(bcc dev-gaia)

I have been discussing the security implications of remote debugging with a number of people and I wanted to throw the question out to a wider audience. Remote debugging allows access to read any data in an app and as such has implications for the scenario in which a user loses their phone.

Do we want to allow the remote debugger to connect to any app?

My proposal is that, for production devices, you should only be allowed to debug the apps you are developing. That is, the remote debugger will only connect to web apps and privileged apps pushed to the device via the simulator. It will _not_ connect to certified apps, or signed privileged apps installed from the store. The only exception to this I can think of is we probably support remote debugging of tabs within the browser app (and possibly bookmarked web pages opened by the system app).

For developer builds, the remote debugger would connect to any app.

Thoughts on this proposal?

- Paul
_______________________________________________ dev-b2g mailing list [email protected] https://lists.mozilla.org/listinfo/dev-b2g
