App Isolation, Usacurity
Usability + Security = Usacurity
I’ve been thinking a lot about app isolation/sandboxing lately. I really haven’t seen any operating system get it right. Maybe OLPC’s Sugar comes closest. And since this is starting to become serious business for several projects near and dear to me (GNOME, Ubuntu, Firefox OS), I want to share my thoughts on this.
What concerns me is user interfaces like Google’s Play for Android. When you install an app you are presented with a list of permissions the app requires. But as anyone in computing knows: if you put a bullet point list with an OK button at the bottom between the user and the user’s desire, then that OK button is going to be clicked very fast.
Hawt New Wallpapers App
This app can:
- Access and control your webcam
- Read your address book
- Access your online accounts
- Modify your system settings
- Record audio
- Draw in the windows of other applications
- Prevent the device from entering standby
- Change your wallpaper
So there is a small “aware” subculture that actually reads these permissions. But only an extremely small subset of that subculture has the faintest idea what the permissions even mean!
At the heart of the problem is the fact that it’s actually an expert task to assess which app permissions are “OK”. Are the permissions for Hawt New Wallpapers App “OK”? (hint: no).
The operating system should take you by the hand here, to help you make this decision.
The Idea: A Guided Choice
So what can the friendly OS developer do about this? A great deal, I think. The OS has quite a bit of structured metadata about the app available to help here.
For instance, most application stores these days have some form of categorization of the content. An app can be a Game, and one of several specific sub-categories of Game: Puzzler, Platformer, etc. Most open source platforms use the XDG categories, which are quite rich in this regard.
Now, simply cross-reference the app category against a whitelisted set of permissions. A game that can play back audio and access the internet is probably not worth nagging the user about. However, a game that can access your webcam or your address book, or spawn daemons that keep running after the app has been shut down, should be considered out of the ordinary.
Based on this category/permission cross-reference the OS can compute a threat score, which could be shown to the user via green, yellow and red badges on the app, or something similar. And a threat score above some threshold X should probably simply be disallowed in the store altogether.
The threat score can be augmented in many ways; e.g. certain combinations of permissions can also be considered dangerous, like being able to access your webcam and having full access to the internet at the same time.
By default the UI need not show anything other than this threat level badge, with the option to expand an explanation of why the threat-o-meter wound up where you see it.
Hawt New Wallpapers App
<blink>☠ This app has outrageous permissions. Only install if you blindly trust the developer</blink>
There’s a Back Door!
Basing the threat score on the app categorization of course opens the door up to simply changing your app’s category from Game to SystemTool.
But this will cost the app developer about 99% of the install base if the app store’s user experience is in any way centered around the categories. So yes, there is a theoretical back door. But with some consideration in the store’s UI I believe you can protect 99% of the user base adequately.