On Sat, Apr 11, 2015 at 12:15 AM, Alan Bell <alanb...@ubuntu.com> wrote:
> Hi all,
>
> there is a somewhat sparsely documented feature of webapps that allows you
> to specify --webappModelSearchPath=. as a parameter of webapp-container in
> the .desktop file and have a file called webapp-properties.json in the
> project. This can specify a script to be loaded into the webapp, which you
> can also put in the package or possibly on a remote server, an example of
> this can be found here http://bazaar.launchpad.net/~sil/+junk/seshat/files
>
> Now this got me thinking about all the awesome stuff I could do with this,
> I could write a webapp that wraps my online banking and paypal and then it
> scrapes the statements and offers to reconcile stuff against my Odoo server
> or something. Awesome. Someone else could do this too, and write a webapp
> that wraps a bank and does evil stuff, this would then instantly pass all
> the automated tests and be published in the store ready for people to start
> using. This is a bit of a worry. I did install the HSBC app when I got the
> phone, but I didn't run it until today when I figured out how to read the
> source (it is in /opt/click.ubuntu.com/hsbc.krysztau) however I fear that
> I am a bit of an outlier and most people will run a banking application
> without first reading the packaging source and checking for evil stuff.
>
> Perhaps it would be an idea to have a manual review process for webapps
> that insert stuff where the developer can't prove that they control the
> website in question.

Yep, definitely a good idea. Thanks Alan!

We have a set of checks for this script injection kit, from its desktop
beginnings. However, that should mostly flag common attack vectors. Checking
the identity of the author / publisher of an app still is a key factor in
deciding whether to trust it with your online credentials.

David
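A reviewer-side check in the spirit of what the thread discusses, added here as an example and not code from Ubuntu's store review tooling: it looks for the --webappModelSearchPath flag in the .desktop Exec line, then reports which scripts webapp-properties.json would inject and whether they run on sites outside the app's own homepage domain. The webapp-properties.json keys ("scripts", "includes", "homepage") and both sample files are assumptions constructed for this example.

```python
import json
import re
import shlex
from urllib.parse import urlparse

# Constructed sample package contents (not taken from any real click package).
DESKTOP_FILE = """[Desktop Entry]
Name=Example Bank
Exec=webapp-container --webappModelSearchPath=. %u
Type=Application
"""

# Assumed key layout for webapp-properties.json, used only for this example.
PROPERTIES_JSON = """{
  "name": "examplebank",
  "homepage": "https://www.examplebank.example/",
  "includes": ["https://*.examplebank.example/*", "https://www.paypal.example/*"],
  "scripts": ["inject.js", "https://cdn.attacker.example/extra.js"]
}"""


def desktop_uses_search_path(desktop_text):
    """True if an Exec= line runs webapp-container with --webappModelSearchPath."""
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            argv = shlex.split(line[len("Exec="):])
            if argv and argv[0] == "webapp-container" and any(
                    a.startswith("--webappModelSearchPath") for a in argv[1:]):
                return True
    return False


def registrable(host):
    """Last two labels of a host or wildcard pattern host.

    Simplification for the example: a real check would consult the public
    suffix list instead of assuming two labels."""
    return ".".join(host.lstrip("*.").split(".")[-2:])


def review_findings(desktop_text, properties_text):
    """Return the findings a store reviewer should look at, in order found."""
    findings = []
    if not desktop_uses_search_path(desktop_text):
        return findings  # no properties file is loaded, so nothing is injected
    props = json.loads(properties_text)
    scripts = props.get("scripts", [])
    if scripts:
        findings.append("injects %d user script(s)" % len(scripts))
    for script in scripts:
        if re.match(r"^https?://", script):  # remote code is not what was reviewed
            findings.append("remote script %s can change after review" % script)
    home = registrable(urlparse(props.get("homepage", "")).hostname or "")
    for pattern in props.get("includes", []):
        target = registrable(urlparse(pattern).hostname or "")
        if scripts and target != home:
            findings.append("scripts run on third-party site %s" % target)
    return findings
```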
--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp