Mozilla’s Mobile Firefox OS Raises Security Questions

Firefox’s new Web-centric OS will let users run apps from the Web, raising concerns over how to stop malicious software.
February 28, 2013

Mozilla’s new Firefox OS for low-end smartphones—aimed initially at Eastern European and South American markets—will face challenges protecting users from the malicious mobile apps that are a growing problem around the world.

Web-based: Alcatel’s One Touch Fire, one of two announced models that will run the Firefox OS, displays a screen of apps.

Malicious apps have been known to creep into Apple’s and Google’s app stores even in the face of security screening. More problematic are unofficial Android marketplaces, where knockoffs of popular apps are among the malicious versions that crop up (see “Attacks on Android Devices Intensify”). In response, an industry is growing around mobile security companies like Lookout (see “How to Detect Apps Leaking Your Data”).

In the case of Mozilla, the issue is that it will not just make apps available through its traditional app store, called the Firefox Marketplace. In addition, the company will encourage developers to make apps that can be downloaded from the Web or run from a website. (While it is possible to download Android apps that are hosted independently, the practice is not very common.) The OS is based on a language called HTML5, which essentially makes Web applications work as well as desktop software. It allows websites viewed on mobile devices to act like apps that have been downloaded. Researchers have long been saying that this raises security concerns (see “New Web Standards Bring New Security Worries”).

It’s not clear how Mozilla will screen apps to eliminate those that could pose threats or privacy problems, says Janne Lindqvist, a mobile security researcher at the Winlab at Rutgers University. “How do you control the user privacy and security if you make it so flexible that with just some keyword search, you have lots of apps available? I can’t understand at this point at all what the security model will be,” he says. “Who controls what appears on your phone with the searches, and who controls what kind of information these suddenly appearing apps have?”

A Mozilla spokesperson says users “can expect all the security, privacy, customization, and user control Firefox has always delivered,” adding: “Designed to protect the user from malicious applications and content, Firefox OS also protects applications from each other.”

In one step aimed at securing downloaded apps, the company is requiring developers to package downloadable apps in a zip file that has been cryptographically signed by the store from which it originated, assuring that it has been reviewed. A spokesman adds that apps coming back from search are given only limited access to device programming interfaces and applications, unless the user grants permission for further access. While such steps show that Mozilla is clearly “thinking about the potential issues,” Lindqvist says, “it’s just not clear yet how the search and app-discovery security and privacy protections work.”

The OS overall is designed to work on lower-power, less-expensive phones for sale in developing countries. At the Mobile World Congress event in Barcelona this week, the company announced the first such handsets it would run on, including ZTE Open and Alcatel’s One Touch Fire. Mozilla said 17 carriers around the world—in Brazil, Colombia, Hungary, Mexico, Montenegro, Poland, Serbia, Spain, and Venezuela—will offer service, in some cases customizing the OS for their markets. Deutsche Telekom says the Alcatel One Touch Fire will be available in Poland this summer, and then in other Eastern European countries; Telefonica said the phone would launch in all its markets within the year. 

At Mobile World Congress, Jay Sullivan, Mozilla’s senior vice president for products, showed how searches bring up apps. When Sullivan searched for the movie Skyfall, the interface of the phone changed to show apps for movie-related services such as review sites and the ticket-buying site Fandango. “I didn’t go to an app store and say ‘What are the good movie apps?’” he said. “It delivered to me based on what I care about right now, and it’s a very powerful concept.”

How Firefox OS decides which of these Web apps to show will be important. A standard attack method with Android is to take a new app from a traditional marketplace, insert some malicious software, and replace it. In some cases, the new software can send out premium SMS messages that cost you money. Or malicious apps can propagate phishing attacks, distributing Web addresses to fraud sites. Sometimes apps leak personal data.

Web-based apps could be subject to the same types of attacks. But Tim Wyatt, a security researcher at Lookout, says it is too early to say whether the new approach will be worse overall for users. “It is challenging to assess all the controls that Mozilla has put in place,” he says. “HTML5 apps are fairly [new] for all concerned, and any platform that reaches critical adoption mass may become a target.”
