WebAPI/Security/DeviceStorage: Difference between revisions
No edit summary |
mNo edit summary |
||
| Line 1: | Line 1: | ||
Name of API: Device Storage | Name of API: Device Storage | ||
References:<br> | |||
https://wiki.mozilla.org/WebAPI/DeviceStorageAPI<br> | |||
*https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/9b5e3f55ea2c42f8 | *https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/9b5e3f55ea2c42f8 | ||
Revision as of 11:47, 25 June 2012
Name of API: Device Storage
References:
https://wiki.mozilla.org/WebAPI/DeviceStorageAPI
Brief purpose of API: Let content access files based on name and type. Can be enumerated.
Inherent threats: Use excessive resources (file space), read files, change or delete files. Files could potentially contain confidential information.
Threat severity: high to critical - privacy concerns, loss of user data, access to confidential data.
Regular web content (unauthenticated)
Use cases for unauthenticated code: Access a previously taken profile picture, select a song to play.
Authorization model for uninstalled web content: Explicit (OS Mediated)
Authorization model for installed web content: Explicit (OS Mediated)
Potential mitigations: Make sure the user knows what files is being accessed when asking permission. No option to remember permission. OS mediated interface (like file picker - via intents?).
Trusted (authenticated by publisher)
Use cases for authenticated code: Photo gallery
Authorization model: Explicit
Potential mitigations: Granting permission only for a particular type of file (images, pdf, etc). In the short run we will rely on the "intended usage" to communicate to the user the risk of permitting this access.
Certified (vouched for by trusted 3rd party)
Use cases for certified code: File manager
Authorization model: Implicit
Potential mitigations: None.
Notes
Ideally permission should be given on a type basis (i.e. enforce the "intended usage" at runtime). So giving permission to access music doesn't automatically give permission to photos. If the type is a string literal when the code is reviewed, that would mitigate the issue. Otherwise sub-permissions for types (device-storage.music) or separate permissions for each type (device-storage-music) would be needed. Also has the benefit that it allows the permission prompt to be more explicit about what is being granted.