This is a dump of an idea I got the other day related to a specific paragraph in our Privacy Policy:
Some user's personal information and data obtained from third party services are cached locally by a background service called Akonadi, which is part of Kontact. It is possible for any locally running software to interact with Akonadi and thus access, modify or delete any data stored there.
Basically, any software that the user installs can quietly connect to Akonadi, retrieve the user's PIM data and do anything it wants with it, including deleting all of the user's PIM data (locally and remotely) or stealing it and sending it to a potential attacker.
My idea was to introduce a mechanism whereby each new client and resource that connects to Akonadi needs to authenticate itself. The first time it tries to connect, it needs to ask for authorization. Akonadi responds to this by showing a dialog to the user with information about the new program trying to access the user's PIM data, asking whether the user approves or not. Upon approval, the server would generate some secret token that it would share with the client. All future connections from the client would be authenticated using the token, so that Akonadi doesn't endlessly spam the user with permission dialogs. The clients can store the tokens, for instance, in KWallet. Some UI needs to be added to allow the user to revoke the permission as well.
This is not really about securing the data so that nothing but Akonadi can access it (a malicious program could still just copy the contents of ~/.local/share/akonadi), but about informing the user which software accesses their PIM data in Akonadi, and allowing them to revoke the access and block the app.
There are some design questions:
- How to make it as hard as possible for a malicious app to impersonate a known application (KMail), or how to make it easier for the user to spot such impersonation
- How to store the tokens server-side in a somewhat secure manner (KWallet?)
- Should part of this task also be protecting access to the Akonadi database, so that only the Akonadi process can connect to it? Right now any process running with the user's privileges has access to the database
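To make the proposed flow concrete, here is an added sketch of the server side in Python (my own illustration, not Akonadi code, which is C++/Qt). The `ask_user` callback stands in for the approval dialog; the server persists only a hash of each token, so a copy of the server-side store does not yield usable tokens, and grants are keyed by a random id rather than by the claimed application name, so two programs both calling themselves "KMail" show up as two separate entries in the revocation UI.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    app_name: str        # name the client claimed in the dialog (not trusted for identity)
    token_hash: bytes    # sha256 of the secret; the plaintext is never stored server-side
    revoked: bool = False


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class AuthBroker:
    """Sketch of the per-client authorization flow: prompt once, then token auth."""

    def __init__(self, ask_user):
        self.ask_user = ask_user   # callable(app_name) -> bool, stands in for the GUI dialog
        self.grants = {}           # grant_id -> Grant (hypothetical persisted store)

    def request_access(self, app_name: str):
        """First connection: ask the user; on approval mint a token the client keeps (e.g. in KWallet)."""
        if not self.ask_user(app_name):
            return None
        grant_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.grants[grant_id] = Grant(app_name, _digest(secret))
        return f"{grant_id}.{secret}"   # client presents this on every later connection

    def authenticate(self, token: str) -> bool:
        """Later connections: look up the grant by id and compare hashes in constant time."""
        grant_id, _, secret = token.partition(".")
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked or not secret:
            return False
        return hmac.compare_digest(grant.token_hash, _digest(secret))

    def list_grants(self):
        """What a revocation UI would show: one row per approved program."""
        return [(gid, g.app_name, g.revoked) for gid, g in self.grants.items()]

    def revoke(self, grant_id: str) -> None:
        if grant_id in self.grants:
            self.grants[grant_id].revoked = True
```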