WebAPI/Security/Bluetooth: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
mNo edit summary
No edit summary
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
===Web Bluetooth API===
==Web Bluetooth API==
References:
*https://bugzilla.mozilla.org/show_bug.cgi?id=674737
*https://wiki.mozilla.org/WebAPI/WebBluetooth
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/ztmSvKP3Z8U/discussion
 
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices.  This includes setting properties on  adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices.  This includes setting properties on  adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.


Line 13: Line 8:
Threat severity: High
Threat severity: High


== Regular web content (unauthenticated) ==
References:
Use cases: None
*https://bugzilla.mozilla.org/show_bug.cgi?id=674737
*https://wiki.mozilla.org/WebAPI/WebBluetooth
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/ztmSvKP3Z8U/discussion


Authorization model for normal content: None
=== Permissions Table===


Authorization model for installed content: None
{| border="1" class="wikitable"
 
! Type
Potential mitigations:
! Use Cases
 
! Authorization Model
== Privileged (approved by app store) ==
! Notes & Other Controls
Use cases: None
|-
 
| Web Content || None || No access ||
Authorization model: None
|-
 
| Installed Web Apps || None || No access ||
Potential mitigations:
|-
 
| Privileged Web Apps || None || No access ||
== Certified (system-critical apps) ==
|-
Use cases:
| Certified Web Apps ||
*Read bluetooth adapter state
*Read Bluetooth adapter state
*Start/Stop device discovery
*Start/Stop device discovery
*List discoverd devices
*List discovered devices
*Pair with device
*Pair with device  
 
|| Implicit || Potential mitigations:  Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection.  Potentially limits on device types.
Authorization model: Implicit
|}
 
Potential mitigations:  Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection.  Any limit on types of devices?


==Notes==
=== Notes ===
Non-certified use cases are out of scope for 1.0.  We will consider those for a subsequent release.
Non-certified use cases are out of scope for 1.0.  We will consider those for a subsequent release.


__NOTOC__
__NOTOC__
[[Category:Web APIs]]
[[Category:Security]]

Latest revision as of 23:40, 1 October 2014

Web Bluetooth API

Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.

General Use Cases:

Inherent threats: Privacy, access to sensitive user devices, de-anonimization based on bluetooth state

Threat severity: High

References:

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps None No access
Certified Web Apps
  • Read Bluetooth adapter state
  • Start/Stop device discovery
  • List discovered devices
  • Pair with device
 Implicit Potential mitigations: Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection. Potentially limits on device types.

Notes

Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Bluetooth&oldid=1021332"