MozillaWiki

Security/Reviews/Gaia/sms

< Security‎ | Reviews‎ | Gaia
Revision as of 05:48, 6 September 2013 by Ptheriault (talk | contribs) (→‎1. XSS & HTML Injection attacks)

App Review Details

Overview

SMS app provides the ability to send and receive SMS/MMS messages. SMS was reviewed previously in jun 2013. This review has been completed primarily to include the addition of MMS functionality. The prior review can be found here

Architecture

Components

SMS app is structed as a single HTML page. This page displays the list of SMS messages, UI for composing sms, viewing threads, deleting messages etc.

A message is composed of a phone number and optional body, contact and threadId. There is also web activity handlers so that other apps can ask the SMS app to send a message.

Inputs to the SMS app: SMS events from system, web activity requests, data from contacts, user input to write the SMS.

At startup, 4 components are initialized:

  • ActivityHandler: application's global Activity handler to delegate to specific handler based on the Activity name; action when receiving a sms/mms.
  • ThreadUI: UI actions (listeners, view initialization, message templating...)
  • MessageManager: message actions (send, receive...)
  • Settings: set the default mms message size limitation


Relevant Source Code

UI:

  • action_menu.js
  • attachment_menu.js
  • compose.js - handle UI specifics of message composition
  • dialog.js - generic confirm screen
  • fixed_header.js
  • thread_list_ui.js - track current number of rendered threads
  • thread_ui.js - manage threads
  • waiting_screen.js

Actions:

  • activity_handler.js - main activity handler
  • activity_picker.js - to perform actions such as calling/adding/editing a contact, sending a sms/mms/email
  • attachments.js - create an attachment object (media source and text)
  • contacts.js - find/filter contacts
  • blacklist.js - get the blacklisted numbers
  • link_action_helper.js - link url/email/phone data in a message
  • message_manager.js - send/received messages
  • notify.js - notification on incoming message
  • recipients.js - manage recipients list
  • smil.js - handle SMIL document (layout of MMS message)
  • startup.js

Settings:

  • settings - default MMS size limitation if no operator specification

Util:

  • link_helper.js - replace input strings by anchor links for url, phone, email
  • utils.js - time, contact details, font size, carrier tag, etc.
  • wbmp.js - decode the Wireless Bitmap image format (.wbmp is Wireless Application Protocol Bitmap Format)


Shared code:

  • shared/js/l10n.js
  • shared/js/lazy_loader.js

The *_mock.js files are not reviewed since they are test files.


Permissions

The sms app requires the following permissions (unchanged from the previous review): 

 "permissions": {
   "sms":{},
   "storage":{},
   "contacts":{ "access": "readonly" },
   "settings":{ "access": "readonly" },
   "audio-channel-notification":{},
   "desktop-notification":{}
 }

Web Activity Handlers

The SMS app handles two Activities, defined in activity_handler.js: 

 "activities": {
   "new": {
     "filters": {
       "type": "websms/sms",
       "number": {
         "pattern":"[\\w\\s+#*().-]{0,50}"
       }
      },
     "disposition": "window"
   },
   "share": {
     "filters": {
       "type": ["image/*", "audio/*", "video/*"],
       "number": 1
      },
     "disposition": "window",
     "returnValue": true
   }
 }
  • new - to create a new message and pre-populate message details (phone number, body, contact).
  • share - to allow to send a media in attachment via a SMS/MMS, launching the sms app from another app.

Web Activity Usage

  • blacklist.js gets the blacklist file by an XHR request to 'js/backlist.json'.
  • ActivityPicker can make calls to several activities with web usage: new (mail), view (url)
  • A pick Activity (with type ['image/*', 'audio/*', 'video/*']) is used to allow the user to create an attachment.
  • A pick Activity (with type webontacts/contacts) is used to retrieve a Contact from the adress book.

Notable Event Handlers

The 'hashchange' event handler is used in threads.js and activity_handler.js.

Code Review Notes

1. XSS & HTML Injection attacks

2. Secure Communications

No comunication with any external services.

3. Secure data storage

Sms data is stored in indexeddb, which is stored inside the profile, which is to be protected via file permissions.

4. Denial of Service

No issues.

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

No issues.

Actions & Recommendations

  • bug 879136
Retrieved from "https://wiki.allizom.org/index.php?title=Security/Reviews/Gaia/sms&oldid=703735"