WebAPI/Security/SMS

From MozillaWiki
Jump to: navigation, search

Web SMS API

Brief purpose of API: Send and receive SMS messages

General Use Cases: None

Inherent threats:

  • Sending an SMS costs user money, premium SMS services, SMS payments etc
  • Receiving SMS has privacy implications, SMS also used for 2-factor authentication

Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings

References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725
Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/58a66963732b09a0/9ae97f65a9e74c78

Type Use Cases Authorization Model Notes & Other Controls
Web Content App prompts user to send SMS No direct access (access via web activities)
Installed Web Apps App prompts user to send SMS No direct access (access via web activities)
Privileged Web Apps App prompts user to send SMS * No direct access (access via web activities)
Certified Web Apps SMS app Implicit

Notes

Note that further integration for Web SMS access to privileged APIs is planned for the future. These may employ the following mitigating controls:

  • Set thresholds or warnings on premium numbers.
  • Only allow sending of SMS's to user-provided contacts.
  • Show OS confirmation of message before sending.