Security/Reviews/Gaia/homescreen


App Review Details

  • App: Homescreen
  • Review Date: 22/2/2012
  • Review Lead: Paul Theriault

Overview

The homescreen app is the main UI for the phone. It is shown as soon as the phone is unlocked and is primarily used to launch other apps. It also houses the everything.me component, which is a tool for finding and launching mobile websites and web apps.

Architecture

Components

The Homescreen App is implemented as a certified packaged Web App and is installed on the phone as part of the Gaia repository. The source code for the homescreen can be found here: http://mxr.mozilla.org/gaia/source/apps/homescreen/

Everything.me is essentially a separate app which is included in the homescreen, since the two need to share data and be closely integrated from a UI perspective.

Relevant Source Code

Permissions

  • "webapps-manage": used to get the list of all installed apps, so that apps can be launched when their icon is tapped.
  • "systemXHR": used to load application icons.
  • "settings": used to observe when the language changes (which can't be done with navigator.language) and also to set the keyboard language.
  • "device-storage:pictures": this is no longer used; bug 843921 was raised to remove it.
  • "open-remote-window": this allows the homescreen to open windows in separate content processes (i.e. <iframe remote='true'>).
  • "geolocation": used by everything.me to provide more relevant content.

Web Activity Handlers

Other apps/pages can send a bookmark activity to the homescreen to request that a URL be bookmarked as an icon on the homescreen.

The code for this handler is here: http://mxr.mozilla.org/gaia/source/apps/homescreen/js/save-bookmark.js The handler calls BookmarkEditor.init(options), with options containing the data from the activity, which displays a screen for the user to edit the bookmark before it is added. The user then chooses to save (or cancel), and the bookmark URL is checked to make sure it starts with http(s):

 // Only allow http(s): urls to be bookmarked.
 if (/^https?:/.test(this.bookmarkUrl.value) == false)
   return;

The name and icon parameters are not sanitized at all, so there is a spoofing risk here (a page could request a bookmark named and iconed like a built-in app); however, it appears that a user-supplied icon is wrapped in a white circle border, so it is clear that it's a bookmark and not an app.

  • I am currently seeing weird issues/crashing when supplying an icon via a data URI. Can't reproduce reliably though.
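The following is an added example, not code from Gaia's save-bookmark.js: a stricter validator for the bookmark activity payload, modelled on the http(s) scheme check above and extended to the name and icon parameters the review notes are unsanitized. The length cap, the allowed icon data-URI types and the sample payloads are assumptions chosen for illustration; the scheme is compared after parsing with the standard URL constructor rather than by regex prefix, so values such as "javascript:" or a non-URL string are rejected uniformly.

```javascript
// Added example (not Gaia/homescreen code): validate a bookmark activity request.
const MAX_NAME_LENGTH = 64; // assumption: illustrative cap on displayed bookmark names

function isHttpUrl(value) {
  // Parse the value and compare the scheme, instead of /^https?:/ on the raw string.
  let url;
  try {
    url = new URL(String(value));
  } catch (e) {
    return false; // not a URL at all (undefined, empty, garbage)
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

function isSafeIcon(value) {
  // No icon is fine: the homescreen falls back to a default.
  if (value === undefined || value === null || value === '') return true;
  if (isHttpUrl(value)) return true;
  // Assumption: only base64 raster image data URIs are accepted; data:text/html etc. are refused.
  return /^data:image\/(png|jpeg|gif);base64,[A-Za-z0-9+/=]+$/.test(String(value));
}

function sanitizeName(value, fallbackUrl) {
  // Replace control characters, collapse whitespace and cap the length so a name
  // cannot be padded or disguised to mimic a certified app's label.
  let name = String(value == null ? '' : value)
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
  if (!name) name = new URL(fallbackUrl).hostname; // fallbackUrl is already validated
  return name.slice(0, MAX_NAME_LENGTH);
}

// Returns { ok: true, bookmark } or { ok: false, reason }.
function validateBookmark(options) {
  if (!isHttpUrl(options.url)) {
    return { ok: false, reason: 'url must be http(s)' };
  }
  if (!isSafeIcon(options.icon)) {
    return { ok: false, reason: 'icon must be http(s) or a base64 image data URI' };
  }
  return {
    ok: true,
    bookmark: {
      url: new URL(options.url).href, // normalized form
      name: sanitizeName(options.name, options.url),
      icon: options.icon || null,
    },
  };
}

// Constructed sample activity payloads (not captured from a device).
const samples = [
  { url: 'https://example.org/app', name: 'Example', icon: 'https://example.org/i.png' },
  { url: 'javascript:alert(1)', name: 'Evil' },
  { url: 'http://example.org', name: 'Settings\u0000\u0000   <b>Settings</b>' },
  { url: 'https://example.org', icon: 'data:text/html;base64,PHNjcmlwdD4=' },
];

for (const s of samples) {
  console.log(JSON.stringify(validateBookmark(s)));
}
```

The sanitized name must still be inserted into the editor's DOM with textContent (or as a text node), not innerHTML; the validator only normalizes the value, it does not make it safe to parse as markup.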

Web Activity Usage

  • E.me launches URLs using web activities.
  • Homescreen launches the wallpaper app to set the wallpaper.

Notable Event Handlers

Code Review Notes

1. XSS & HTML Injection attacks

The homescreen and everything.me make extensive use of innerHTML, which would be better replaced with DOM calls (both for performance and security). Mostly, though, this is for static HTML. All access to .innerHTML was audited, including calls to Evme.$create, which is a wrapper around innerHTML.
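As an added example, not code from the homescreen or everything.me, the block below shows the pattern that keeps the remaining innerHTML call sites safe: a tagged template that escapes every interpolated value (the template's literal parts are trusted, the interpolations are not), alongside a DOM-API helper for the common case of an element with text. The escaping rules and the untrusted sample value are this example's own.

```javascript
// Added example (not Gaia code): escape untrusted values that end up in innerHTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Usage: el.innerHTML = html`<li title="${name}">${name}</li>`;
// Static markup in the template is kept verbatim; each ${...} is escaped.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Preferred for simple nodes: build with DOM calls and never parse strings as markup.
// Takes the document as a parameter so it can be exercised outside a browser.
function createTextElement(doc, tag, text, attrs = {}) {
  const el = doc.createElement(tag);
  for (const [k, v] of Object.entries(attrs)) el.setAttribute(k, v);
  el.textContent = text; // assigns text, does not interpret "<img ...>" as an element
  return el;
}

// Constructed untrusted input, e.g. a bookmark name supplied by a web page.
const untrustedName = '<img src=x onerror="alert(1)">';
const safeMarkup = html`<li title="${untrustedName}">${untrustedName}</li>`;
console.log(safeMarkup);
```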

2. Secure Communications

Everything.me was found to be using plain http to connect to its API, but this was only on non-production devices. SSL has been confirmed on user releases; see bug 831488.

3. Secure data storage

Everything.me was found to log a lot of user activity using dump() statements. Further investigation showed this to be enabled only on development phones; however, dump() was replaced with console.log() to prevent accidental disclosure of user data by developers (see bug 842062).

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

Security Risks & Mitigating Controls

Actions & Recommendations