From MozillaWiki
< Security‎ | Reviews‎ | Gaia‎ | system
Jump to: navigation, search

Relevant Source Code

  • /index.html

This is the main system app that is loaded by gecko at startup. It loads many scripts which perform the various parts of the System app.

  • /camera/index.html

This pages provides the camera on the lockscreen. It is basically a cut down version of the the camera app.

  Issue: prompt for geolocation isn't shown until after phone is locked.
  • /emergency-call/index.html

This page provides the dialer on the lockscreen for making emergency calls.

  • accessibility.js: Small file, observes settings to enable inverting the screen for accessibility, and turning on the screen reader. No real security threats
  • activities.js: When an app starts a web activity, gecko compiles the list of matching applications that can handle the web activity, and sends it to the System app. The system app shows a List Menu (see list_menu.js below) to the user, so they can choose which app to handle the activity. Note that if there is only one suitable app that can handle this activity, it is automatically chosen without user interaction.

Note: reviewed as part of Web Activity security review.

  • airplane_mode.js: Airplane mode sets a number of settings to disable all radio communication (phone calls, data, bluetooth, GPS etc).
  • app_install_manager.js: Controls installation and updating of apps. (gecko does the underlying downloading and installation - this component provides the necessary user interface via notifications etc)
  • applications.js: Application module handles the information of apps on behalf of other modules.
  • attention_screen.js: Attention screen is used for things like incoming phone calls and alarms. Apps use it by calling, 'attention')

Works by registering itself as a mozbrowseropenwindow listener. Previously there was an issue that since apps can now, they can open in attention screen, grabbing focus. This was fixed via

  • authentication_dialog.js: Trusted UI for entering HTTP auth credentials.

Notes: Only shows up for events from the currently displayed app. Race conditions?

  • background_service.js: Purpose: launch app code at startup in the background (i.e. "services" for gaia)

Apps can nominate themselves as needing a background service by setting the "background_page" attribute in the Web App manifest. They also need to specify that they need the "background" gaia permission, or the page will not be set. THis permission is certified apps only.

Launches apps at startup if they have the background_page attribute set in their manifest.

  • battery_manager.js:Displays battery state, and also contains power save code. Nothing particularly security sensitive here.
  • bluetooth.js: Listens for system messages relating to bluetooth transfers. Handles message, and creates a bluetooth_transfer object to handle each transfer.
  • bluetooth_transfer.js: Handles an individual transfer, including displaying confirm prompt to the user

Note: Bluetooth file, and metadata (filename etc) could be malicious, but code uses CustomDialog ( which uses textContent and createTextNode to prevent injection. Also uses filename for notifications which is similarly protected.

  • bootstrap.js: Random startup tasks, including checking for updates. Not too much to review here. Sets the wallpaper for all home screens.

function setWallpaper(value) {

   document.getElementById('screen').style.backgroundImage =
     'url(' + value + ')';


Todo: Could value ever be something like javascript:code…. ? Would this even be an issue?

Todo: what happens if the manifestURL parameter is invalid for mozbrowser iframe? I guess it is just a plain mozbrowser frame, but still not same origin with the embedding page.

Only seems to be used by captive_portal.js though, so no real risks here I think.

  • call_forwarding.js: Just handles call forwarding system events. Not threats identified.
  • captive_portal.js: Code looks ok, but could do with some testing.
  Todo: test this on to see what attack vector from a rogue wireless network.
  • cards_view.js: Main app UI management. There have been lots of bugs in the past where background apps could interfere with the foreground app. All closed now, but will be an area to keep an eye with future changes.
  • context_menu.js: Simple menu helper class.
  • cost_control.js: Shows the summary of the cost control app in the notification tray, and provides a way to launch the cost control app.
  • crash_reporter.js: Reports crashes
    Todo: review from privacy perspective?
  • entry_sheet.js: Templating helper class.
  • ftu_launcher.js: Launched the First Time Usage (FTU) app
  • gridview.js: Developer helper class to show grid overlay
  • hardware_buttons.js: Converts hardware events to higher level logical events.
  • icc_cache.js: Sim Toolkit message handler?
  • init_logo_handler.js: loads animated logo at power on.
  • keyboard_manager.js: Manages the keyboard. Currently just embeds keyboard app, but in future will allow for changing of keyboard apps.
  • list_menu.js: menu helper function
  • lockscreen.js: Lock screen is shown when phone is turned on (unless it is disabled in settings).

Can another handle the camera or call buttons? If passcode is enabled, system app uses built in pages to load a secure camera. Emergency call is always handled in the system app (not the dialer). Attempting to dial a number other than an emergency number fails (although a call screen is shown briefly, maybe possible to tap quickly and cause issues)

  • logo_loader.js: Loads the logo.
  • modal_dialog.js: Handles mozbrowsershowmodalprompt events - ie whenever a prompt from (alert/prompt/confirm etc) needs to be shown.
    • Only the currently displayed app can show cause a modal dialog to be shown

Sanitizes the message supplied using the following code:

function escapeHTML(str) {

     var stringHTML = str;
     stringHTML = stringHTML.replace(/\</g, '<');
     stringHTML = stringHTML.replace(/(\r\n|\n|\r)/gm, '
'); stringHTML = stringHTML.replace(/\s\s/g, '  ');
     return stringHTML.replace(/"/g, '"').replace(/'/g, ''');

Message is not sanitized if the type of the event is selectone: var type = evt.detail.promptType || evt.detail.type;

   if (type !== 'selectone') {
     message = escapeHTML(message);

The code for creating the selectone dialog uses innerHTML dangerously var itemsHTML = [];

   for (var i = 0; i < data.options.length; i++) {
  • <button id="'); itemsHTML.push(data.options[i].id); itemsHTML.push('">'); itemsHTML.push(data.options[i].text); itemsHTML.push('</button>
  • ');

    However currently selectone is not implemented. Raised bug just in case this changes in the future:

    • mouse2touch.js: shim to support
    • notifications.js

    UI to display notifications. Uses DOM methods not innerHTML - hooray!

    • permission_manager.js:Handles prompting for permissions. Handles fullscreen requests as well.
    • popup_manager.js

    Opens a single window for an app. One window per app (one at a time).

    • quick_settings.js

    handles quick settings from notification tray. no issues found.

    • remote_debugger.js

    shows prompt when remote debugger connected and wants to start - remote debugger doesn't get connection until user accepts prompt.

    • screen_manager.js

    Turns screen off and on based on certain inputs (sensors, incoming calls, sleep timer etc)

    • screenshot.js

    Takes a screen shot when user press both home and power buttons.

    • sim_lock.js

    Locks the phone when the sim is locked.

    • simcard_dialog.js
    • sleep_menu.js

    Menu shown when

    • sound_manager.js
    • source_view.js
       Possibly should be removed.
    • statusbar.js

    top bar which shows notifications. all inputs come from system information, no real attack scenarios.

    • storage.js

    Handles mounting the device as a USB device, See

    • system_banner.js

    Shows a banner at startup. Uses .textContent so no risk of injection.

    • system_dialog.js

    Used to display system dialogs.

    • trusted_ui.js
      • review previously. overlays window over the home screen, with a transparent border around the outside. Make it slightly harder to spoof since other apps don't have access to wallpaper image. Not that strong a control, further control proposed for beyond version 1.
    • ttlview.js
    • updatable.js

    reviewed as part of updates review

    • update_manager.js

    reviewed as part of updates review

    • utility_tray.js

    tray that gets dragged down from top of screen.

    • value_selector

    Code to create widgets for date selectors or select wheels etc.

    • voicemail.js
    • wifi.js
    • window.js

    see bug 854849

    • wrapper.js