Security/Reviews/Gaia/costcontrol
Jump to navigation
Jump to search
App Review Details
- App: Usage (gaia/apps/costcontrol)
- Review Date: Sept 2013 (In-Progress)
- Review Lead: Rob Fletcher (:omerta)
Overview
Usage application to see credit and data usage statistics.
Presents the user with a graph of either Mobile or Data usage or both. Also, allows the user to set notifications if usage exceeds a certain amount of usage; the user can also reset the usage amount being tracked.
Architecture
A certified app to be preinstalled on the phone.
Components
Relevant Source Code
Application Code
* debug.html - static file used for debug when DEBUGGING is true * fte.html - first time experience page; where the user lands first time using the app * handle_gaps.html - Handle Gaps * index.html - main app page; contains comments later pulled into HTML tags * message_handler.html - handle system messages * settings.html - view page for usage settings * widget.html - According #gaia, it is displayed in the notification tray of the system app
* js/CostControl.js - CostControl is the singleton in charge of provide data to the views by using asynchronous requests. * js/app.js - The application is in charge of display detailed information about the usage. * js/common.js - Common functions used throughout costcontrol * js/mindgap.js - This module is in charge of keep the historical of SIM changes in order to rebuild the accurate usage of each SIM. * js/view_manager.js - The ViewManager is in charge of simply manage the different views of the applications. * js/widget.js - The widget is in charge of show balance, telephony data and data usage statistics depending on the SIM inserted. * js/views/balance.js - The balance tab is in charge of show balance details and allows the use to manually update or top up via USSD or code. * js/views/datausage.js - The data usage tab is in charge of usage charts of mobile and wi-fi networks. * js/views/telephony.js - The telephony tab is in charge of show telephony and billing cycle information.
- shared/js/async_storage.js
- shared/js/l10n.js
- shared/js/l10n_date.js
- shared/js/lazy_loader.js
- shared/js/notification_helper.js
- shared/js/settings_listener.js
Permissions
- "sms":{} - sms-received, sms-sent system message.
- "mobileconnection":{} - access to SIM card, check service status
- "desktop-notification":{} - Notify user, with desktop notification, they've exceeded usage
- "settings":{ "access": "readonly" } - to read settings... but I don't see any references to mozSettings() except in a test
- "networkstats-manage":{} - Obtain statistics of data usage
- "alarms": {}, - alarm system message
- "telephony": {}, - telephony-call-ended system message.
- "storage": {} - use storage without size limitations
Web Activity Handlers
The application makes the following activities available to other apps:
- "costcontrol/balance" - simply change hash to #balance-tab
- "costcontrol/telephony" - simply change hash to #telephony-tab
- "costcontrol/data_usage"- simply change hash to #datausage-tab
Web Activity Usage
The following activities are initiated:
- dial - Used to dial webtelephony/number when "tapping Top Up and Pay"; appears to be related to users getting more credit on prepaid phones.
Notable Event Handlers
Code Review Notes
1. XSS & HTML Injection attacks
- No vulnerable or questionable code has been found. The application only builds HTML from static sources already defined. No user input is used to generate HTML elements or attributes.
Suspicious but OK
~/work/code/gaia/apps/costcontrol/js/view_manager.js:111 - panel.innerHTML = panel.childNodes[i].nodeValue;
- grabbing static HTML defined in a comment block inside index.html
~/work/code/gaia/apps/costcontrol/js/settings/settings.js:131 - src.innerHTML = xhr.responseText;
- XHR is fetching /debug.html which has no variable data
~/work/code/B2G/gaia/apps/costcontrol/js/view_manager.js:138 - var script = document.createElement('script');
- finds all defined script tags and redfines them, then appends to page
- <script type="text/javascript" defer="" src="js/fte.js"></script> is redefined as
<script src="js/fte.js" id="js/fte.js" type="application/javascript"></script>