Security/Reviews/Gaia/bluetooth

From MozillaWiki

App Review Details

  • App: Bluetooth
  • Review Date: 5th March 2003
  • Review Lead: Paul Theriault

Overview

The bluetooth app is a small app which is only used to facilitate the transfer of files via bluetooth. It does not have an icon on the homescreen; rather, it is triggered by another app launching a web activity.

Architecture

Components

The bluetooth app consists of one HTML page which is designed to accept web activity share requests.

Relevant Source Code

The main source code is contained at: http://mxr.mozilla.org/gaia/source/apps/bluetooth/js/transfer.js


Permissions

The bluetooth app has the following permissions:

"permissions": {
  "bluetooth": {},
  "device-storage:sdcard": { "access": "readonly" },
  "settings": { "access": "readwrite" }
}

  • bluetooth is needed to send files via bluetooth.
  • device-storage is used to monitor remaining disk space.
  • settings access is needed to monitor and change the "bluetooth.enabled" setting.

Web Activity Handlers

The bluetooth app accepts one web activity as described in its web app manifest:

"activities": {
  "share": {
    "filters": {
      "number": 1
    },
    "disposition": "inline",
    "returnValue": true,
    "href": "/transfer.html"
  }
}

Web Activity Usage

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

Several instances of innerHTML used, but output is escaped safely.

2. Secure Communications

N/A, doesn't make network connections (apart from bluetooth obviously)

3. Secure data storage

N/A

4. Denial of Service

Web pages could launch the bluetooth app without user interaction - perhaps it should only be possible to launch the bluetooth app from the user chosen web activity.

5. Use of Privileged APIs

This app uses device-storage:sdcard to load the files it is about to send. This was a temporary fix, and should probably now be changed. See the comment in the code regarding bug 811615.

6. Interfaces with other Apps/Content

As above, any content can launch the bluetooth transfer page via a web activity.

Security Risks & Mitigating Controls

  • User is tricked into sending a file

Any website could try to guess a file name on the sdcard and prompt the user to send it. There is no indication in the bluetooth app that you are about to send a file. However, prior to sending the file, the user needs to go through a step of pairing a device, which mitigates this risk pretty effectively (it would be very hard to 'accidentally' pair with another device).

  • Website repeatedly fires up the bluetooth app to consume power as a DoS

Web activities can't be fired from the background, so this wouldn't work after the user hid the browser.

Actions & Recommendations

Discussing remediation with bluetooth app developers at the moment:

1. The UI shown when you are about to send a file doesn't actually tell you that you are about to send a file (it just shows a list of paired devices). The user may not have initiated this web activity (e.g. new MozActivity({name: 'share', data: {number: 1, filenames: ["screenshots/1980-01-06-00-18-06.png"]}}) starts the bluetooth app without a prompt).

- Show some title or prompt to tell the user what is about to happen

2. Bug 811615 is marked as fixed now - does this mean that we could change to receiving blobs with metadata instead of having the transfer app have sdcard permission?

3. Validate the file paths prior to using them
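The following is an added example, not code from the Gaia bluetooth app, showing how recommendations 1 and 3 (and the "user is tricked into sending a file" risk above) could be addressed on the transfer page: the activity data ({number, filenames}) is checked before any file is touched, traversal and absolute paths are refused, and a confirmation prompt naming the file is built for display before the paired-device list. The activity data shape follows the request quoted in the review; the function names, the permitted top-level directories in ALLOWED_ROOTS and the sample requests are assumptions made for this example.

```javascript
// Added example (not the Gaia bluetooth app's own code): validating "share"
// web activity data before the transfer page uses it.
// Data shape {number, filenames} follows the request quoted in the review;
// ALLOWED_ROOTS and the helper names below are assumptions for this example.

const MAX_FILES = 1; // matches the "number": 1 filter in the app manifest
const ALLOWED_ROOTS = ["screenshots", "downloads", "DCIM"]; // assumed, not from the page

// Returns the list of cleaned, sdcard-relative paths, or throws a descriptive
// Error so the caller can refuse the request and show the user why.
function validateShareRequest(data) {
  if (!data || typeof data !== "object") {
    throw new Error("share activity carried no data");
  }
  const { number, filenames } = data;
  if (!Array.isArray(filenames) || filenames.length === 0) {
    throw new Error("filenames must be a non-empty array");
  }
  if (!Number.isInteger(number) || number !== filenames.length) {
    throw new Error("number does not match filenames length");
  }
  if (filenames.length > MAX_FILES) {
    throw new Error(`at most ${MAX_FILES} file(s) may be shared per request`);
  }
  return filenames.map(cleanPath);
}

// Normalises one path and rejects anything that could escape the sdcard
// root or reach a directory the transfer page is not meant to read from.
function cleanPath(name) {
  if (typeof name !== "string" || name.length === 0) {
    throw new Error("filename must be a non-empty string");
  }
  if (name.includes("\0")) {
    throw new Error("filename contains a NUL byte");
  }
  if (name.startsWith("/") || /^[a-zA-Z]:|\\/.test(name)) {
    throw new Error(`absolute or non-POSIX path rejected: ${name}`);
  }
  const segments = name.split("/");
  if (segments.some((s) => s === "" || s === "." || s === "..")) {
    throw new Error(`path traversal or empty segment rejected: ${name}`);
  }
  if (!ALLOWED_ROOTS.includes(segments[0])) {
    throw new Error(`top-level directory not permitted: ${segments[0]}`);
  }
  return segments.join("/");
}

// Builds the confirmation text recommendation 1 asks for, so the user sees
// what is about to be sent before the paired-device list appears.
function transferPrompt(paths) {
  const names = paths.map((p) => p.split("/").pop()).join(", ");
  return `Send ${paths.length} file(s) via Bluetooth: ${names}?`;
}

// Constructed sample requests: one well-formed, three that must be refused.
const SAMPLES = [
  { number: 1, filenames: ["screenshots/1980-01-06-00-18-06.png"] },
  { number: 1, filenames: ["../../system/config.json"] },
  { number: 2, filenames: ["screenshots/a.png"] },
  { number: 1, filenames: ["/sdcard/screenshots/a.png"] },
];

// Runs every sample through validation and reports the outcome per request.
function runSamples() {
  return SAMPLES.map((req) => {
    try {
      return { ok: true, prompt: transferPrompt(validateShareRequest(req)) };
    } catch (e) {
      return { ok: false, reason: e.message };
    }
  });
}

for (const result of runSamples()) {
  console.log(result.ok ? `ACCEPT: ${result.prompt}` : `REFUSE: ${result.reason}`);
}
```

The validation runs before device-storage is consulted, so a request from a page that merely guessed a path never reaches the sdcard unless it is well-formed and within an expected directory, and the prompt text gives the user the indication the review notes is currently missing.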