Security/Reviews/Gaia/Dialer

WORK IN PROGRESS WORK IN PROGRESS

• App: Dialer
• Review Date: 25 Feb 2013
• Review Lead: Stefan Arentz
• Review Bug: bug 754741 [Security Review] B2G Gaia - Dialer
• Dependency Tree: https://bugzilla.mozilla.org/showdependencytree.cgi?id=754741&hide_resolved=1

Components

Relevant Source Code

Source code can be found at https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/dialer

Application code:

• dialer/index.html
• dialer/oncall.html
• dialer/ussd.html
• dialer/js/keypad.js
• dialer/js/dialer.js

Shared code:

• shared/js/mouse_event_shim.js
• shared/js/async_storage.js
• shared/js/l10n.js
• shared/js/l10n_date.js
• shared/js/mobile_operator.js
• shared/js/notification_helper.js
• shared/js/simple_phone_matcher.js
• shared/js/settings_listener.js
• contacts/js/confirm_dialog.js
• contacts/js/fb/fb_data.js
• contacts/js/fb/fb_contact_utils.js
• dialer/js/contacts.js
• dialer/js/recents.js
• dialer/js/telephony_helper.js
• dialer/js/ussd.js

Permissions

   "telephony":{},
   "voicemail":{},
   "contacts":{ "access": "readwrite" },
   "mobileconnection":{},
   "attention":{},
   "settings":{ "access": "readwrite" },
   "desktop-notification":{},
   "alarms": {},
   "systemXHR": {},
   "wifi-manage":{},
   "time": {},
   "audio-channel-telephony":{},
   "audio-channel-ringer":{},
   "browser":{}

Web Activity Handlers

Dial

The dial activity is used to start the process of making a call.

   "dial": {
     "filters": {
       "type": "webtelephony/number"
     },
     "href": "/dialer/index.html#keyboard-view",
     "disposition": "window"
   }

It is handled at https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/dialer.js#L19

The dial handler does not actually dial numbers. The only thing it does is ask the KeypadManager to enter the number. The user will always have to tap the dial button before a call is being made.

TODO Does the KeypadManager do any filtering / checking on the number? TODO What happens if we pass something bad for the number TODO Is it possible to make the keypad show number 123 while dialing a different number through some content or font rendering attack?

System Messages

 "messages": [
    { "alarm": "/facebook/fb_sync.html" },
    { "bluetooth-dialer-command": "/dialer/index.html#keyboard-view" },
    { "headset-button": "/dialer/index.html#keyboard-view" },
    { "notification": "/dialer/index.html#keyboard-view" },
    { "telephony-new-call": "/dialer/index.html#keyboard-view" },
    { "ussd-received": "/dialer/index.html#keyboard-view" }
 ]

Web Activity Usage

Notable Event Handlers

1. XSS & HTML Injection attacks

2. Secure Communications

3. (Secure) data storage

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

7. Oddities

The application unnecessarily has access to all system settings. This is an issue with the Settings API that should be improved in a future version of Firefox OS:

• bug 841071 Settings are globally shared between applications
• bug 841196 Applications should stop using settings permission to just get locale info