Security/Reviews/Gaia/Dialer

WORK IN PROGRESS WORK IN PROGRESS

• App: Dialer
• Review Date: 25 Feb 2013
• Review Lead: Stefan Arentz
• Review Bug: bug 754741 [Security Review] B2G Gaia - Dialer
• Dependency Tree: https://bugzilla.mozilla.org/showdependencytree.cgi?id=754741&hide_resolved=1

Components

Relevant Source Code

Source code can be found at https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/dialer

Application code:

• dialer/index.html
• dialer/oncall.html
• dialer/ussd.html
• dialer/js/keypad.js
• dialer/js/dialer.js

Shared code:

• shared/js/mouse_event_shim.js
• shared/js/async_storage.js
• shared/js/l10n.js
• shared/js/l10n_date.js
• shared/js/mobile_operator.js
• shared/js/notification_helper.js
• shared/js/simple_phone_matcher.js
• shared/js/settings_listener.js
• contacts/js/confirm_dialog.js
• contacts/js/fb/fb_data.js
• contacts/js/fb/fb_contact_utils.js
• dialer/js/contacts.js
• dialer/js/recents.js
• dialer/js/telephony_helper.js
• dialer/js/ussd.js

Permissions

   "telephony":{},
   "voicemail":{},
   "contacts":{ "access": "readwrite" },
   "mobileconnection":{},
   "attention":{},
   "settings":{ "access": "readwrite" },
   "desktop-notification":{},
   "alarms": {},
   "systemXHR": {},
   "wifi-manage":{},
   "time": {},
   "audio-channel-telephony":{},
   "audio-channel-ringer":{},
   "browser":{}

Web Activity Handlers

Dial

The dial activity is used to start the process of making a call.

   "dial": {
     "filters": {
       "type": "webtelephony/number"
     },
     "href": "/dialer/index.html#keyboard-view",
     "disposition": "window"
   }

It is handled at https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/dialer.js#L19

The dial handler does not actually dial numbers. The only thing it does is ask the KeypadManager to enter the number. The user will always have to tap the dial button before a call is being made.

ISSUES: The dialer does not correctly validate input. I was able to do multiple malicious things:

• bug 845383 Dialer accepts super long phone number which breaks the phone until reboot
• bug 845361 Dialer does not correctly validate input to the dial activity handler
• bug 845045 Dialer can be tricked into displaying one number but dialing another

ACTION: We need better defensive coding around input taken from activities.

System Messages

Since the Dialer is part of the communications app, it accepts a number of system messages:

 "messages": [
    { "alarm": "/facebook/fb_sync.html" },
    { "bluetooth-dialer-command": "/dialer/index.html#keyboard-view" },
    { "headset-button": "/dialer/index.html#keyboard-view" },
    { "notification": "/dialer/index.html#keyboard-view" },
    { "telephony-new-call": "/dialer/index.html#keyboard-view" },
    { "ussd-received": "/dialer/index.html#keyboard-view" }
 ]

The dialer installs a handler for the following:

• notification
• telephony-new-call
• bluetooth-dialer-command
• headset-button
• ussd-received

notification

The notification message is handled by handleNotification() in https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/dialer.js#L52

This message is fired when the user clicks on a missed call notification. The only thing the dialer does is launch itself, to firce itself to the foreground, and open the recents view. No information is taken from the notification or passed to the app.

telephony-new-call

The telephony-new-call message is handled by newCall() in https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/dialer.js#L118

This message is fired by ... (TODO Fired by what?) when an incoming call happens. The dialer calls openCallScreen() which loads the oncall.html page in a new window. It uses navigator.mozTelephony to keep track of the call status.

The real work of handling a call is done in https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/oncall.js

Notifications

The app handles notifications at https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/dialer/js/dialer.js#L52

The only thing it does is bring up the dialer in the #recents-view tab.

Post Messages

TODO Not sure what the official name for this is. I am referring to window.postMessage().

TODO The app does not check the origin of the post messages. Is that exploitable? Can another app send a message? Can content loaded from this app send a message? Like that Facebook thing?

Web Activity Usage

Notable Event Handlers

1. XSS & HTML Injection attacks

2. Secure Communications

3. (Secure) data storage

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

7. Oddities

The application unnecessarily has access to all system settings. This is an issue with the Settings API that should be improved in a future version of Firefox OS:

• bug 841071 Settings are globally shared between applications
• bug 841196 Applications should stop using settings permission to just get locale info