One of the more interesting items out of the just-concluded Mobile World Conference in Barcelona was the announcement of the Firefox OS which, as Mozilla CEO Gary Kovacs rather colorfully noted, is “taking [the Web] to mobile.”

More than the announcements of how many manufacturers and carriers will release Firefox OS devices, what sets Mozilla’s new mobile OS apart is its heavy usage of HTML5. Firefox OS apps are meant to be coded using HTML5 and other open standards, without the use of proprietary tools or technology.

So far, the majority of what has been released about the Firefox OS hasn’t really been aimed at security researchers or analysts (although there are some good resources on the Mozilla developers site). Instead, it’s been aimed at app developers, would-be users, and mobile carriers – the people who need to adapt Firefox OS relatively quickly in order to make it successful. Devices that support Firefox OS haven’t even been released to developers, let alone the public, yet.

What we can do is look at the overall security of HTML5 to tell what kind of environment Firefox OS apps will be operating in. We know that HTML5 is definitely powerful enough to be a useful application platform – but this also means that malicious behavior can also be performed with HTML5. Attacks can also be carried out over HTML5. Of course, all of these can be done with native code as well, so HTML5 is not at an advantage or disadvantage when it comes to power or security.

Read the rest of this entry »