
App Review Details

  • System Component: System Message Handler
  • Review Date: 15 Feb 2013
  • Review Lead: Stefan Arentz
  • Review Bug: bug 751025 [Security Review] System Message Handler


Random Notes To Be Edited

Random notes, restructure:

This is tied to WebActivities. Should we cover that, or should we limit this review to just the message passing/handling?

Permission checking is done in dom/messages/SystemMessagePermissionsChecker.jsm

Who/what decides what messages a specific app is allowed to listen for?


  • Inject rogue messages into the system, for example a fake 'sms-received' message.
  • Handle/steal system messages. For example, malware that listens for sms-received messages and then forwards them to a remote server.
  • Send legitimate messages that carry a bad payload to cause trouble.
  • Exploit faulty permission checks so that normal apps can send or receive messages.
  • Force a part of the software to emit messages.
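A sketch of the registration-time check that the question above asks about (which messages an app may listen for), written for this page as an added example; it is not the code in SystemMessagePermissionsChecker.jsm. The message names come from this page; the permission names, the manifest shape and the function name checkRegistrations are assumptions made for the example.

```javascript
// Hypothetical table for this sketch: message type -> permission an app must
// hold before it may register a handler. Message names are from this page;
// the permission names are assumptions, not copied from Gecko.
const REQUIRED_PERMISSION = new Map([
  ['sms-received', 'sms'],
  ['sms-sent', 'sms'],
  ['telephony-new-call', 'telephony'],
  ['bluetooth-requestpincode', 'bluetooth'],
  ['alarm', 'alarms'],
  ['activity', null], // null: no permission required
]);

// Decide, per declared message, whether the app may register for it.
// Fails closed: unknown message types and malformed entries are denied.
function checkRegistrations(manifest) {
  const granted = new Set(Object.keys(manifest.permissions || {}));
  const result = { allowed: [], denied: [] };
  for (const entry of manifest.messages || []) {
    // Assumed manifest shape: an entry is "type" or { type: "/page.html" }.
    const type = typeof entry === 'string' ? entry
      : (entry && typeof entry === 'object') ? Object.keys(entry)[0] : undefined;
    if (typeof type !== 'string' || !REQUIRED_PERMISSION.has(type)) {
      result.denied.push({ type: String(type), reason: 'unknown-message-type' });
      continue;
    }
    const needed = REQUIRED_PERMISSION.get(type);
    if (needed !== null && !granted.has(needed)) {
      result.denied.push({ type, reason: 'missing-permission:' + needed });
      continue;
    }
    result.allowed.push(type);
  }
  return result;
}

// Constructed sample manifest: declares sms-received without holding the
// assumed "sms" permission, plus one message type the table does not know.
const sampleManifest = {
  name: 'example-app',
  permissions: { alarms: {} },
  messages: ['alarm', { 'sms-received': '/index.html' }, 'made-up-message', 'activity'],
};

console.log(JSON.stringify(checkRegistrations(sampleManifest), null, 2));
```

The point for review is the default: a message type missing from the table is refused rather than allowed, so adding a new system message cannot silently make it available to every app.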

In Gecko, components can send system messages as follows:

  nsCOMPtr<nsISystemMessagesInternal> systemMessenger =
    do_GetService(";1");
  if (!systemMessenger) {
    NS_WARNING("Failed to get SystemMessenger service!");
    return false;
  }
  systemMessenger->BroadcastMessage(aType, OBJECT_TO_JSVAL(obj));



The following API is exposed internally in Gecko to send messages:

interface nsISystemMessagesInternal : nsISupports {
  void sendMessage(in DOMString type, in jsval message, in nsIURI pageURI, in nsIURI manifestURI);
  void broadcastMessage(in DOMString type, in jsval message);
  void registerPage(in DOMString type, in nsIURI pageURI, in nsIURI manifestURI);
};

TODO There is also the following, but I do not know why that is used:

interface nsISystemMessagesWrapper: nsISupports {
  /**
   * Wrap a message and gives back any kind of object.
   * @param message  The json blob to wrap.
   */
  jsval wrapMessage(in jsval message, in nsIDOMWindow window);
};

The following DOM API is exposed to *message receivers*:

interface nsIDOMSystemMessageCallback : nsISupports {
    void handleMessage(in jsval message);
};

interface nsIDOMNavigatorSystemMessages : nsISupports {
    void mozSetMessageHandler(in DOMString type, in nsIDOMSystemMessageCallback callback);
    boolean mozHasPendingMessage(in DOMString type);
};

The top-level API, mozSetMessageHandler, is used by all system components and applications that need to receive messages.

The most common use case is that applications (certified, privileged) use this API to listen for `activity` messages, which are received when another app initiates a MozActivity. For example, in the Camera:

    navigator.mozSetMessageHandler('activity', function(activity) {
      var name =;
      if (name === 'pick') {
        Camera.initPick(activity);
      }
    });

It is also used by system components to listen for lower-level messages that are not available to just any application. For example:

      navigator.mozSetMessageHandler('bluetooth-requestconfirmation',
      navigator.mozSetMessageHandler('bluetooth-requestpincode',
      navigator.mozSetMessageHandler('bluetooth-requestpasskey',
      navigator.mozSetMessageHandler('bluetooth-cancel',
      navigator.mozSetMessageHandler('bluetooth-pairedstatuschanged',
      navigator.mozSetMessageHandler('bluetooth-hfp-status-changed',

Relevant Documentation

TODO I don't think there is more official documentation?

Relevant Source Code

  • gecko/dom/messages/interfaces/nsIDOMNavigatorSystemMessages.idl
  • gecko/dom/messages/interfaces/nsISystemMessagesInternal.idl
  • gecko/dom/messages/SystemMessageInternal.js
  • gecko/dom/messages/SystemMessageManager.js
  • gecko/dom/messages/SystemMessageManager.manifest
  • gecko/dom/messages/SystemMessagePermissionsChecker.jsm

Additional files that changed to support the System Messages:

  • gecko/b2g/chrome/content/shell.js
  • gecko/config/
  • gecko/dom/base/Navigator.cpp
  • gecko/dom/base/Navigator.h
  • gecko/dom/base/nsDOMClassInfo.cpp
  • gecko/dom/base/nsDOMWindowUtils.cpp
  • gecko/dom/base/nsGlobalWindow.cpp
  • gecko/dom/base/nsGlobalWindow.h
  • gecko/dom/
  • gecko/toolkit/

Message Sources

| Source file | Message | Sender | Method |
|---|---|---|---|
| b2g/chrome/content/shell.js | notification | AlertsHelper | - |
| b2g/chrome/content/shell.js | headset-button | AlertsHelper | broadcast |
| b2g/components/AlertsService.js | notification | AlertsService | - |
| b2g/chrome/content/dbg-webapps-actors.js | Webapps:Install:Return:OK | WebappsActor._registerApp() | broadcast |
| b2g/chrome/content/dbg-webapps-actors.js | Webapps:AddApp | filterHardwareKeys() | broadcast |
| gecko/dom/system/gonk/RadioInterfaceLayer.js | telephony-*, sms-*, ussd-received, icc-stkcommand | Radio Interface | broadcast |

Message Receivers

The following applications use System Messages, other than activity.

| Application | Messages |
|---|---|
| gaia/apps/calendar | alarm |
| gaia/apps/clock | alarm |
| gaia/apps/communications | alarm, bluetooth-dialer-command, headset-button, notification, telephony-new-call, ussd-received |
| gaia/apps/costcontrol | sms-received, alarm, sms-sent, telephony-call-ended, notification |
| gaia/apps/email | alarm |
| gaia/apps/settings | bluetooth-requestconfirmation, bluetooth-requestpasskey, bluetooth-requestpincode, bluetooth-authorize, bluetooth-cancel, bluetooth-pairedstatuschanged, bluetooth-hfp-status-changed |
| gaia/apps/sms | sms-received, notification |
| gaia/apps/system | alarm, bluetooth-opp-{transfer-complete,update-progress,receiving-file-confirmation,transfer-start}, icc-stkcommand, bluetooth-hfp-status-changed |

Code Review Notes

Actions & Recommendations