An Anti-Virus Analyst's Day (or Hour) into Firefox OS
I had always wanted to look into Firefox OS. It’s done. I created my first application. What kind of application does a reverse engineer write as a first app? A CrackMe of course. You can try it: the sources are available here. But, honestly, it is really a very (very) simple CrackMe, as my real goal was to get acquainted with Firefox OS, and understand the possible risks in terms of malware.
We, anti-virus analysts, won’t need disassemblers or decompilers for Firefox OS malware
Web-based applications also mean a good opportunity for malware authors to use phishing: a minor modification in a web address, which redirects the victim to a malicious website instead of the real one. For example, imagine domain squatting of Facebook. If Facebook hosts its application at hxxp://facebook.firefox.os.application.com, then there is a chance malware authors will host their malware at hxxp://facebook.firefox.os.applications.com (have you spotted the difference?), and so on.
Beware infested icons
Oh? My neighbour has installed Accuweather…
As I said previously, everything is web-based. So, unless the communication is secured by HTTPS, all your actions end up in clear text in HTTP requests. For instance, anybody with access to a network sniffer will know which applications I installed. In the screenshot below, I installed Accuweather. The log shows I am retrieving the application’s manifest. I am surprised that Firefox OS does not require the use of a secure protocol for installations. Android authenticates communications with Google Play. Why not at least do the same? Why not take advantage of HTTPS? I was expecting more privacy from an OS which emanates from Mozilla :(
– the Crypto Girl
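
The two risks described above (a squatted hostname one character away from the real one, and a manifest retrieved over plain HTTP) can both be checked on the manifest URL before an application is installed or approved. The following is an added example, not code from the original post or from Firefox OS; the allow-list, the `vetManifestUrl` and `editDistance` names, and the distance threshold are assumptions made for illustration.

```javascript
// Added example: vet a manifest URL before an app is installed or approved.
// TRUSTED_HOSTS is a constructed allow-list; the hostname is the one used in the post.
const TRUSTED_HOSTS = ["facebook.firefox.os.application.com"];

// Levenshtein edit distance between two strings (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { verdict, reasons } for a manifest URL.
// verdict: "ok" | "warn" (plain HTTP or unknown host) | "block" (lookalike or bad URL).
function vetManifestUrl(rawUrl, trusted = TRUSTED_HOSTS, maxDistance = 2) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { verdict: "block", reasons: ["unparseable URL"] };
  }
  // Normalise case and a trailing root dot before comparing hostnames.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const reasons = [];
  let verdict = "ok";
  if (url.protocol !== "https:") {
    reasons.push("manifest fetched without HTTPS: visible to a network sniffer");
    verdict = "warn";
  }
  if (!trusted.includes(host)) {
    // A host that is close to, but not equal to, a trusted one is the squatting case.
    const near = trusted.find((t) => editDistance(host, t) <= maxDistance);
    if (near) {
      reasons.push(`host "${host}" is ${editDistance(host, near)} edit(s) from trusted "${near}"`);
      verdict = "block";
    } else {
      reasons.push(`host "${host}" is not on the allow-list`);
      verdict = "warn";
    }
  }
  return { verdict, reasons };
}
```

Edit distance only catches near-miss spellings; hosts that are merely unknown are reported as a warning so they can be reviewed by hand.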