Security/Reviews/Gaia/Music

Revision as of 17:11, 20 February 2013 by St3fan

App Review Details

  • App: Gallery
  • Review Date: 20 Feb 2013
  • Review Lead: Stefan Arentz

Overview

Music is the music player.

Architecture

Components

Relevant Source Code

Source code can be found at https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/music

Application code:

  • index.html - The UI for the application
  • open.html - The UI for the view that is shown for the 'open' Activity
  • js/music.js
  • js/open.js
  • js/Player.js
  • js/utils.js
  • js/metadata.js

Shared code:

  • shared/js/l10n.js
  • shared/js/mouse_event_shim.js
  • shared/js/mediadb.js
  • shared/js/blobview.js
  • shared/js/async_storage.js

See also these bugs:

  • bug 840659 [Security Review] Gaia Shared Code MediaDB

Permissions

The application has the following permissions:

  • "device-storage:music":{"access":"readwrite"},
  • "audio-channel-content":{},
  • "settings":{"access":"readonly"} - Because it needs to access the chosen locale, which is stored in the settings. (This is via shared/js/l10n.js, which accesses the language.current setting through navigator.mozSettings)
  • deprecated-hwvideo

Web Activity Handlers

The application makes the following activities available to other apps:

  • open - To let third party applications play audio files in a standard UI

Blobs are documented at https://developer.mozilla.org/en/docs/DOM/Blob

Web Activity Usage

The following activities are initiated:

  • share

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

2. Secure Communications

This app does not communicate with any external services.

3. (Secure) data storage

Two data storage APIs are used:

  • The DeviceStorage API is used to manage the raw music files on the SD Card
  • The IndexedDB API is used to manage the metadata of the files (titles, filenames, thumbnails)

All the code to do this is contained in /shared/js/mediadb.js, which will have its own review through bug 840659.

4. Denial of Service

5. Use of Privileged APIs

  • DeviceStorage - used to access the audio and video files
  • Settings - used by shared/js/l10n.js to keep track of locale changes

TODO what is the deprecated-hwvideo permission? Is that an API?

6. Interfaces with other Apps/Content

Security Risks & Mitigating Controls

Actions & Recommendations

The application unnecessarily has access to all system settings. This is an issue with the Settings API that should be improved in a future version of Firefox OS:

  • bug 841071 Settings are globally shared between applications
  • bug 841196 Applications should stop using settings permission to just get locale info

The application might not need the deprecated-hwvideo permission. I've filed a bug to investigate this.

  • bug 843144 Music might not need the deprecated-hwvideo permission