have?”

A Mozilla spokesperson says users “can expect all the security, privacy, customization, and user control Firefox has always delivered,” adding: “Designed to protect the user from malicious applications and content, Firefox OS also protects applications from each other.”

In one step aimed at securing downloaded apps, the company is requiring developers to package downloadable apps in a zip file that has been cryptographically signed by the store from which it originated, assuring that it has been reviewed. A spokesman adds that apps coming back from search are given only limited access to device programming interfaces and applications, unless the user grants permission for further access. While such steps show that Mozilla is clearly “thinking about the potential issues,” Lindqvist says, “it’s just not clear yet how the search and app-discovery security and privacy protections work.”

The OS overall is designed to work on lower-power, less-expensive phones for sale in developing countries. At the Mobile World Congress event in Barcelona this week, the company announced the first such handsets it would run on, including ZTE Open and Alcatel’s One Touch Fire. Mozilla said 17 carriers around the world—in Brazil, Colombia, Hungary, Mexico, Montenegro, Poland, Serbia, Spain, and Venezuela—will offer service, in some cases customizing the OS for their markets. Deutsche Telekom says the Alcatel One Touch Fire will be available in Poland this summer, and then in other Eastern European countries; Telefonica said the phone would launch in all its markets within the year. 

At Mobile World Congress, Jay Sullivan, Mozilla’s senior vice president for products, showed how searches bring up apps. When Sullivan searched for the movie Skyfall, the interface of the phone changed to show apps for movie-related services such as review sites and the ticket-buying site Fandango. “I didn’t go to an app store and say ‘What are the good movie apps?’” he said. “It delivered to me based on what I care about right now, and it’s a very powerful concept.”

How Firefox OS decides which of these Web apps to show will be important. A standard attack method with Android is to take a new app from a traditional marketplace, insert some malicious software, and replace it. In some cases, the new software can send out premium SMS messages that cost you money. Or malicious apps can propagate phishing attacks, distributing Web addresses to fraud sites. Sometimes apps leak personal data.

Web-based apps could be subject to the same types of attacks. But Tim Wyatt, a security researcher at Lookout, says it is too early to say whether the new approach will be worse overall for users. “It is challenging to assess all the controls that Mozilla has put in place,” he says. “HTML5 apps are fairly [new] for all concerned, and any platform that reaches critical adoption mass may become a target.”