WebAPI/Security/MobileConnection
Jump to navigation
Jump to search
Name of API: Mobile Connection API
References:
- https://wiki.mozilla.org/WebAPI/WebMobileConnection
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/WKMpHavP9-Y/discussion
Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.
Use Cases: The primary use case for this is the status bar of the main phone UI.
Inherent threats: Access to sensitive information such as:
ICC-related (SIM/RUIM card) own phone number and other ICC I/O related features entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance. changing the PIN (also serves as enabling/disabling the PIN lock.) device-related get IMEI, IMEISV depersonalize (remove network lock) baseband-related information and features
Threat severity: High
Regular web content (unauthenticated)
Use cases for unauthenticated code: None
Authorization model for normal content: None
Potential mitigations: None
Privileged (approved by app store)
Use cases for authenticated code: None
Authorization model: None
Potential mitigations: None
Certified (system-critical apps)
Use cases for certified code: Telephone status UI
Authorization model: Implicit
Potential mitigations: None
Notes
Some radio feature are also accessible via Settings API