Security/Reviews/Gaia/costcontrol

App Review Details

• App: Usage (gaia/apps/costcontrol)
• Review Date: Sept 25, 2013
• Review Lead: Rob Fletcher (:omerta)

Overview

Usage application to see credit and data usage statistics.

Presents the user with a graph of either Mobile or Data usage or both. Also, allows the user to set notifications if usage exceeds a certain amount of usage; the user can also reset the usage amount being tracked.

Architecture

A certified app to be preinstalled on the phone.

Components

Relevant Source Code

Application Code

* debug.html - static file used for debug when DEBUGGING is true
* fte.html - first time experience page; where the user lands first time using the app
* handle_gaps.html - Handle Gaps
* index.html - main app page; contains comments later pulled into HTML tags
* message_handler.html - handle system messages
* settings.html - view page for usage settings
* widget.html - According #gaia, it is displayed in the notification tray of the system app

* js/CostControl.js - CostControl is the singleton in charge of provide data to the views by using asynchronous requests.
* js/app.js - The application is in charge of display detailed information about the usage.
* js/common.js - Common functions used throughout costcontrol
* js/mindgap.js - This module is in charge of keep the historical of SIM changes in order to rebuild the accurate usage of each SIM.
* js/view_manager.js - The ViewManager is in charge of simply manage the different views of the applications.
* js/widget.js - The widget is in charge of show balance, telephony data and data usage statistics depending on the SIM inserted.
* js/views/balance.js - The balance tab is in charge of show balance details and allows the use to manually update or top up via USSD or code.
* js/views/datausage.js - The data usage tab is in charge of usage charts of mobile and wi-fi networks.
* js/views/telephony.js - The telephony tab is in charge of show telephony and billing cycle information.

Shared Code

• shared/js/async_storage.js
• shared/js/l10n.js
• shared/js/l10n_date.js
• shared/js/lazy_loader.js
• shared/js/notification_helper.js
• shared/js/settings_listener.js

Permissions

• Certified
  • "sms":{} - sms-received, sms-sent system message.
  • "mobileconnection":{} - access to SIM card, check service status
  • "settings":{ "access": "readonly" }
    • There are no calls to mozSettings(). This permission appears to be extraneous.
      • mozSettings is used in shared code:l10n.js, settings_listener.js
  • "networkstats-manage":{} - Obtain statistics of data usage
  • "telephony": {}, - telephony-call-ended system message.
• Privileged
  • None
• Hosted
  • "desktop-notification":{} - Notify user, with desktop notification, they've exceeded usage
  • "alarms": {}, - alarm system message
  • "storage": {} - use storage without size limitations

Web Activity Handlers

The application makes the following activities available to other apps:

• "costcontrol/balance" - simply change hash to #balance-tab
• "costcontrol/telephony" - simply change hash to #telephony-tab
• "costcontrol/data_usage"- simply change hash to #datausage-tab

Web Activity Usage

The following activities are initiated:

• dial - Used to dial webtelephony/number when using "Top Up and Pay". When user wants to add credit, taps "Top Up and Pay", the dial activity is initiated with the number associated with adding credit.
• costcontrol/balance
• costcontrol/telephony
• costcontrol/data_usage

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

• No vulnerable code has been found. The application only builds HTML from static sources already defined. No user input is used to generate HTML elements or attributes.

Suspicious but OK

    ~/work/code/gaia/apps/costcontrol/js/view_manager.js:111 - panel.innerHTML = panel.childNodes[i].nodeValue;
        - To increase performance of the first draw, developers define static HTML inside
          comment nodes and then later grab that HTML and input to innerHTML.

    ~/work/code/gaia/apps/costcontrol/js/settings/settings.js:131 - src.innerHTML = xhr.responseText;
        - XHR is fetching /debug.html which has no variable data

    ~/work/code/B2G/gaia/apps/costcontrol/js/view_manager.js:138 - var script = document.createElement('script');
        - finds all defined script tags and redfines them, then appends to page
        - <script type="text/javascript" defer="" src="js/fte.js"></script> is redefined as 
          <script src="js/fte.js" id="js/fte.js" type="application/javascript"></script>
        - After speaking with a developer, they must redefine script tags because simply uncommenting 
          them and shoving them into innerHTML doesn't work. So they have to redefine the script tags and append them.

Notes

• After speaking with developer regarding suspected but ok issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes.

2. Secure Communications

• This app does not communicate with any external services.

3. Secure data storage

• This application uses localStorage very minimally to store strings that are used later, presumably, in URLs. The app only uses localStorage["sync"].

4. Denial of Service

• There appear to be no avenues for DoS attacks.

5. Use of Privileged APIs

• "sms":{} | sms-sent, sms-received
  • Send SMS to request balance.
  • TopUp SMS to request credit.
  • Check format of SMS to check for balance or topup sms request.
• "mobileconnection":{}
  • Access to SIM card, check service status
• "settings":{ "access": "readonly" }
  • mozSettings is used in shared code:l10n.js, settings_listener.js
• "networkstats-manage":{}
  • Obtain statistics of data usage
• "telephony": {}
  • telephony-call-ended system message.

6. Interfaces with other Apps/Content

• This app is self contained and does not attempt to receive/send content from other apps.

Security Risks & Mitigating Controls

Actions & Recommendations