WebAPI/Security/WebNFC

From MozillaWiki
< WebAPI‎ | Security
Revision as of 14:51, 27 March 2015 by Arroway (talk | contribs) (add doc and reference)
Jump to navigation Jump to search

Name of API: WebNFC API Reference:

Brief purpose of API: Allow core (certified) and privileged apps to interact directly with NFC devices

General Use Cases: sharing content (media files, contacts) with NFC pairing, read/write NFC tags


Inherent threats:

  • Theft of sensitive data
  • Device compromise (configuring NFC device)
  • Potential for financial impact (payments via NFC) - cf the Secure Element API

Threat severity: Critical

Regular web content (unauthenticated) Use cases for unauthenticated code: None

Authorization model for normal content: None

Authorization model for installed content: None

Potential mitigations: N/A

Trusted (authenticated by publisher)

Same as for installed unauthenticated app

Certified (vouched for by trusted 3rd party)

Use cases for certified code:

  • Configure, enable/disable NFC devices.
  • Interact with NFC devices.
  • Manage NFC payments.

Security Review

Scope of Review

Gaia

  • System Application changes
  • Web Activities
  • System messages
  • Communication between system app and NFC client app
  • Certified NFC applications
  • 3rd party NFC apps

Out of scope for now:

  • Wallet Application (see Secure Element API)
  • Certified transportation/miFare applications

Gecko

  • mozNfc APIs
  • Gecko Permissions
  • Messaging (NFC:* messages, system messages)
  • NFC System worker
  • Interface to nfcd on IPC socket

Out of scope:

  • Secure elements
    • access control
    • integration with RIL

Gonk

  • NFC Daemon (nfcd)
  • Interface to lib

Documentation and reference

Key Bugs

Security Review: WebNFC bug 749325
Feature Bug (meta): https://bugzilla.mozilla.org/show_bug.cgi?id=860906
Dependent bugs: https://bugzilla.mozilla.org/showdependencytree.cgi?maxdepth=2&id=860906&hide_resolved=0


Gonk
NFC Daemon for B2G (daemon for supporting lib-nxp): bug 860907
B2G NFC: NFC Daemon for supporting libnfc-nci (daemon for supporting lib-nci): bug 906579
B2G NFC: Define protocol to communicate between nfcd and b2g: bug 897312

Gecko
WebNFC (near-field communication): bug 674741

Gaia
B2G Gaia Integration for NFC: bug 860910

Secure Element Support
NFC Secure Element Support: bug 879861 Support Nfc Access Control for Secure Element Access: bug 884594

Documentation about the NFC API:

https://developer.mozilla.org/en-US/docs/Web/API/NFC_API
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_API
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_emulator

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/WebNFC&oldid=1064873"