WebAPI/Security/Settings

From MozillaWiki
< WebAPI‎ | Security
Revision as of 21:37, 6 August 2012 by Ladamski (talk | contribs)
Jump to navigation Jump to search

Name of API: Settings API References:

Brief purpose of API: API to configure device settings

General Use Cases: None

Inherent threats:

  • Access sensitive configuration data (WiFi passwords etc)
  • Change settings which might cost user money (data settings, roaming etc)
  • Privacy implications

Threat severity: High

Regular web content (unauthenticated)

Use cases for unauthenticated code: Read/change non-sensitive settings

Authorization model for normal content: None

Authorization model for installed content: Implicit read access to limited settings. Write access via web intents.

Potential mitigations: Only non-sensitive settings will be exposed to regular apps.

Privileged (approved by app store)

Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions

Authorization model: Implicit

Potential mitigations: Access to a subset of lower risk settings

Certified (system-critical apps)

Use cases for certified code: replacement settings manager app

Authorization model: Implicit access to all settings

Potential mitigations: None

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Settings&oldid=458300"