WebAPI/Security/WebTelephony

From MozillaWiki

WebTelephony

Brief purpose of API: Make and receive phone calls

General Use Cases: None

Inherent threats:

  • Place calls to high-cost numbers.
  • Route calls through a high-cost network.
  • Direct calls through a MITM network (spying).
  • Possibly, in combination with an audio API, record phone calls or touch-tone signals (account numbers?).
  • In addition, there is a high likelihood that this API will need to be controlled for legal reasons.

Threat severity: High to critical (confidential information disclosure and direct financial risk)

References:

Type: Web Content
  Use Cases: Click on a phone number in an email or browser to dial
  Authorization Model: No direct access (access via web activities)
  Notes & Other Controls: When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.

Type: Installed Web Apps
  Use Cases: As above
  Authorization Model: No direct access (access via web activities)
  Notes & Other Controls: As above.

Type: Privileged Web Apps
  Use Cases: As above
  Authorization Model: No direct access (access via web activities)
  Notes & Other Controls: As above.

Type: Certified Web Apps
  Use Cases:
  • Handler for telephony web activities
  • Replacement dialer
  • Voice conference software (e.g. connect VoIP with a mobile call)?
  • Mediate incoming calls (accept/reject/merge)
  • Query transceiver state
  Authorization Model: Implicit
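
The mediation described in the table (content requests a call through a web activity, and only the certified dialer touches telephony after user interaction) can be sketched as follows. This is an added example, not Gaia or Gecko code: `makeDialHandler`, `normalizeNumber`, `confirmWithUser`, the injected `telephony` object, the activity shape and the character policy are all assumptions made for illustration.

```javascript
// Added illustration; every name below is hypothetical, not a Mozilla API.
// Assumed policy: a dial string is digits, * and #, with an optional leading +.
const DIALABLE = /^\+?[0-9*#]{1,32}$/;

// Strip visual separators, then reject anything that is not a plain dial
// string (for example pause characters that would send touch tones later).
function normalizeNumber(raw) {
  if (typeof raw !== "string") return null;
  const n = raw.replace(/[\s().-]/g, "");
  return DIALABLE.test(n) ? n : null;
}

// Hypothetical certified dialer. `telephony` stands in for the privileged API
// and `confirmWithUser` for the dialer UI; both are injected so this runs offline.
function makeDialHandler(telephony, confirmWithUser) {
  return function handleActivity(activity) {
    if (!activity || activity.name !== "dial") {
      return { placed: false, reason: "unsupported-activity" };
    }
    const number = normalizeNumber(activity.data && activity.data.number);
    if (number === null) return { placed: false, reason: "invalid-number" };
    // The user confirms the exact string that will be dialed; whatever label
    // the requesting page showed for the link is never trusted.
    if (confirmWithUser(number) !== true) {
      return { placed: false, reason: "user-declined" };
    }
    telephony.dial(number);
    return { placed: true, number };
  };
}

// Constructed sample requests against a fake telephony object that records calls.
function demo() {
  const calls = [];
  const telephony = { dial: (n) => calls.push(n) };
  const req = (number) => ({ name: "dial", data: { number } });
  const declined = makeDialHandler(telephony, () => false);
  const accepted = makeDialHandler(telephony, () => true);
  return {
    declined: declined(req("+1 (555) 010-0100")),
    accepted: accepted(req("+1 (555) 010-0100")),
    tones: accepted(req("5550100,,1234#")),
    other: accepted({ name: "share", data: {} }),
    calls,
  };
}
```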