One of the more interesting items out of the just-concluded Mobile World Conference in Barcelona was the announcement of Firefox OS, which, as Mozilla CEO Gary Kovacs rather colorfully noted, is “taking [the Web] to mobile.”
More than the announcements of how many manufacturers and carriers will release Firefox OS devices, what sets Mozilla’s new mobile OS apart is its heavy use of HTML5. Firefox OS apps are meant to be coded using HTML5 and other open standards, without the use of proprietary tools or technology.
So far, most of what has been released about Firefox OS hasn’t really been aimed at security researchers or analysts (although there are some good resources on the Mozilla developers site). Instead, it’s been aimed at app developers, would-be users, and mobile carriers – the people who need to adopt Firefox OS relatively quickly in order to make it successful. Devices that support Firefox OS haven’t yet been released even to developers, let alone the public.
What we can do is look at the overall security of HTML5 to tell what kind of environment Firefox OS apps will be operating in. We know that HTML5 is definitely powerful enough to be a useful application platform – but this also means that malicious behavior can be implemented in HTML5, and attacks can be carried out over it. Of course, all of these can be done with native code as well, so HTML5 is at neither an advantage nor a disadvantage when it comes to power or security.
Mozilla is quite ideologically committed to openness and choice. Does this mean that users are more likely to encounter malicious apps in Firefox OS, in contrast to the tightly controlled iOS experience? Until all the details of Firefox OS are made clear, we can’t be sure – but it is likely to be that way.
Ultimately, until Firefox OS makes its way to more users (and researchers), it’s hard to say how secure it will or won’t be. However, because of how its apps are built, it does pose a slightly different environment compared to either iOS or Android. I for one am interested to see how cybercriminals adapt to this new potential attack surface.