The Firefox OS for mobile devices is built on Mozilla’s “Boot to Gecko project” which unlocks many of the current limitations of web development on mobile, allowing HTML5 applications to access the underlying capabilities of a phone, previously only Unix and Linux based mobile OSes available to native applications. Telefónica’s Digital unit joined forces with Mozilla earlier this year to take this work and showcase a new phone architecture where every phone feature (calling, messaging, games, etc.) is an HTML5 application.Wait.. what? Basically, the browser can interact directly with the operating system.. and this is being done at a time when vendors are trying to keep the browser as seperated as possible from the OS to mitigate against exploits.
This led me to pose the question in another publication: Firefox OS: will it be safe? Well, if you know Betteridge's Law of Headlines then the answer is probably "no".
We have been down this path before. ActiveX promised to allow the browser (in this case Internet Explorer) access to the system to allow it to do clever things. Yes, software authors could get their applications signed to demonstrate that they were trustworthy, but it was still a security nightmare. And despite the apparent death of ActiveX (when was the last time you installed an ActiveX component that wasn't Adobe Flash?) it still features prominently when it comes to patching.
And then there's Java. Java was meant to be safe because it was sandboxed from the rest of the machine it was running on, making it inherently safe. Fast forward to today.. and what is one of the most common vectors for malware infection? Yes, it's Java. Fundamentally the Java security model is broken, as the endless series of patches we see testifies to.
From a security perspective, keeping the browser just as a browser and limiting the interaction is has with the OS is the best approach. But the Firefox OS wants to turn that on its head. And while Mozilla will no doubt put in processes to try to ensure that it will be safe, the examples of Java and ActiveX show how difficult it can be to nail it down.
Why does it matter? There's a lot of hype about mobile malware at the moment, but in my experience it is still an almost insignificant threat. That will change though, as more and more smartphones and tablets are being used for financially sensitive transactions, and fundamentally a smartphone is just a small computer and it can be added to a botnet for evil purposes.
One last consideration is this - getting updates. As (mostly) Android users will know, OS updates tend to dry up shortly after launch leaving the underlying system vulnerable.. although Apple owners tend to get updates for a much longer time. Keeping on top of security threats will require Mozilla, the manufacturers and networks to co-operate closely to keep security updates rolling out. The Firefox OS model closely matched Android rather than Apple.. so Mozilla and its partners have their work cut out here too.
If you're interested, this article I wrote is a slightly different take on the subject.