THIS PAGE IS A WORKING DRAFT
	The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly. If you have any questions or ideas, please add them as a new topic on the discussion page.

Where's My Fox

Overview

To provide a means for users to locate, track and purge devices remotely.

Project Contacts

Principal Point of Contact - Doug Turner dougt@mozilla.com

Product - vishy@, elancaster@

IRC - #services-dev

Group Email - TBD

Goals

• Be able to provide a simple, secure means for FirefoxOS users to remotely locate, track and purge their devices.

Use Cases

1) Albert can't remember the location of his phone. Going to a nearby computer, he logs into WheresMyFox and requests the phone to report it's location. The phone reports that it is nearby, so Albert requests the device to ring. Albert quickly finds that his phone is in his coat pocket.

2) Bea discovers that her phone is missing. Using a friends phone, she logs into WheresMyFox and requests the phone to report it's location. She discovers that the phone is currently headed down Broadway, and realizes she has left it in the cab. Realizing that she may never see her phone again, she requests the phone to remotely wipe itself, before calling the cab agency to see if she can recover her device.

Requirements

1. The user must use a secure credentialing and authorization system to identify self and associate to a device.
   1. The login system is currently Out of Scope of these requirements, but should be or substantially similar to Firefox Accounts.
   2. A user may have one or more devices.
   3. A device shall have a Globally Unique Identifier (WTFID).
   4. A device shall be associated with a single user.
2. Data exchanged between client and server shall be via JSON Web Signature format
   1. The secret shall be generated and stored on the client, and sent to the server ONLY on initialization.
      1. The secret shall be a 128bit value.
      2. The secret shall be stored on the device as long as the WTFID remains unchanged.
      3. A new WTFID shall require a new secret to be generated and the device to reconnect as if new.
      4. No data shall be preserved in the case of a WTFID changing.
   2. Data signatures shall use HMAC SHA-256 or any more secure signing method for any exchange EXCEPT for Initialization.
3. A remote wipe operation will format any additional storage (e.g. SD card) on the phone and reset the phone to initial Factory conditions.

• Only allow registered user to display and remotely control devices.
  • login page?
  • secured by session cookie
• Securely send commands to:
  • report location on a regular interval (for motion tracking)
    • record tracking information keeping latest location for device
    • older records expired after ? period ?
  • play a default audio alarm.
    • For known period? Forever? What happens if multiple of these commands sent?
  • lock a device
    • to a key code (if not present? Override?)
    • display an optional message
  • remove all user information from a device
    • Factory reset
    • Display message and contact phone
    • lock to a key code
• Securely display UI for phone including
  • current location
  • previous recent locations
• store user & device information (multiple devices)
  • How long to store data?
  • How reliable does storage need to be?

Get Involved

Call to action for folks who want to help.

Design

Points of Contact

Engineer - Name jr@

Discussions

https://etherpad.mozilla.org/wheresmyfox-2013-10-28

Client API Reference/Documentation

Client UX was presented by Epic:

https://www.dropbox.com/sh/uaxlhzz211br438/rH2UA0Tf6_/WIMF_3.0.pdf

Server API Reference/Documentation

API calls will be a combination of REST calls and BOSH where possible. This avoids some of the issues with the fragility of websockets in areas where connectivity is sub-optimal or sporadic.

In addition, packet identifiers have been reduced as much as possible. This is to both reduce bandwidth costs as well as require less time to exchange data.

To reduce risk of injection attacks, calls will use Hawk to sign requests (unless otherwise specified).

Data Schema

Since each server system will be unique, it does not make sense to strictly specify the data storage method. Instead an example storage mechanism will be offered to illustrate how the server would manage data.

A simple storage object would be keyed off of the ID returned in the /$v/init call.

   key => {"lastPosition":{"lat":lat,             // The last position reported by track
                           "lon":lon, 
                           "alt":altitude?,       // Optional "altitude", if provided
                           "tim":UTC},            // UTC Timestamp
           "previousPositions":[{position},...],  // the last 5? position reports for the device
           "state":"(rtn)",                       // the state the server thinks the device is in
           "lastExchange":UTC                     // last time an exchange happened.
           "pendingCommand": {outboundCommand}
           }
   
    user => ["key:name",...]               // A list of known keys & user friendly names for devices

API

For this API discussion:

$v - API Version (currently 1)

$id - Globally unique ID for a device

Unless otherwise specified, all exchanged JSON blocks are signed using HAWK (not shown here for simplicity).

POST /$v/init

Post the Init JSON block to the WMF server.

From Client (not wrapped in JWS):

   {"secret":bin64encoded 128b value}

Server Reply:

   200    {"id": $id}

GET /$v/cmd/$id

GET the next command from the Server. This call is triggered by a SimplePush version update.

From Server:

   {"c":COMMAND,
    ARGS}

where COMMAND is:

ring

cause the phone to ring constantly for duration seconds.
for example, the following will cause the device to ring for 60 seconds {"c":"r","d":60}

track

Have the phone report back it's location every period seconds
e.g. {"c":"t","p":20} will cause the phone to POST to /$v/cmd/$id every period {"c":"t", "t":"la":37.388017, "lo":-122.0833} The server may reply back to the "track" POST with either an empty 200 or a COMMAND object

cancel

Cancel the current activity ("ring" or "track"). {"c":"c", "a":"t"}

lost

Set a phone into "lost" mode. This may include a number of items, optionally displaying a callback number and message, lock a device to the provided key.

• Key codes are limited to 4 numerals.
• Contact Number can only consist of numerals plus "()- ".
• Messages must be less than 100 non-control, UTF8 characters.
  

Note: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.
{"c":"l", "k":1234, "m":"If found, please email reward@example.com", "n":"555-123-4567"}

message

Set a brief message on the lock screen of the phone. Messages must be less than 100 non control, UTF8 characters. {"c":"m", "m":"If found, please email reward@example.com" } Note: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.

erase

Factory Reset your device. Optional fields may include a contact number, message, and lock key. This information will be displayed on the device prior and during device erasure.

• Key codes are limited to 4 numerals.
• Contact Number can only consist of numerals plus "()- ".
• Messages must be less than 100 non-control, UTF8 characters.
  

Note: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.
Question: They go away after a factory reset, right? Otherwise you've either bricked or you're maintaining data across a formatting (bad idea). {"c":"e", "m":"commencing device termination"}

status

return the current status information about the device. format consists of:

• is the lock key present? True or False
• the current tracking location information for the device.

{"c":"s", "k":True, "t":{"la":37.388017, "lo":-122.0833}}

Response from device

For each command the client receives, the client optionally POSTs an Ack:

   {"command":"ack",
    "action":"command letter}

e.g. for the "ring" command:

   {"c":"a", "a":"r"}

Each client Ack may return an additional COMMAND object from the server.

Platform Requirements

What are the things this needs (OS, language, databases, etc.)?

Libraries Required

List of external project dependencies. (Stuff that's not pulled in via the installation script)

Code Repository

Links to the published code bases

Release Schedule

Predicted code delivery dates

QA

Points of Contact

Engineer - Ed Wong edwong@

Test Framework

Security and Privacy

Tracking bug: 935724

• Bug 935725 - Security Review: Where's My Fox
• Bug 935726 - Legal Review: Where's My Fox
• Bug 935727 - Privacy-Technical Review: Where's My Fox
• Bug 935728 - Privacy-Policy Review: Where's My Fox

Points of Contact

Legal - udevi@

Questionnaire Answers

1.1 Goal of Feature

2. Potential Threat Vectors and Mitigation Points

Review Status

https://bugzilla.mozilla.org/show_bug.cgi?id=935725

see https://wiki.mozilla.org/Security/Reviews

Issues and Resolutions

Operations

Points of Contact

Deployment Architecture

Bugzilla Tracking # -

Escalation Paths

Lifespan Support Plans

Logging and Metrics

Points of Contact

Tracking Element Definitions

Data Retention Plans

Dashboard URL

Customer Support

Points of Contact

Sumo Tags

Review Meeting