WebAPI/Security/MobileConnection

From MozillaWiki
< WebAPI‎ | Security
Revision as of 07:50, 12 June 2012 by Ptheriault (talk | contribs) (Created page with "Name of API: Mobile Connection API Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection Brief purpose of API: This exposes information about the current mobile voice ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Name of API: Mobile Connection API Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection

Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.

Use Cases: The primary use case for this is the status bar of the main phone UI.

Inherent threats: Access to sensitive information such as: 

ICC-related (SIM/RUIM card)
own phone number and other ICC I/O related features
entering PIN, PIN2, PUK, PUK2 to unlock various states of the  SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers  deliver their SIM cards with the PIN lock enabled, for instance.
changing the PIN (also serves as enabling/disabling the PIN lock.)
device-related
get IMEI, IMEISV
depersonalize (remove network lock)
baseband-related information and features

Threat severity: High

Regular web content (unauthenticated)

Use cases for unauthenticated code: None Authorization model for normal content: None Potential mitigations: None

Trusted (authenticated by publisher)

Use cases for authenticated code: None Authorization model: None Potential mitigations: None

Certified (vouched for by trusted 3rd party)

Use cases for certified code: Telephone status UI Authorization model: Implicit Potential mitigations: None

Notes: Some radio feature are also accessible via Settings API

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/MobileConnection&oldid=440195"