WebAPI/Security/MobileConnection: Difference between revisions
Revision as of 21:44, 6 August 2012
Name of API: Mobile Connection API
Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection
Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.
Use Cases: The primary use case for this is the status bar of the main phone UI.
Inherent threats: Access to sensitive information such as:
* ICC-related (SIM/RUIM card)
** own phone number and other ICC I/O related features
** entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance.
** changing the PIN (also serves as enabling/disabling the PIN lock)
* device-related
** get IMEI, IMEISV
** depersonalize (remove network lock)
* baseband-related information and features
Threat severity: High
Regular web content (unauthenticated)
Use cases for unauthenticated code: None
Authorization model for normal content: None
Potential mitigations: None
Privileged (approved by app store)
Use cases for authenticated code: None
Authorization model: None
Potential mitigations: None
Certified (system-critical apps)
Use cases for certified code: Telephone status UI
Authorization model: Implicit
Potential mitigations: None
Notes
Some radio features are also accessible via the Settings API