Name of API: Settings API References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=678695
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
Brief purpose of API: API to configure device settings
General Use Cases: None
Inherent threats:
- Access sensitive configuration data (WiFi passwords etc)
- Change settings which might cost user money (data settings, roaming etc)
- Privacy implications
Threat severity: High
Regular web content (unauthenticated)
Use cases for unauthenticated code: Read/change non-sensitive settings
Authorization model for normal content: None
Authorization model for installed content: Implicit read access to limited settings. Write access via web activities.
Potential mitigations: Only non-sensitive settings will be exposed to regular apps.
Privileged (approved by app store)
Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions
Authorization model: Implicit
Potential mitigations: Access to a subset of lower risk settings
Certified (system-critical apps)
Use cases for certified code: replacement settings manager app
Authorization model: Implicit access to all settings
Potential mitigations: None