Security/Reviews/Gaia/system

App Review Details

  • App: System App
  • Review Date: 7 March 2013
  • Review Lead: Paul Theriault

Overview

At the heart of Gaia is the System App, which is the app that loads all other apps and manages all system-level activities. When B2G starts, the system app is loaded, which in turn loads the scripts providing the interface for the phone, including the home screen, lock screen, status bar and various other components. The system app manages running applications and provides system-level UI, such as notifications, the lockscreen, the status bar and popups/dialogs, amongst other things. Applications are loaded into iframes within the system app (of type mozapp and mozbrowser, so that the system app can monitor their events and manage them).

Once loaded, the simplified window hierarchy is as follows:

  <window> Gecko Chrome
  |
  +--> <iframe> system app
          |
          +--> <iframe> homescreen app
          |
          +--> <iframe> keyboard
          |
          +--> <iframe> lockscreen
          |
          +--> ... more app iframes are created here as apps are loaded

Architecture

Inputs/Outputs

  • chromeEvent & customEvent interface
    • Todo: how does gecko validate the sender of customEvents? Is it ever possible that a customEvent sent from another app might end up received by gecko? I guess not because of the window hierarchy, but I am not sure of this.
  • system messages

One-way messaging from gecko to apps. Apps can declare that they want to receive certain messages, and if they have the right permissions they will be sent these messages (handled by navigator.setMessageHandler(topic, …)).

  • mozBrowser events
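The following is an added example, not Gecko or Gaia code: a simplified model of the routing rule described above, in which a system message reaches an app only if the app both declared the message in its manifest and holds the permission the topic requires. The topic-to-permission table and the installed-app list are constructed for illustration; the real checks live in Gecko. The app-side registration at the bottom uses the real navigator.setMessageHandler(topic, handler) API and is guarded so the model still runs outside Firefox OS.

```javascript
// Constructed sample: which permission each message topic requires.
// (Assumed mapping for illustration; the real table belongs to Gecko.)
const TOPIC_PERMISSION = {
  'sms-received': 'sms',
  'alarm': 'alarms',
};

// Constructed sample of installed apps: each has a manifest listing the
// "messages" it declared and the permissions it was actually granted.
const INSTALLED_APPS = [
  { name: 'messaging', manifest: { messages: [{ 'sms-received': '/index.html' }], permissions: { sms: {} } } },
  { name: 'evil-app',  manifest: { messages: [{ 'sms-received': '/index.html' }], permissions: {} } },
  { name: 'clock',     manifest: { messages: [{ 'alarm': '/index.html' }], permissions: { alarms: {} } } },
];

// Names of apps that both declared interest in the topic and hold the
// permission the topic requires. Declaring interest alone is only a request;
// the granted permission is the authority, so 'evil-app' is skipped.
function recipientsFor(topic, apps = INSTALLED_APPS, table = TOPIC_PERMISSION) {
  const required = table[topic];
  if (required === undefined) return []; // unknown topic: deliver to nobody
  return apps
    .filter(app => (app.manifest.messages || []).some(entry => topic in entry))
    .filter(app => required in (app.manifest.permissions || {}))
    .map(app => app.name);
}

// One-way delivery from the (modelled) platform to the apps' handlers.
// Returns the names of apps that actually received the payload.
function deliver(topic, payload, handlers, apps = INSTALLED_APPS) {
  const delivered = [];
  for (const name of recipientsFor(topic, apps)) {
    const handler = handlers[name];
    if (typeof handler === 'function') {
      handler(payload);
      delivered.push(name);
    }
  }
  return delivered;
}

// App side, written against the real Firefox OS API. Returns false when the
// API is absent (e.g. in Node), so the model above can be exercised anywhere.
function registerAppHandler(topic, handler) {
  if (typeof navigator !== 'undefined' && typeof navigator.setMessageHandler === 'function') {
    navigator.setMessageHandler(topic, handler);
    return true;
  }
  return false;
}
```

The point the model makes is that the manifest's "messages" entry and the "permissions" entry are checked independently: an app can ask for any topic, but it is only wired up when the platform has granted the matching permission.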


Components

The system is made up of many different parts, but the main ones are:

  • Lockscreen: shown when the phone is first turned on. Includes a camera and dialer for use when the phone is locked (since apps can't be launched when the phone is locked).
  • Attention screen: an overlay window in which apps with the 'attention' permission can show content (it's the only way for a background app to show content). Used for things like displaying the incoming call screen etc.
  • CardsView: the main UI handling component. Apps are loaded into 'cards' which are shown and hidden as the user launches and switches apps.
  • identity.js: Persona integration for Firefox OS
  • payment.js: provides the UI and mechanism to integrate with the Payments API
  • Keyboard manager: loads the keyboard
  • Widgets and dialogs to handle all system UI events
  • Utility (notification) tray: shows notifications when the user drags the top bar down
  • Top bar: shows important information like mobile connection status and API use indicators (geolocation etc)
  • Update manager: manages downloading and installing updates

Relevant Source Code

See Security/Reviews/Gaia/system/code

Permissions

Web Activity Handlers

Web Activity Usage

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

2. Secure Communications

3. Secure data storage

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

Security Risks & Mitigating Controls

  • Bluetooth file transfer contains malicious data (in contents or metadata)
    • Need further investigation, and testing of bluetooth_transfer.js
  • Wallpaper setting is a CSS url
    • if this could be controlled, this may be an injection point (not sure what attack this would grant though really)
  • Background App interferes with foreground app
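For the wallpaper item above, an added example (not Gaia's own wallpaper code) of the control a reviewer would expect at such an injection point: validate the wallpaper value against an allow-list before it is interpolated into a CSS url(), so that a stored or app-supplied string can neither break out of the url() token nor reference a remote resource. The accepted forms (app-local image paths under /resources or /style, or base64 data: URLs with an image MIME type) and the size cap are assumptions chosen for the example.

```javascript
// Constructed allow-list of image MIME types accepted inside a data: URL.
const ALLOWED_IMAGE_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']);
const MAX_WALLPAPER_LENGTH = 2 * 1024 * 1024; // assumed cap on an inlined image

// Return true only for values that are safe to place inside url("...").
function isSafeWallpaperUrl(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_WALLPAPER_LENGTH) {
    return false;
  }
  // Quotes, parentheses, backslashes, whitespace and control characters can
  // terminate the url() token or start an escape; reject rather than escape.
  if (/[()"'\\\s\u0000-\u001f]/.test(value)) return false;

  if (value.toLowerCase().startsWith('data:')) {
    // Only data:<image type>;base64,<payload> is accepted.
    const m = /^data:([a-z0-9.+\/-]+);base64,[a-z0-9+\/=]+$/i.exec(value);
    return m !== null && ALLOWED_IMAGE_TYPES.has(m[1].toLowerCase());
  }
  // Otherwise the value must be an app-relative path to a bundled image; this
  // excludes http(s):, javascript: and any other scheme, and any '..' segment.
  return /^\/(?:resources|style)\/[a-z0-9_\-\/]+\.(?:png|jpe?g|gif)$/i.test(value);
}

// Build the CSS declaration with the value quoted; null when the value is rejected.
function wallpaperCss(value) {
  if (!isSafeWallpaperUrl(value)) return null;
  return `background-image: url("${value}")`;
}
```

Rejecting instead of escaping keeps the rule auditable: anything that is not plainly an app-local image or an inlined image is dropped, and the caller falls back to the default wallpaper.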


Actions & Recommendations

background_service.js is now removed - should the 'background' permission be removed too?