WebAPI/Security/WebNFC

From MozillaWiki
< WebAPI‎ | Security
Revision as of 14:40, 27 March 2015 by Arroway (talk | contribs) (Add scope of review)
Jump to navigation Jump to search

Name of API: WebNFC API Reference:

Brief purpose of API: Allow core (certified) and privileged apps to interact directly with NFC devices

General Use Cases: sharing content (media files, contacts) with NFC pairing, read/write NFC tags


Inherent threats:

  • Theft of sensitive data
  • Device compromise (configuring NFC device)
  • Potential for financial impact (payments via NFC) - cf the Secure Element API

Threat severity: Critical

Regular web content (unauthenticated) Use cases for unauthenticated code: None

Authorization model for normal content: None

Authorization model for installed content: None

Potential mitigations: N/A

Trusted (authenticated by publisher)

Same as for installed unauthenticated app

Certified (vouched for by trusted 3rd party)

Use cases for certified code:

  • Configure, enable/disable NFC devices.
  • Interact with NFC devices.
  • Manage NFC payments.

Security Review

Scope of Review

Gaia

  • System Application changes
  • Web Activities
  • System messages
  • Communication between system app and NFC client app
  • Certified NFC applications
  • 3rd party NFC apps

Out of scope for now:

  • Wallet Application (see Secure Element API)
  • Certified transportation/miFare applications

Gecko

  • mozNfc APIs
  • Gecko Permissions
  • Messaging (NFC:* messages, system messages)
  • NFC System worker
  • Interface to nfcd on IPC socket

Out of scope:

  • Secure elements
    • access control
    • integration with RIL

Gonk

  • NFC Daemon (nfcd)
  • Interface to lib
Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/WebNFC&oldid=1064870"