WebAPI/Security/MobileConnection: Difference between revisions

From MozillaWiki
Revision as of 13:34, 24 September 2012

== Mobile Connection API ==

Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.

Use Cases: The primary use case for this is the status bar of the main phone UI.

Inherent threats: access to sensitive information and operations, such as:

* ICC-related (SIM/RUIM card)
** own phone number and other ICC I/O related features
** entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance.
** changing the PIN (also serves as enabling/disabling the PIN lock)
* device-related
** get IMEI, IMEISV
** depersonalize (remove network lock)
* baseband-related information and features

Threat severity: High

References:

* https://wiki.mozilla.org/WebAPI/WebMobileConnection
* Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/WKMpHavP9-Y/discussion
{| border="1" class="wikitable"
! Type
! Use Cases
! Authorization Model
! Notes & Other Controls
|-
| Web Content || None || No access ||
|-
| Installed Web Apps || None || No access ||
|-
| Privileged Web Apps || None || No access ||
|-
| Certified Web Apps || Telephone status UI || Implicit ||
|}

== Notes ==

Some radio features are also accessible via the Settings API.