Marketplace/Reviewers/Apps/Permissions

Revision as of 18:06, 27 December 2012 by Eviljeff (talk | contribs)

(need to reformat below into a useful table and talk around it)

Each entry below gives the permission(s), the intended use case, the abuse case, and notes for the reviewer where given.

Permission(s): alarms
Use case: Similar to setTimeout, except that the app is started if it isn't currently running. Used by apps to do polling or other background processing. The intended use case is that the app can specify when it needs to be woken up to do processing.
Abuse case: Threats: battery life, CPU usage. Firing frequent alarms to prevent an app from being shut down.

Permission(s): audio-channel-normal, audio-channel-content, audio-channel-notification, audio-channel-alarm
Use case: Competing with other audio channels; leaving audio running when the user leaves the app (e.g. a background music app). Hierarchy: normal & content < notification < alarm (< ringer < telephony < public notifications).
Abuse case: Poorly designed or belligerent channels which block other sound from being played. Using the "notification" or "alarm" channels for longer periods of time. Using the "content" channel for playing sounds that aren't expected to be played when the user isn't actively using the app.

Permission(s): browser
Use case: Act as a browser. Allows the app to render web pages inside an iframe, as if it were a normal top-level browser frame.
Abuse case: Bypassing the same-origin policy, e.g. using getScreenshot; not accurately displaying where the user is.

Permission(s): contacts
Use case: Access the address book. There are read, write and create levels. The reviewer should review the app in line with its description.
Abuse case: Scraping the address book and sending it to a third-party server. Modifying the contents of the address book without user consent.
For reviewer: Compare the description to the access requested. If they differ, that should be flagged.

Permission(s): desktop-notification
Use case: Send a notification that appears in the system tray. The user can click on the notification, and an event is sent to the application.
Abuse case: Spamming the user; not providing controls for the user to limit notifications.

Permission(s): device-storage:*
Use case: Access the user's media. Read, write and create access.
Abuse case: Deleting user media; reading it.
For reviewer: Validate that the requested access is what is actually being used. The app should only have the least access required to do what it wants to accomplish. Do not allow global deletes.

Permission(s): fmradio
Use case: Control the FM radio. Grantable to all apps.
Abuse case: Power usage? Privacy issues (probably low risk).

Permission(s): geolocation
Abuse case: Logging and storage of geolocation data.

Permission(s): systemXHR
Use case: Cross-origin XHR without CORS. Allows an app to request data from the web (without cookies or auth credentials).
Abuse case: Requests to private address ranges (not permitted).

Permission(s): tcp-socket
Use case: Opening a client socket to any host (e.g. mail, CalDAV, etc.), or making a raw connection back to the app's own server (although this should be WebSockets).
Abuse case: Similar to systemXHR: internal address ranges, port scanning, etc.