Web SMS API
Brief purpose of API: Send and receive SMS messages
General Use Cases: None
- Sending an SMS costs the user money (premium SMS services, SMS payments, etc.)
- Receiving SMS has privacy implications; SMS is also used for 2-factor authentication
Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | App prompts user to send SMS | No direct access (access via web activities) | |
| Installed Web Apps | App prompts user to send SMS | No direct access (access via web activities) | |
| Privileged Web Apps | App prompts user to send SMS * | No direct access (access via web activities) | |
| Certified Web Apps | SMS app | Implicit | |
Note that further integration for Web SMS access to privileged APIs is planned for the future. These may employ the following mitigating controls:
- Set thresholds or warnings on premium numbers.
- Only allow sending of SMS messages to user-provided contacts.
- Show OS confirmation of message before sending.
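
The following is an added sketch, not Firefox OS code, of how the authorization table and the three candidate controls above could combine into one send decision. The app type strings, the `gateSend` function, the policy object and all numbers in it are assumptions made up for illustration.

```javascript
// Added illustration: a hypothetical send gate, not Firefox OS code.
// All policy values below are constructed sample data.
const POLICY = {
  premiumPrefixes: ["+1900", "+44909"],             // assumed premium ranges
  premiumPerDay: 1,                                 // premium sends allowed per day
  contacts: new Set(["+15550100", "+19005550123"]), // user-provided contacts
};

// Reduce a dialed string to digits with an optional leading "+".
function normalize(raw) {
  const s = String(raw).trim();
  return (s.startsWith("+") ? "+" : "") + s.replace(/\D/g, "");
}

function isPremium(number, policy) {
  return policy.premiumPrefixes.some((p) => number.startsWith(p));
}

// state.premiumSentToday: premium messages this app already sent today.
function gateSend(appType, rawNumber, state, policy = POLICY) {
  switch (appType) {
    case "web":
    case "installed":
      // Web content and installed apps: no direct access, use a web activity.
      return { action: "web-activity" };
    case "certified":
      // Certified SMS app: implicit authorization.
      return { action: "allow" };
    case "privileged":
      break; // planned direct access, subject to the controls below
    default:
      return { action: "deny", reason: "unknown app type" };
  }
  const number = normalize(rawNumber);
  if (!/^\+?\d+$/.test(number)) return { action: "deny", reason: "invalid number" };
  // Control: only send to user-provided contacts.
  if (!policy.contacts.has(number)) return { action: "deny", reason: "not a contact" };
  // Control: threshold on premium numbers.
  const premium = isPremium(number, policy);
  if (premium && state.premiumSentToday >= policy.premiumPerDay) {
    return { action: "deny", reason: "premium threshold reached" };
  }
  // Control: OS confirmation before sending, with a premium warning if needed.
  return { action: "confirm", warnPremium: premium };
}
```

Every permitted privileged send ends in `confirm` rather than `allow`, so the OS prompt stays the final step even when the contact and premium checks pass.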