Mozilla’s Mobile Firefox OS Raises Security Questions

Firefox’s new Web-centric OS will let users run apps from the Web, raising concerns over how to stop malicious software.

Mobile security is a rising problem around the world.

Mozilla’s new Firefox OS for low-end smartphones—aimed initially at Eastern European and South American markets—will face challenges protecting users from the malicious mobile apps that are a growing problem around the world.

Web-based: Alcatel’s One Touch Fire, one of two announced models that will run the Firefox OS, displays a screen of apps.

Malicious apps have been known to creep into Apple’s and Google’s app stores even in the face of security screening. More problematic are unofficial Android marketplaces, where knockoffs of popular apps are among the malicious versions that crop up (see “Attacks on Android Devices Intensify”). In response, an industry is growing around mobile security companies like Lookout (see “How to Detect Apps Leaking Your Data”).

In the case of Mozilla, the issue is that it will not just make apps available through its traditional app store, called the Firefox Marketplace. In addition, the company will encourage developers to make apps that can be downloaded from the Web or run from a website. (While it is possible to download Android apps that are hosted independently, the practice is not very common.) The OS is based on a language called HTML5, which essentially makes Web applications work as well as desktop software. It allows websites viewed on mobile devices to act like apps that have been downloaded. Researchers have long been saying that this raises security concerns (see “New Web Standards Bring New Security Worries”).

It’s not clear how Mozilla will screen apps to eliminate those that could pose threats or privacy problems, says Janne Lindqvist, a mobile security researcher at the Winlab at Rutgers University. “How do you control the user privacy and security if you make it so flexible that with just some keyword search, you have lots of apps available? I can’t understand at this point at all what the security model will be,” he says. “Who controls what appears on your phone with the searches, and who controls what kind of information these suddenly appearing apps have?”

A Mozilla spokesperson says users “can expect all the security, privacy, customization, and user control Firefox has always delivered,” adding: “Designed to protect the user from malicious applications and content, Firefox OS also protects applications from each other.”

In one step aimed at securing downloaded apps, the company is requiring developers to package downloadable apps in a zip file that has been cryptographically signed by the store from which it originated, assuring that it has been reviewed. A spokesman adds that apps coming back from search are given only limited access to device programming interfaces and applications, unless the user grants permission for further access. While such steps show that Mozilla is clearly “thinking about the potential issues,” Lindqvist says, “it’s just not clear yet how the search and app-discovery security and privacy protections work.”

The OS overall is designed to work on lower-power, less-expensive phones for sale in developing countries. At the Mobile World Congress event in Barcelona this week, the company announced the first such handsets it would run on, including ZTE Open and Alcatel’s One Touch Fire. Mozilla said 17 carriers around the world—in Brazil, Colombia, Hungary, Mexico, Montenegro, Poland, Serbia, Spain, and Venezuela—will offer service, in some cases customizing the OS for their markets. Deutsche Telekom says the Alcatel One Touch Fire will be available in Poland this summer, and then in other Eastern European countries; Telefonica said the phone would launch in all its markets within the year. 

At Mobile World Congress, Jay Sullivan, Mozilla’s senior vice president for products, showed how searches bring up apps. When Sullivan searched for the movie Skyfall, the interface of the phone changed to show apps for movie-related services such as review sites and the ticket-buying site Fandango. “I didn’t go to an app store and say ‘What are the good movie apps?’” he said. “It delivered to me based on what I care about right now, and it’s a very powerful concept.”

How Firefox OS decides which of these Web apps to show will be important. A standard attack method with Android is to take a new app from a traditional marketplace, insert some malicious software, and replace it. In some cases, the new software can send out premium SMS messages that cost you money. Or malicious apps can propagate phishing attacks, distributing Web addresses to fraud sites. Sometimes apps leak personal data.

Web-based apps could be subject to the same types of attacks. But Tim Wyatt, a security researcher at Lookout, says it is too early to say whether the new approach will be worse overall for users. “It is challenging to assess all the controls that Mozilla has put in place,” he says. “HTML5 apps are fairly [new] for all concerned, and any platform that reaches critical adoption mass may become a target.”
