WebAPI/Security/Settings

From MozillaWiki

< WebAPI‎ | Security

Revision as of 21:53, 30 July 2012 by Ladamski (talk | contribs) (→‎Regular web content (unauthenticated))

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Name of API: Settings API Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=678695

Brief purpose of API: API to configure device settings General Use Cases: None

Inherent threats:

Access sensitive configuration data (wifi passwords etc)
Change settings which might cost user money (data settings, roaming etc)
Privacy implications

Threat severity: High

Regular web content (unauthenticated)

Use cases for unauthenticated code: Read/change non-sensitive settings
Authorization model for normal content: None
Authorization model for installed content: Implicit read access to limited settings. Write access via web intents.
Potential mitigations: Only non-sensitive settings will be exposed to regular apps.

Trusted (authenticated by publisher)

Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions
Authorization model: Implicit
Potential mitigations: Access to a subset of lower risk settings

Certified (vouched for by trusted 3rd party)

Use cases for certified code: replacement settings manager app
Authorization model: Implicit access to all settings
Potential mitigations: None

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Settings&oldid=456220"