Security/Reviews/Gaia/homescreen
App Review Details
- App: Homescreen
- Review Date: 22/2/2012
- Review Lead: Paul Theriault
Overview
The homescreen app is the main UI for the phone. It is shown as soon as the phone is unlocked and is primarily used to launch other apps. It also houses the everything.me component, which is a tool for finding and launching mobile websites and web apps.
Architecture
Components
The Homescreen App is implemented as a certified packaged Web App and is installed to the phone as part of the Gaia repository. The source code for the homescreen can be found here: http://mxr.mozilla.org/gaia/source/apps/homescreen/
Everything.me is essentially a separate app which is included in the homescreen since they need to share data and be closely integrated from a UI perspective.
Relevant Source Code
Permissions
- "webapps-manage": used to get the list of all installed apps, so that apps can be launched when their icon is tapped.
- "systemXHR": used to load application icons.
- "settings": used to observe when the language changes (which can't be done with navigator.language) and also to set the keyboard language.
- "device-storage:pictures": this is no longer used; bug 843921 raised to remove this.
- "open-remote-window": this allows the homescreen to open windows in separate content processes (i.e. <iframe remote='true'>).
- "geolocation": used by everything.me to provide more relevant content.
Web Activity Handlers
Other apps/pages can send a bookmark activity to the homescreen to request a url be bookmarked as an icon on the homescreen.
The code for this handler is here: http://mxr.mozilla.org/gaia/source/apps/homescreen/js/save-bookmark.js The handler then calls BookmarkEditor.init(options), with options containing the data from the activity, which displays a screen for the user to edit the bookmark before it is added. The user then chooses to save (or cancel), and the bookmark URL is checked to make sure it starts with http(s):
// Only allow http(s): urls to be bookmarked.
if (/^https?:/.test(this.bookmarkUrl.value) == false)
return;
The name or icon parameters are not sanitized at all, so there is a spoofing risk here.
- Issue: setting iconable to true, and supplying an icon, results in an app pinned with no icon, and it's not possible to remove these from the homescreen.
(still investigating this)
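To make the spoofing point concrete, here is an added example (not Gaia's own code) of how a bookmark activity handler could validate the incoming options before pinning an icon. It keeps the http(s)-only scheme check quoted above and adds the name and icon checks the review notes are missing; the field names url, name and icon follow the review's description of the activity options, while the specific rules (control and bidi character stripping, length bound, http(s)-only icons) are this example's assumptions, not the handler's actual behaviour.

```javascript
// Added example, not Gaia's handler: validating the options a "bookmark"
// web activity hands to the homescreen before an icon is pinned.
// Field names (url, name, icon) are assumed from the review's description;
// the validation rules below are this example's own choices.

// The scheme check the review quotes: only http(s): URLs may be bookmarked.
function isBookmarkableUrl(url) {
  return typeof url === 'string' && /^https?:/.test(url);
}

// Hardening for the unsanitized name: drop C0 control characters and DEL,
// drop zero-width and bidi-override code points that could make a bookmark
// label mimic another app's, then trim and bound the length.
// Returns null if nothing usable remains.
function sanitizeName(name, maxLen = 32) {
  if (typeof name !== 'string') return null;
  const cleaned = name
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .replace(/[\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/g, '')
    .trim()
    .slice(0, maxLen);
  return cleaned.length ? cleaned : null;
}

// Assumed rule for icons: absent, or an http(s) URL. This rejects
// caller-supplied data:, blob: or javascript: icon sources outright.
function isAcceptableIcon(icon) {
  return icon === undefined || icon === null || isBookmarkableUrl(icon);
}

// Validate the whole activity payload. Returns { ok, reason } on rejection
// or { ok: true, bookmark } with the cleaned values to pin.
function validateBookmarkActivity(data) {
  if (!data || !isBookmarkableUrl(data.url)) {
    return { ok: false, reason: 'url must be http(s)' };
  }
  const name = sanitizeName(data.name);
  if (name === null) {
    return { ok: false, reason: 'name is empty after sanitization' };
  }
  if (!isAcceptableIcon(data.icon)) {
    return { ok: false, reason: 'icon must be an http(s) URL' };
  }
  return {
    ok: true,
    bookmark: { url: data.url, name: name, icon: data.icon || null }
  };
}

// Constructed sample payloads, as a handler might receive them.
const samples = [
  { url: 'https://example.com/', name: 'Example' },
  { url: 'javascript:void(0)', name: 'Not allowed' },
  { url: 'http://example.com/', name: '  Settings\u202e ', icon: 'data:image/png;base64,AAAA' },
  { url: 'http://example.com/', name: '\u0000\u200b' }
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of samples) {
    console.log(JSON.stringify(validateBookmarkActivity(s)));
  }
}
```

The name sanitizer runs before trim so that a trailing bidi override or zero-width character cannot keep surrounding whitespace alive, and the URL and icon checks share one scheme test so the two cannot drift apart.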
Web Activity Usage
- E.me launches URLs using web activities.
- Homescreen launches the wallpaper app to set the wallpaper.