A First Look at Firefox OS Security
With Firefox OS, Mozilla is making a serious push for an HTML5-based mobile platform. In order to assuage security concerns over providing hardware access to web applications, Mozilla has introduced a number of mechanisms that make the security landscape of Firefox OS distinct from both the desktop web and other mobile operating systems. From an application security perspective, the two most significant of these mechanisms are the introduction of a default Content Security Policy and code review in the market. This paper describes how lightweight static analysis can augment these mechanisms to find vulnerabilities which have otherwise been missed. We provide examples of privileged applications in the market that contain vulnerabilities that can be automatically detected. In addition to these findings, we show some of the challenges that occur when desktop software is repurposed for a mobile operating system. In particular, we argue that the caching of certificate overrides across applications–a known problem in Firefox OS–generates a counter-intuitive user experience that detracts from the security of the system.
💡 Research Summary
The paper “A First Look at Firefox OS Security” provides a systematic examination of the security posture of Mozilla’s Firefox OS, a mobile platform built entirely on web technologies (HTML5, CSS, JavaScript). The authors focus on two primary defensive mechanisms that Mozilla has put in place for privileged applications: a default Content Security Policy (CSP) that is automatically applied at market submission, and a manual code‑review process conducted before an app is accepted into the official Firefox Marketplace.
Through empirical analysis of the market as of early 2014 (approximately 3,000 apps, of which 570 are privileged), the authors demonstrate that these mechanisms are insufficient to prevent a range of common but serious vulnerabilities. The most prevalent issue is HTML injection. While CSP blocks inline scripts, eval‑style constructs, and third‑party script sources, it does not restrict DOM APIs that interpret strings as markup, notably innerHTML and outerHTML. The study finds numerous privileged apps that directly assign user‑controlled data to innerHTML, creating a classic cross‑site scripting (XSS) vector that bypasses CSP.
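The sink the summary describes, shown as an added example that is not code from the paper or from any Marketplace app: the same list item rendered through a markup string once with raw data and once with the data escaped first. The untrusted input, the helper names and the `escapeHtml` function are all constructed for illustration; the tag-listing helper stands in for a DOM so the file runs under Node.

```javascript
// Added example (not the paper's code). A default CSP blocks inline and
// remote scripts, but it has no say over what an already-allowed script hands
// to innerHTML; the only defence is not to let untrusted text reach the HTML
// parser as markup.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern the paper reports: user-controlled data concatenated into
// markup that is then assigned to innerHTML. The script itself is legitimate,
// so CSP does not intervene; only the string it builds is attacker-shaped.
function renderContactUnsafe(name) {
  return '<li class="contact">' + name + "</li>";
}

// Hardened variant: the data is escaped before it reaches the markup sink, so
// the parser only ever sees it as text.
function renderContactSafe(name) {
  return '<li class="contact">' + escapeHtml(name) + "</li>";
}

// Lists the distinct tag names the HTML parser would see in a fragment. The
// template contributes only <li>, so any other tag came from the data.
function tagNamesIn(markup) {
  const names = new Set();
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.add(m[1].toLowerCase());
  return [...names];
}

function foreignTags(markup) {
  return tagNamesIn(markup).filter((t) => t !== "li");
}

// Constructed untrusted input: a contact name that carries markup.
const UNTRUSTED_NAME = "Ann <b>Admin</b><i>x</i>";
console.log("unsafe:", renderContactUnsafe(UNTRUSTED_NAME), foreignTags(renderContactUnsafe(UNTRUSTED_NAME)));
console.log("safe:  ", renderContactSafe(UNTRUSTED_NAME), foreignTags(renderContactSafe(UNTRUSTED_NAME)));
```

In a real app the preferable fix is to avoid the markup string altogether: create the `li` with `document.createElement` and assign the name through `textContent`, which never invokes the HTML parser. Escaping is the fallback for code that must keep building markup strings.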
A second class of problems concerns permission misuse. Many apps request powerful permissions (e.g., systemXHR, geolocation, audio-channel-content) in their manifest but never actually invoke the corresponding APIs. The authors built a permission‑usage map from the Firefox OS source code and identified at least 50 apps that request permissions they do not use, violating the principle of least privilege and increasing the attack surface should the app be compromised.
The paper also highlights the insecure handling of third‑party advertisements. Although the web model encourages isolation of ads via sandboxed iframes, the reference implementation used by many Firefox OS apps embeds ads in an unsandboxed iframe sourced from a data‑URI. Consequently, ad scripts run in the same origin as the host app and inherit all declared permissions, allowing an ad network to exploit any granted capability (e.g., audio capture, file storage). This design mirrors known Android issues but is arguably more dangerous because the ad code can change without the app’s knowledge.
A particularly novel finding concerns certificate override caching. In Firefox OS, when a user accepts a certificate error for a given domain, the override is cached globally across all applications rather than being scoped per‑app. Combined with the platform’s limited security UI, users receive little feedback that a connection is being made with a previously‑accepted, potentially malicious certificate. This cross‑application caching creates a counter‑intuitive user experience and a systemic security weakness that can be exploited by a man‑in‑the‑middle attacker.
To address the detection gap, the authors develop a lightweight static analysis tool built on the Acorn JavaScript parser and the Tern type‑inference engine. The tool performs a global data‑flow pass to construct def‑use chains for every variable, then applies heuristics to flag: (1) non‑literal values assigned to innerHTML/outerHTML; (2) permission declarations that lack corresponding API calls; and (3) use of data‑URI iframes for ads. Despite being neither sound nor complete, the analyzer successfully scanned the entire privileged‑app dataset in minutes on a commodity desktop, uncovering multiple vulnerable apps that had already passed Mozilla’s manual review.
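The three heuristics above, together with the innerHTML, unused-permission and data-URI iframe problems described earlier in the summary, can be approximated without the paper's tooling. The following is an added example and not the authors' analyzer: it uses pattern matching over source text instead of an Acorn AST with Tern-inferred def-use chains, so it will miss sinks reached through aliases and permission uses reached through indirection. The sample manifest, the sample app source and the small permission-to-API map are all constructed for illustration (the paper derives its real map from the Firefox OS source).

```javascript
// Added example (not the paper's tool): a dependency-free, text-level
// approximation of the three checks. Runs under Node with no packages.

// Assignment to innerHTML/outerHTML; capture the right-hand side up to ';' or
// end of line. The (?!=) keeps '==' comparisons from matching.
const SINK_RE = /\.(innerHTML|outerHTML)\s*=(?!=)\s*([^;\n]+)/g;
// A right-hand side that is exactly one string literal is treated as safe.
const STRING_LITERAL_RE = /^\s*(['"])(?:\\.|(?!\1).)*\1\s*$/;
// <iframe ... src="data:..."> in markup strings, or el.src = "data:...".
const DATA_URI_IFRAME_RE = /(?:<iframe[^>]*\ssrc\s*=\s*|\.src\s*=\s*)["']data:[^"']*["']/gi;

// Constructed subset of a permission -> API-usage map. Each permission is
// considered "used" if any of its patterns appears in the source.
const PERMISSION_APIS = {
  systemXHR: [/new\s+XMLHttpRequest\s*\(\s*\{[^}]*mozSystem\s*:\s*true/],
  geolocation: [/navigator\.geolocation\./],
  "audio-capture": [/getUserMedia\s*\(/],
  contacts: [/navigator\.mozContacts\./],
  "device-storage:pictures": [/navigator\.getDeviceStorage\s*\(\s*['"]pictures['"]\s*\)/],
};

// 1-based line number of a character offset.
function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Heuristic 1: non-literal values flowing into innerHTML/outerHTML.
function findUnsafeHtmlSinks(src) {
  const findings = [];
  const re = new RegExp(SINK_RE.source, "g");
  let m;
  while ((m = re.exec(src)) !== null) {
    const rhs = m[2].trim();
    if (!STRING_LITERAL_RE.test(rhs)) {
      findings.push({ sink: m[1], rhs, line: lineOf(src, m.index) });
    }
  }
  return findings;
}

// Heuristic 2: declared permissions with no matching API use. Permissions
// absent from the map are skipped rather than flagged, to limit false positives.
function findUnusedPermissions(manifest, src) {
  return Object.keys(manifest.permissions || {}).filter((perm) => {
    const patterns = PERMISSION_APIS[perm];
    return patterns ? !patterns.some((re) => re.test(src)) : false;
  });
}

// Heuristic 3: iframes whose content comes from a data: URI and so shares the
// app's origin and permissions.
function findDataUriIframes(src) {
  const findings = [];
  const re = new RegExp(DATA_URI_IFRAME_RE.source, "gi");
  let m;
  while ((m = re.exec(src)) !== null) findings.push({ match: m[0], line: lineOf(src, m.index) });
  return findings;
}

function scanApp(manifest, src) {
  return {
    unsafeHtmlSinks: findUnsafeHtmlSinks(src),
    unusedPermissions: findUnusedPermissions(manifest, src),
    dataUriIframes: findDataUriIframes(src),
  };
}

// Constructed sample privileged app: manifest plus one script.
const SAMPLE_MANIFEST = {
  name: "Demo Notes",
  type: "privileged",
  permissions: {
    systemXHR: { description: "fetch a remote feed" },
    geolocation: { description: "tag notes with a location" },
    "audio-capture": { description: "voice memos (never implemented)" },
  },
};

const SAMPLE_SOURCE = `
var list = document.getElementById('notes');
function show(note) {
  list.innerHTML = '<li>' + note.title + '</li>';
}
document.getElementById('hint').innerHTML = '<em>No notes yet</em>';
var xhr = new XMLHttpRequest({ mozSystem: true });
navigator.geolocation.getCurrentPosition(function (p) { /* ... */ });
var ad = document.createElement('iframe');
ad.src = 'data:text/html,' + encodeURIComponent(adMarkup);
document.body.appendChild(ad);
`;

console.log(JSON.stringify(scanApp(SAMPLE_MANIFEST, SAMPLE_SOURCE), null, 2));
```

On the sample this reports the concatenated `innerHTML` on line 4 but not the pure literal on line 6, the declared but never exercised `audio-capture` permission, and the `data:` iframe on line 10. Anything beyond this text-level matching (an `innerHTML` reached through a variable that aliases the element, or a permission used only inside a string passed to `eval`) needs the data-flow view the paper builds on Tern.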
The authors compare their tool to Mozilla’s existing “validator,” which checks manifest consistency and CSP violations. While the validator does warn about dynamic innerHTML usage, the high false‑positive rate renders the warnings largely ignored by reviewers. The new analyzer, by focusing on concrete data‑flow patterns, reduces noise and can be integrated into the existing validation pipeline or the broader ScanJS project.
Beyond technical findings, the paper discusses broader implications of repurposing desktop browser components for a mobile OS. The sandboxing model creates an expectation that side effects (e.g., certificate handling, permission usage) are confined to the originating app. When the platform violates this expectation—through global certificate overrides or shared permission scopes—the result is a subtle but exploitable security flaw.
In conclusion, the study shows that Firefox OS’s default CSP and marketplace code review, while valuable, do not fully protect privileged applications from common web‑based vulnerabilities. Lightweight static analysis can effectively augment these defenses, automatically identifying HTML injection, over‑privileged manifests, and insecure ad integration. Moreover, design choices such as global certificate‑override caching highlight the need for careful alignment of security policies with user‑experience expectations in web‑centric mobile platforms. The authors advocate for tighter integration of automated analysis tools into the app‑submission workflow and for revisiting platform‑level policies that currently expose users to cross‑application security risks.