Firefox OS Security: Part 1 – The Web Security Model

When presenting Firefox OS to people, security is a big topic. Can an operating system built on web technologies be secure? What has Mozilla built in to avoid drive-by downloads and malware? In this two-part video series, Christian Heilmann (@codepo8), principal evangelist of Mozilla, talks to Michael Coates (@_mwc), chair of the @OWASP Board, about all things security in Firefox OS.

Firefox OS was built on top of the technologies that power the Web. Following Mozilla’s security practices and knowledge from over 10 years of securing Firefox, Firefox OS is engineered as a multi-tiered system that protects users while delivering the power of the mobile web. The design ensures users are in control of their data and developers have APIs and technologies at their disposal to unlock the power of the Web.

Watch the following video, where we talk more about the security design and controls present in Firefox OS. In this, the first of two videos on Firefox OS security, we’ll cover items such as the multi-tiered architecture, the permission model, runtime decision making, protection of users’ data and the update model. You can watch the video on YouTube.


About Chris Heilmann

Evangelist for HTML5 and open web. Let's fix this!



14 comments

  1. b3tamax

    Thanks for this. I was worried about the security model whilst listening to Christian’s presentation in NYC a month ago. There seemed to be a vulnerability in installing applications over HTTP from DNS poisoning.

    November 14th, 2013 at 10:57

  2. Ivan Dejanovic

    I am glad to see security is receiving this much attention from Mozilla. As a developer it is critical that I keep my users safe and their data protected.

    I wanted to ask one question. I recently deployed a game to Firefox Marketplace. I developed a simple game as a way to get myself through the whole process of app development, hosting it on my site, enabling users to install it directly from my site and submitting the app to Marketplace. I deliberately developed it as a web app and not a Firefox OS app because I see no reason in stopping people from playing it in any browser with decent HTML5 support. On deploying the app to Marketplace, when beside Firefox OS as a target I chose desktop, tablet and Firefox on Android, I could not deploy my app as packaged but only as hosted.

    Firstly I see no reason for this. Why would somebody be denied from installing a packaged app on desktop or Android? But second and more important, once an app is deployed to Marketplace in this fashion, reviewed and approved, a developer with bad intent can then replace the app that was safe with an unsafe app.

    Probably this developer won’t be able to do any harm because hosted app can not get access to privileged api’s but it is still problematic in my opinion.

    Still, I am very happy with all the work you put so far in Firefox OS. I had a chance to play with a Firefox OS phone today for the first time and I was very impressed by what my colleague got for only 70 Euros. Just keep with good work.

    November 14th, 2013 at 13:16

    1. Bill Walker

      Ivan,

      Thanks for your comments! As for our packaged app support, we’re actively engaged in bringing packaged apps to Android and Desktop this quarter. The moment that support lands we’ll be pestering the Marketplace team to enable submission of packaged apps on those platforms.

      We have been thinking hard about update scenarios like the one you mentioned. The transition between packaged and hosted versions of the same app is troublesome on lots of levels, as you can see. I believe we don’t support it yet, until we get a better handle on what can go wrong.

      thanks again,
      -Bill

      November 14th, 2013 at 14:28

    2. Robert Nyman [Editor]

      On the topic of hosted apps and being able to update whenever they want to: we see that as a great strength and possibility for the developer. Then, naturally, it won’t have the same security clearance as a privileged app since it’s just the same as a web site, where we can’t control or guarantee the code. Therefore, see a hosted app as a web site, but being run in an app context.

      November 14th, 2013 at 14:54

  3. Łukasz Polowczyk

    Please check this: http://lukaszpolowczyk.blogspot.com/2013/10/partial-offline-web-applications.html

    November 14th, 2013 at 16:14

  4. Ivan Dejanovic

    Bill, Robert

    Thanks for your replies. I do see the point in hosted apps being great convenience for me as a developer. I probably expressed myself poorly because English is not my native language.

    Looking at the Firefox Marketplace I was not able to distinguish packaged apps from hosted apps. My impression until two days ago was that every app in Marketplace is packaged and checked. Maybe end users will make the same mistake as I did and think that everything they install from Marketplace is checked and safe.

    Again maybe my worries are completely unwarranted. I just was so impressed by my first try at a Firefox OS smartphone that I honestly want Firefox OS to be a huge success.

    Keep up with good work.

    November 15th, 2013 at 03:29

    1. Robert Nyman [Editor]

      Ivan,

      From my point of view, the user shouldn’t need to know if it’s a packaged or hosted app. Everything is checked and safe according to its security access on the device. If it’s hosted, it will have less security clearance than a packaged app, but neither of those should mean more or less risk than the other option.

      November 18th, 2013 at 03:09

  5. Luke

    Security is good, but what about root apps? What if I want to browse the raw data/sql an app is storing, from the phone? From what I understand reading that article there is no way to add something like Swype keyboard or Hacker-keyboard, which shouldn’t even require root, on Android.

    Considering how Firefox can have apps that do anything from read files/write files to help switch about:config options, shouldn’t there be that much power on the mobile extensions? How will Firefox ebook readers and similar apps be able to have shared files on sd card?

    November 16th, 2013 at 09:45

    1. Robert Nyman [Editor]

      On keyboards, there is a Keyboard API and we also covered possibilities here in the previous article Adding cursor swipe to the Firefox OS keyboard.

      On sharing files, to my knowledge, the DeviceStorage API would be the best approach for that.

      November 18th, 2013 at 03:12

  6. azerty

    I’m glad security is taken seriously when building FFOS. The model described seems really better than Android where indeed we just say yes to everything because we want to use the app.

    I was wondering if there would be any notification (in the top notification bar of FFOS) that the app is currently using the Camera. Even if the user has allowed the app to access it, it could be nice to remind him that the camera is currently used.

    It is currently the case on Firefox: for eg you allow a website to access your camera when Firefox asks “Do you allow … to access your camera” but then you still have a camera icon on the left of the address bar that reminds you you’re filmed. I think it’s a nice and non-obtrusive reminder and I’d love to see it integrated in FFOS. I think it’s already the case for GPS but I’m not sure about the camera.

    November 18th, 2013 at 06:06

    1. Robert Nyman [Editor]

      Thanks for the input. It’s definitely something to consider. At this point, from an app, the only way to trigger the camera is to use Web Activities and actually go into the camera app, with user consent. Then as soon as you’re done in there, you will leave the app and turn off the camera – i.e. it won’t be running in the background, and it will be clear that it’s active. In the future, though, it will definitely matter.

      November 19th, 2013 at 05:14

      1. azerty

        Ok, thanks for your reply.

        November 20th, 2013 at 11:31

  7. Jose Rodriguez

    Tomorrow I’ll be breaking in a ZTE Open with Firefox OS. Does anyone know if I will get updates to the OS directly from Mozilla?

    November 26th, 2013 at 21:58

    1. Robert Nyman [Editor]

      We are working to make that update process easier, but this is the documentation at the moment. And good luck with the new device!

      November 27th, 2013 at 02:13
