On Mon, Apr 13, 2015 at 2:50 PM, Marc Deslauriers < marc.deslauri...@canonical.com> wrote:
> On 2015-04-10 06:15 PM, Alan Bell wrote:
> > Hi all,
> >
> > there is a somewhat sparsely documented feature of webapps that allows you to
> > specify --webappModelSearchPath=. as a parameter of webapp-container in the
> > .desktop file and have a file called webapp-properties.json in the project. This
> > can specify a script to be loaded into the webapp, which you can also put in the
> > package or possibly on a remote server, an example of this can be found here
> > http://bazaar.launchpad.net/~sil/+junk/seshat/files
> >
> > Now this got me thinking about all the awesome stuff I could do with this, I
> > could write a webapp that wraps my online banking and PayPal and then it scrapes
> > the statements and offers to reconcile stuff against my Odoo server or
> > something. Awesome. Someone else could do this too, and write a webapp that
> > wraps a bank and does evil stuff, this would then instantly pass all the
> > automated tests and be published in the store ready for people to start using.
> > This is a bit of a worry. I did install the HSBC app when I got the phone, but I
> > didn't run it until today when I figured out how to read the source (it is in
> > /opt/click.ubuntu.com/hsbc.krysztau) however I fear that I am a bit of an
> > outlier and most people will run a banking application without first reading the
> > packaging source and checking for evil stuff.
> >
> > Perhaps it would be an idea to have a manual review process for webapps that
> > insert stuff where the developer can't prove that they control the website in
> > question.
>
> There's absolutely nothing preventing a developer from doing whatever they want
> in their app, including malicious stuff. Even if we were to limit what the
> webapp binary allows, a developer can simply bundle their own, or simply write
> an app that pretends to be the actual website.
>
> When you download something from the store, you are trusting the developer of
> that app, it's as simple as that.

Exactly, ... in this context, the listed "extra measures" are not stoppers, but do help to mitigate the issue,
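As an added example (not code from the thread, nor from webapp-container or the store's own review tooling), a Python check of the kind a store reviewer could run over a click package: it reads the .desktop Exec line for --webappModelSearchPath, lists the scripts webapp-properties.json would inject into the wrapped site, and tags each as bundled or remote so the "does the developer control this site" question can be asked. The sample files are constructed, and the "includes" key name is an assumption.

```python
import configparser
import json
from urllib.parse import urlparse

# Constructed sample inputs, not taken from any real click package: a .desktop
# file that enables the model search path, and a webapp-properties.json that
# injects one bundled script and one fetched from a third-party server.
SAMPLE_DESKTOP = """[Desktop Entry]
Name=Example Bank
Exec=webapp-container --webappModelSearchPath=. https://www.example-bank.invalid
Type=Application
"""

SAMPLE_PROPERTIES = json.dumps({
    "name": "Example Bank",
    "domain": "example-bank.invalid",
    # "includes" is assumed to be the key that lists injected scripts.
    "includes": ["inject.js", "https://cdn.third-party.invalid/hook.js"],
})


def injected_scripts(desktop_text, properties_text):
    """Return [(script, 'local'|'remote'), ...] for scripts the webapp would
    load into the wrapped site, or [] when --webappModelSearchPath is absent,
    since the thread describes that flag as what makes the file take effect."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(desktop_text)
    exec_args = cfg["Desktop Entry"].get("Exec", "").split()
    if not any(a.startswith("--webappModelSearchPath") for a in exec_args):
        return []
    props = json.loads(properties_text)
    findings = []
    for script in props.get("includes", []):  # assumed key name
        scheme = urlparse(script).scheme
        kind = "remote" if scheme in ("http", "https") else "local"
        findings.append((script, kind))
    return findings


def needs_manual_review(findings):
    """True when any script is injected: the reviewer should then confirm the
    developer controls the wrapped site, as the thread proposes."""
    return len(findings) > 0


if __name__ == "__main__":
    found = injected_scripts(SAMPLE_DESKTOP, SAMPLE_PROPERTIES)
    for script, kind in found:
        print(f"{kind:6} {script}")
    print("manual review needed:", needs_manual_review(found))
```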
--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp