WebAPI/Security/SMS

From MozillaWiki
< WebAPI‎ | Security
Revision as of 00:31, 2 May 2012 by Ladamski (talk | contribs) (Created page with "Name of API: Web SMS API References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725 Brief purpose of API: Send and recieve SMS messages General Use Cases: None Inherent ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Name of API: Web SMS API

References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725

Brief purpose of API: Send and recieve SMS messages

General Use Cases: None

Inherent threats:

  • Sending an SMS costs user money, premium SMS services, SMS payments etc
  • Receiving SMS has privacy implications, SMS also used for 2-factor authentication

Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings

Regular web content (unauthenticated)

Use cases for unauthenticated code: App prompts user to send SMS

Authorization model for uninstalled web content: Explicit (via web activities)

Authorization model for installed web content: Explicit (via web activities)

Potential mitigations:

Trusted (authenticated by publisher)

Use cases for authenticated code: Full-featured SMS app. Read & send SMS.

Authorization model: Explicit

Potential mitigations: Check your phone bill?

Certified (vouched for by trusted 3rd party)

Use cases for certified code: SMS app

Authorization model: Implicit

Potential mitigations: None beyond certification

Note: Should trusted apps be able to register as handlers for SMS web activities/intents, or only certified apps?