Mozilla Banks Mobile Future on HTML5 Security

At the Mobile World Congress this year in Barcelona, Mozilla announced their push into the Chinese, Indian, and Brazilian low-budget market with their sub-$30 lineup of smartphones and tablets that will be hitting shelves globally in 2014. Relying solely on an HTML5 web-based architecture, Firefox OS will supposedly usher in a new era of cheap, fast, efficient smartphones and tablets that are also safe, secure, and capable of keeping the secrets of our credit cards tucked away in our wallets where they belong.


History repeating itself

It’s 1975 and a young developer who dropped out of college to pursue his dream of running a software company breaks free from the norm and starts offering a product built on top of an entirely new architecture, one that hasn’t been fully tested or approved by anyone for more than a few years yet.

It runs lighter and faster than anything else, but it’s also riddled with security flaws, backdoors, and unseen consequences of programming that have gone patched and unpatched again and again in a seemingly endless war that’s been fought for upwards of three long, virus-filled decades now.

I’ll give you two guesses.

For anyone left in the dark, the answer is Microsoft and what started out as BASIC, morphed into DOS, and now makes up the Windows (XP, 7, and 8) we all love and hate today. Since its inception, Windows and the desktops it relied on to operate were offered at significantly lower prices than their counterparts sold by Apple, which meant for a good decade and a half, they also outsold them at a rate of five-to-one. Because of its nearly 96% total market adoption rate, it’s also the most highly targeted and scrutinized OS of all, so much so that Apple was able to gain that missing 3% back in the past few years just by running ads that essentially boiled down to “Windows infected, Mac clean” drilled into people’s heads repeatedly by comedians John Hodgman and Justin Long.

(And by now we all know that not even OSX or iOS are impervious to the threats they were long able to avoid under a shroud of relative obscurity.)

Can we trust HTML5?

As a programming and web development language, HTML5 is only about four years old, and much like its age would suggest, still has quite a few kinks and stops that need to be worked out before anyone pins a medal on their lapel for “Best Certificate Pinning”. Dr. Li Gong, Senior Vice President of Mobile Devices and President of Asia Operations for Mozilla, is still obviously very optimistic about the corporation’s next venture.

“The combination of Firefox OS with Spreadtrum’s entry-level smartphone platforms has the potential to dramatically extend the reach of smartphones and the Web globally. Firefox OS delivers a customized, fun and intuitive experience for first-time smartphone buyers and our collaboration with Spreadtrum enables the industry to offer customers an extremely affordable way to get a smartphone and connect with Web apps.”

HTML5 is an impressive step in the right direction toward preventing innocent people from losing their identities and finances to scammers online. However, it’s the immaturity of the platform that worries security researchers from numerous notable firms. Researchers from FireEye, F-Zero, and Symantec have come out to question Mozilla’s claims that their solution to low-cost device distribution is the absolute safest way to do your banking or communicate with friends online, and have yet to see the widespread implications of HTML5 functioning as a centralized network hub for hundreds of millions of devices at once.

The company believes it’s the inherently fast and flexible nature of HTML5 that will enable them to constantly update their OS with the latest and greatest security fixes, patching flaws and distributing updates more often and efficiently than any other mobile solution available on the market right now.

“Subsequent upgrades and patches to the Firefox OS platform are deployed using a secure Mozilla process that ensures the ongoing integrity of the system image on the mobile phone. The update is created by a known, trusted source — usually the device OEM — that is responsible for assembling, building, testing, and digitally signing the update package.”

If developers plan to rest on the laurels of the current state of browser security as a safeguard against the incoming tidal wave of users waiting right on the other side of the next big trend, they’re going to need to take user privacy and security more seriously than they have so far. Right now those engineers are the only thing preventing the situation from snowballing into the same size department that a certain Redmond, WA software giant relies on just to maintain a basic status quo against the army of hackers trying to break into their vaults every day.