From MozillaWiki
< Security‎ | Reviews‎ | Gaia
Jump to: navigation, search

App Review Details


Music is the music player application. It plays music stored on the SD card and also allows to share music via NFC and Bluetooth.

The app keeps a database containing references to audio files and meta data. It uses musicdb to access the files and has code to parse FLAC/ID3/Ogg/MP4 meta data like song title, artist, album, etc. It can also extract the album art from a file.



These components are used and details can be found in


Relevant Source Code

Source code can be found at

Application code:

  • index.html - The UI for the application
  • open.html - The UI for the view that is shown for the 'open' Activity
  • pick.html - The UI for the view that is shown for the 'pick' Activity
  • js/app.js - The code for the main application
  • js/db.js - Code for musicdb API to manage audio files and metadata
  • js/endpoint.js - Code for music service API
  • js/nfc_share.js - Code for sharing songs via NFC
  • js/queue.js - Code for Playback Queue
  • js/remote.js – Code for updating remote playback status and metadata (synchronize)
  • js/view.js - Code to share with all diferent views
  • js/shims/device-storage.js - Code for device storage
  • js/metadata/ - Code for metadata parser that supports different formats of metadata
  • js/services/ - Code for different services like database service, playlist service, etc.
  • components/
  • elements/
  • views/ - Code for different views like albums, artists, playlists, songs,..etc
  • sw.js - Service worker code

Shared code:

  • shared/js/media/remote_controls.js
  • shared/js/async_storage.js
  • shared/js/bluetooth_helper.js
  • shared/js/image_utils.js
  • shared/js/intl_helper.js
  • shared/js/intl/l20n-client.js
  • shared/js/intl/l20n-service.js
  • shared/js/lazy_loader.js
  • shared/js/mediadb.js
  • shared/js/moz_intl.js
  • shared/js/omadrm/fl.js
  • shared/js/text_normalizer.js


The application has the following permissions:

"audio-channel-content": {},
"bluetooth": {},
"device-storage:music":    { "access": "readwrite" },
"device-storage:pictures": { "access": "readwrite" },
"nfc-share": {},
"settings": { "access": "readonly" },
"themeable": {},
"moz-extremely-unstable-and-will-change-webcomponents": {}

Web Activity Handlers

Support two activities: open (audio) and pick (audio)

  • Open – Open an audio file
  • Pick – Pick a song and return its playback status like title, artist, album.

Web Activity Usage

The following activities are initiated:

  • share (endpoint.js)

Notable Event Handlers

No issues identified

Code Review Notes

1. XSS & HTML Injection attacks

No XSS or Injection attacks were found.

2. Secure Communications

This app does not communicate with any external services.

3. Secure data storage

The musicdb API is implemented in /js/db.js and used to manage music files and metadata on the SD Card

4. Denial of Service

It might be possible to confuse the meta-data parser by storing a malformed or constructed audio file on the device. This could lead to the library failing to render or audio files missing. None of which is serious enough to consider.

Since all file parsing is done in high level JavaScript, there is no way that the above attack could lead to a privilege escalation or code execution attack.

5. Use of Privileged APIs

  • DeviceStorage - used to access the audio and picture files
  • Settings - used to read locale settings

6. Interfaces with other Apps/Content

Only through Web Activities.

Security Risks & Mitigating Controls

Actions & Recommendations

Previous Review