WebAPI/Security/WebTelephony: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
No edit summary |
||
| (5 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== WebTelephony == | |||
Brief purpose of API: Make and receive phone calls | Brief purpose of API: Make and receive phone calls | ||
General Use Cases: None | General Use Cases: None | ||
| Line 19: | Line 14: | ||
Threat severity: high to critical, confidential information disclosure and direct financial risk | Threat severity: high to critical, confidential information disclosure and direct financial risk | ||
References: | |||
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony | |||
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235 | |||
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726 | |||
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion | |||
== | {| border="1" class="wikitable" | ||
! Type | |||
! Use Cases | |||
! Authorization Model | |||
! Notes & Other Controls | |||
|- | |||
| Web Content || click on a phone number in an email or browser to dial || No direct access (access via web activities) || When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger. | |||
|- | |||
| Installed Web Apps || As Above || No direct access (access via web activities) || As above. | |||
|- | |||
| Privileged Web Apps || As Above || No direct access (access via web activities) || As above. | |||
|- | |||
| Certified Web Apps || | |||
* Handler for telephony web activities | * Handler for telephony web activities | ||
* Replacement dialer | * Replacement dialer | ||
* Voice conference software (e.g. connect Voip with a mobile call)? | * Voice conference software (e.g. connect Voip with a mobile call)? | ||
* Mediate incoming calls (accept/reject/merge) | * Mediate incoming calls (accept/reject/merge) | ||
* Query transceiver state | * Query transceiver state | ||
|| Implicit | |||
|} | |||
__NOTOC__ | |||
[[Category:Web APIs]] | |||
[[Category:Security]] | |||
Latest revision as of 23:42, 1 October 2014
WebTelephony
Brief purpose of API: Make and receive phone calls
General Use Cases: None
Inherent threats:
- Place calls to high cost numbers,
- Route calls through high cost network,
- Direct calls through MITM network (spying).
- Possibly with audio API, record phone calls, record touch tone signals (account numbers?).
- In addition, there is a high likelihood that this API will need to be controlled for legal reasons.
Threat severity: high to critical, confidential information disclosure and direct financial risk
References:
- WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
- B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
- Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | click on a phone number in an email or browser to dial | No direct access (access via web activities) | When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger. |
| Installed Web Apps | As Above | No direct access (access via web activities) | As above. |
| Privileged Web Apps | As Above | No direct access (access via web activities) | As above. |
| Certified Web Apps |
|
Implicit |