Security/Reviews/Gaia/system

App Review Details

  • App: System App
  • Review Date: 7 March 2013
  • Review Lead: Paul Theriault

Overview

At the heart of Gaia is the System App, which loads all other apps and manages all system-level activities. When B2G starts, the system app is loaded, which in turn loads the scripts providing the interface for the phone, including the home screen, lock screen, status bar and various other components. The system app manages running applications and provides system-level UI, such as notifications, the lock screen, the status bar and popups/dialogs, amongst other things. Applications are loaded into iframes within the system app (of type mozapp and mozbrowser, so that the system app can monitor their events and manage them).

Once loaded, the simplified window hierarchy is as follows:

  <window> Gecko Chrome
  |
  +--> <iframe> system app
          |
          +--> <iframe> homescreen app 
          |
          +--> <iframe> keyboard
          |
          +--> <iframe> lockscreen
          |
          +--> ... more app iframes are created here as apps are loaded

Architecture

Components

/index.html This is the main system app page that is loaded by Gecko at startup. It loads many scripts which implement the various parts of the System app. See source code section below for details.

/camera/index.html This page provides the camera on the lockscreen. It is basically a cut-down version of the camera app.

/emergency-call/index.html This page provides the dialer on the lockscreen for making emergency calls.

Relevant Source Code

Permissions

Web Activity Handlers

Web Activity Usage

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

2. Secure Communications

3. Secure data storage

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

Security Risks & Mitigating Controls

Actions & Recommendations