Security/Firefox/Fennec/WebVibrator

Items to be reviewed

https://bugzilla.mozilla.org/show_bug.cgi?id=679966

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

• uses the vibrator in a mobile device
  • can vibrate in a pattern
    • format of messages is a list of numbers that correlate to the num of miliseconds that the device operates
    • list has a max length, but a page could send multiple lists
    • max length is 10s
• mobile only, if device does not have the function this does nothing, although the API still exists to help prevent fingerprinting
  • the vibrator can be turned on when the accelerometer is on, so there's a potential fingerprinting channel here
• separate API later for notifications (later)

What solutions/approaches were considered other than the proposed solution?

• wanted for mobile web

Why was this solution chosen?

• wanted hardware access to vibrator for mobile web
  • see this as a vector for mobile games

Any security threats already considered in the design and why?

• aware of fingerprinting attacks with the accelerometer
• aware of possible fingerprinting with devices that don't have a vibrator
• tab has to be visible/active

Threat Brainstorming

• permissions for use
  • tab has to be visible
  • doesnt require user initiation
• draining the battery
  • there are many other vectors to this

Conclusions / Action Items