What seperates Certified and Privileged apps on KaiOS?

Summary

Privileged vs Certified. Packaged apps on KaiOS are bundled as ZIP files, containing all the HTML, CSS, and JS needed to run locally on device. There are two types of packaged apps: Privileged and Certified. The latter is the highest security level available, granting the app access to nearly all permissions and features afforded primarily to System apps.

Why go Certified? The most obvious reason is if you need a permission that is marked only for Certified apps. You might also find that writing a Certified app offers access to “hidden” features for deeper system integration and a better user experience.

Certified Games: Perhaps surprisingly, the majority of Certified apps KaiOS Ecosystem published on the KaiStore are actually games that leverage the sms permission to retrieve a 2-factor one time password (OTP) without needing to leave the game itself!

Permissions

• Can access specific permissions (see KaiOS Permissions)
• Can access specific permissions without user prompts (Source: PermissionsInstaller.jsm)
• Certain permission checks are skipped, i.e. AUDIO_3GPP (Source: MediaRecorder.cpp)

Features

• Get the list of allowed audio channels via readonly properties navigator.mozAudioChannelManager.allowedAudioChannels with the system-app-only-audio-channels-in-app permission (Source: AudioChannelManager.cpp)
• Enables ECMA-402 experimental DateTimeFormat “formatToParts” method, later added to Firefox 51 (Source: WorkerScope.cpp)
• Can access special DOM events like "largetextenabledchanged" (Source: nsGlobalWindow.cpp)
• Can get precise battery percentage without rounding (Source: BatteryManager.cpp)
• Certified apps can vibrate while in the background (Source: Navigator.cpp)
• Can enumerate unfiltered activity providers from the application registry (Source: ActivityProxy.js)

System Messages and IPC

• Can respond to special system messages like bluetooth-pairing-request (Source: SystemMessagePermissionsChecker.jsm)
• Can interact via Inter-App Communications (IAC) (Source: InterAppCommService.jsm)
• Can initiate special activities like "internal-system-engineering-mode" (Source: ActivitiesService.jsm)

Behind the Scenes

• Can set sample size fragment which is disabled behind "image.mozsamplesize.enabled" boolean preference (Source: ImageFactory.cpp)
• Can re-use the same process (Source: ContentParent.cpp)

Manifest

• Can have app role of theme or addon (Source: AppsUtils.jsm)
• Certified apps have a more strict Content Security Policy (CSP) (Source: b2g.js)

Bonus

• Exposes the boolean scrollgrab property on any HTMLElement, initially created in Bug #912666 for iframe containers to alter AsyncPanZoomController (APZC) behavior (Source: nsGenericHTMLElement.cpp, read more in AsyncPanZoom.md
• Can override to any audience via navigator.mozId first referenced in Bug #947374 (Source: Identity.webidl)
• Installation might be blocked during sideloading, based of certain permissions listed in the device preference devtools.debugger.forbid-certified-apps (Source: debugger.js)

Publishing

The KaiStore does not provide specific guidance for publishing Certified apps. From my own experience, developers typically need to provide a justification for why their app needs to be Certified, and disclose source code for KaiOS to review to ensure the permissions are not used for malicious purposes. Remember, Certified apps have access to nearly every permission including killswitch, which can brick a device, so they need to be vetted more thoroughly.

Developing and publishing Certified apps can be complicated, but can also facilitate deeper integration and an improved user experience. If you are interested in developing high-quality KaiOS applications with deep system integration, learn more about the author and find contact information on the About page.

• Previous
  Bluetooth Low Energy on KaiOS
• Next
  What's Next for the JioPhone?