Security/Reviews/Gaia/sms: Difference between revisions

App Review Details

• App: SMS
• Review Date: 3rd March 2014
• Latest Commit: https://github.com/mozilla-b2g/gaia/commit/db3b537b4a29be4849f45fb7ec27b77bb778a2a6
• Branch Reviewed : Master
• Reviewers : Stéphanie Ouillon & Paul Theriault

Overview

SMS app provides the ability to send and receive SMS/MMS messages. SMS was reviewed previously in jun 2013.

The main focus of this re-review was to include the addition of subject support in MMS (bug 919966) and delivery report support (bug 919977). The prior review can be found here.

Architecture

Components

SMS app is structed as a single HTML page. This page displays the list of SMS messages, UI for composing sms, viewing threads, deleting messages etc.

A message is composed of a phone number and optional body, contact and threadId. There is also web activity handlers so that other apps can ask the SMS app to send a message.

Inputs to the SMS app: SMS events from system, web activity requests, data from contacts, user input to write the SMS.

At startup, 4 components are initialized:

• ActivityHandler: application's global Activity handler to delegate to specific handler based on the Activity name; action when receiving a sms/mms.
• ThreadUI: UI actions (listeners, view initialization, message templating...)
• MessageManager: message actions (send, receive...)
• Settings: set the default mms message size limitation

Relevant Source Code

UI:

• action_menu.js
• attachment_menu.js
• compose.js - handle UI specifics of message composition
• dialog.js - generic confirm screen
• fixed_header.js
• information.js - Information view (delivery report)
• thread_list_ui.js - track current number of rendered threads
• thread_ui.js - manage threads
• waiting_screen.js

Actions:

• activity_handler.js - main activity handler
• activity_picker.js - to perform actions such as calling/adding/editing a contact, sending a sms/mms/email
• attachments.js - create an attachment object (media source and text)
• contacts.js - find/filter contacts
• blacklist.js - get the blacklisted numbers
• link_action_helper.js - link url/email/phone data in a message
• message_manager.js - send/received messages
• notify.js - notification on incoming message
• recipients.js - manage recipients list
• smil.js - handle SMIL document (layout of MMS message)
• startup.js

Settings:

• settings - default MMS size limitation if no operator specification

Util:

• link_helper.js - replace input strings by anchor links for url, phone, email
• utils.js - time, contact details, font size, carrier tag, etc.
• wbmp.js - decode the Wireless Bitmap image format (.wbmp is Wireless Application Protocol Bitmap Format)

Shared code:

• shared/js/l10n.js
• shared/js/lazy_loader.js

The *_mock.js files are not reviewed since they are test files.

Permissions

The sms app requires the following permissions:

 "permissions": {
   "sms":{},
   "storage":{},
   "mobileconnection": {},
   "contacts":{ "access": "readonly" },
   "settings":{ "access": "readonly" },
   "audio-channel-notification":{},
   "desktop-notification":{},
   "phonenumberservice":{}
 }

There are two new permissions:

• mobileconnection: used in settings.js for listening to mobile connection datachange before switching between SIMs .
• phonenumberservice: used for normalizing and comparing phone numbers

Web Activity Handlers

The SMS app handles two Activities, defined in activity_handler.js:

 "activities": {
   "new": {
     "filters": {
       "type": "websms/sms",
       "number": {
         "pattern":"[\\w\\s+#*().-]{0,50}"
       }
      },
     "disposition": "window"
   },
   "share": {
     "filters": {
       "type": ["image/*", "audio/*", "video/*"],
       "number": 1
      },
     "disposition": "window",
     "returnValue": true
   }
 }

• new - to create a new message and pre-populate message details (phone number, body, contact).
• share - to allow to send a media in attachment via a SMS/MMS, launching the sms app from another app.

Web Activity Usage

• blacklist.js gets the blacklist file by an XHR request to 'js/backlist.json'.
• ActivityPicker can make calls to several activities with web usage: new (mail), view (url)
• A pick Activity (with type ['image/*', 'audio/*', 'video/*']) is used to allow the user to create an attachment.
• A pick Activity (with type webontacts/contacts) is used to retrieve a Contact from the adress book.

Notable Event Handlers

The 'hashchange' event handler is used in threads.js and activity_handler.js.

Datastore access

Access to Facebook contacts:

 "datastores-access": {
   "Gaia_Facebook_Friends": {
     "description": "Facebook Friends"
   }   
 }

Code Review Notes

1. XSS & HTML Injection attacks

Data retrieved for delivery reports seems to be correctly rendered in the information panel. Timestamps come from Gecko. There is a few "innerHTML" but there are used alongwith templating (TMPL.*.interpolate).

2. Secure Communications

No comunication with any external services.

3. Secure data storage

Sms data is stored in indexeddb, which is stored inside the profile, which is to be protected via file permissions.

4. Denial of Service

No issues. Subject messages are limited to 140 characters.

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

No issues.

Actions & Recommendations

• See bug 912885