WebAPI/Security/Settings: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Name of API: Settings API
== Settings API ==
References:
*https://bugzilla.mozilla.org/show_bug.cgi?id=678695
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
 
Brief purpose of API: API to configure device settings
Brief purpose of API: API to configure device settings


Line 15: Line 11:
Threat severity: High
Threat severity: High


== Regular web content (unauthenticated) ==
References:
Use cases for unauthenticated code: Read/change non-sensitive settings
*https://bugzilla.mozilla.org/show_bug.cgi?id=678695
 
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
Authorization model for normal content: None
 
Authorization model for installed content: Implicit read access to limited settings. Write access via web intents.  
 
Potential mitigations: Only non-sensitive settings will be exposed to regular apps.
 
== Privileged (approved by app store) ==
Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions
 
Authorization model: Implicit
 
Potential mitigations: Access to a subset of lower risk settings
 
== Certified (system-critical apps) ==
Use cases for certified code: replacement settings manager app


Authorization model: Implicit access to all settings
=== Permissions Table===
{| border="1" class="wikitable"
! Type
! Use Cases
! Authorization Model
! Notes & Other Controls
|-
| Web Content || None || No access
|-
| Installed Web Apps || None || No access
|-
| Privileged Web Apps || None || No access
|-
| Certified Web Apps || Settings manager app || Implicit
|}


Potential mitigations: None
[[Category:Web APIs]]
[[Category:Security]]

Latest revision as of 23:42, 1 October 2014

Settings API

Brief purpose of API: API to configure device settings

General Use Cases: None

Inherent threats:

  • Access sensitive configuration data (WiFi passwords etc)
  • Change settings which might cost user money (data settings, roaming etc)
  • Privacy implications

Threat severity: High

References:

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps None No access
Certified Web Apps Settings manager app Implicit
Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Settings&oldid=1021349"