Security/B2G/USB file-reading API: Difference between revisions

Initial security review
{{SecTracker
|Component=USB File Reading API
}}
{{SecTrackerItem
|Sectrackerstatus=OK


===Background===
This feature allows a B2G device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available.

Goals: add, read and modify files stored on memory cards and USB keys connected to the device, and get notified when storage devices are connected or disconnected. This will be very similar to the Device Storage API, with a few additional methods.

Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
Wiki: Not available.


===Open Questions===
Is access read-only?
If not, what damage could someone do by modifying files?
Is this enabled by default, or by enabling a setting?


===Threat Model===
{|
! ID !! Title !! Threat !! Proposed Mitigations !! Threat Agent !! Rating !! Likelihood !! Notes !! Impact !! Notes
|-
| 1 || Casual data theft || User has data stolen by an attacker who has limited physical access || Disable mounting the device while the device is locked || Attacker with physical access to the phone || mod || || Requires physical device access || || Access sensitive data.
|-
| 2 || Casual data tampering || User has data modified by an attacker who has limited physical access || Limiting file access and permissions || Attacker with physical access to the phone || mod || || Requires physical device access || || Potentially make the phone non-functional
|-
| 3 || Data theft/tampering if device is stolen || Attacker has physical possession of the phone for unlimited time, attempting to read or change devices on the phone || None. A determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g. put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. || Attacker with physical access to the phone || || || || ||
|}


===Authorization Model===
Not applicable.


===Implementation Requirements===
Prevent USB mounting when phone is locked.
Enforce permissions to prevent access to read or modify sensitive files.
Provide a setting to enable/disable feature, consider disabling by default.
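The three requirements above amount to one gating decision: expose the sdcard partition over USB only when the user has turned the feature on, a cable is attached, and the screen is unlocked. The following is an added example written for this page, not code from B2G or Gaia; the class name, event handler names and the mount/unmount log are assumptions used for illustration, and the real platform's settings and lock-screen notifications would be wired to these handlers. It covers the edge cases a reviewer would ask about: a cable attached while locked stays unmounted until unlock, and locking while mounted forces an unmount.

```javascript
// Added example (not from the wiki page or the B2G code base): a policy object
// deciding when a device may expose its sdcard partition as USB mass storage.
// UsbStoragePolicy, the handler names and the action log are assumptions.
//
// Rules, taken from the page's implementation requirements:
//   * the feature is off unless the user enabled the setting (default off);
//   * the partition is never mounted while the screen is locked;
//   * locking the screen while mounted forces an unmount;
//   * a cable attached while locked stays unmounted until the user unlocks.

class UsbStoragePolicy {
  constructor({ featureEnabled = false } = {}) {
    this.featureEnabled = featureEnabled; // user-facing setting, default off
    this.locked = true;        // assume locked until the lock screen reports otherwise
    this.cableAttached = false;
    this.mounted = false;
    this.log = [];             // record of mount/unmount actions for audit and tests
  }

  // Every event funnels through this single decision point.
  _reconcile(reason) {
    const allowed = this.featureEnabled && this.cableAttached && !this.locked;
    if (allowed && !this.mounted) {
      this.mounted = true;
      this.log.push({ action: 'mount', reason });
    } else if (!allowed && this.mounted) {
      this.mounted = false;
      this.log.push({ action: 'unmount', reason });
    }
    return this.mounted;
  }

  // Event handlers; the platform's lock-screen, settings and USB notifications
  // would call these. Each returns the resulting mounted state.
  onLock()            { this.locked = true;  return this._reconcile('screen locked'); }
  onUnlock()          { this.locked = false; return this._reconcile('screen unlocked'); }
  onCableAttached()   { this.cableAttached = true;  return this._reconcile('cable attached'); }
  onCableDetached()   { this.cableAttached = false; return this._reconcile('cable detached'); }
  onSettingChanged(v) { this.featureEnabled = Boolean(v); return this._reconcile('setting changed'); }
}

// Constructed event sequence walking through the threat-model scenarios:
// plugged in while off and locked, user enables the feature, user locks the
// phone, unlocks it again, then removes the cable. Returns the action log.
function runScenario() {
  const policy = new UsbStoragePolicy();  // default: feature off, screen locked
  policy.onCableAttached();               // off and locked: stays unmounted
  policy.onUnlock();                      // still off: stays unmounted
  policy.onSettingChanged(true);          // enabled, cable, unlocked: mount
  policy.onLock();                        // locked while mounted: unmount
  policy.onUnlock();                      // unlocked again: mount
  policy.onCableDetached();               // cable gone: unmount
  return policy.log;
}
```

The point of routing every event through `_reconcile` is that the lock state is re-checked on each transition, so there is no path where the partition stays exported after the screen locks, and no path where attaching a cable alone is enough to mount it.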