WebAPI/Security/SMS: Difference between revisions

← Older edit

WebAPI/Security/SMS (view source)

Revision as of 23:41, 1 October 2014

40 bytes removed , 1 October 2014

no edit summary

Chaasof

Confirmed users

1,340

edits

@@ Line 1: / Line 1: @@
-Name of API: Web SMS API
+== Web SMS API ==
-References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725<br>
-Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/58a66963732b09a0/9ae97f65a9e74c78
 Brief purpose of API: Send and receive SMS messages
@@ Line 14: / Line 10: @@
 Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings
-== Regular web content (unauthenticated) ==
+References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725<br>
-Use cases for unauthenticated code: App prompts user to send SMS
+Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/58a66963732b09a0/9ae97f65a9e74c78
-Authorization model for uninstalled web content: Explicit via web activities
-Authorization model for installed web content: Explicit via web activities
-Potential mitigations:
-== Privileged (approved by app store) ==
-Use cases for privileged code: Full-featured SMS app.  Read & send SMS.
-Authorization model: Explicit
-Potential mitigations: Set thresholds or warnings on premium numbers.  Only allow sending of SMS's to user-provided contacts.  Show OS confirmation of message before sending.
+{| border="1" class="wikitable"
+! Type
+! Use Cases
+! Authorization Model
+! Notes & Other Controls
+|-
+| Web Content || App prompts user to send SMS || No  direct access (access via web activities) ||
+|-
+| Installed Web Apps || App prompts user to send SMS || No  direct access (access via web activities) ||
+|-
+| Privileged Web Apps || App prompts user to send SMS * || No  direct access (access via web activities) ||
+|-
+| Certified Web Apps || SMS app || Implicit ||
+|}
-== Certified (system-critical apps) ==
+=== Notes ===
-Use cases for certified code:  SMS app
-Authorization model: Implicit
+Note that further integration for Web SMS access to privileged APIs is planned for the future. These may employ the following mitigating controls:
+*Set thresholds or warnings on premium numbers.
+*Only allow sending of SMS's to user-provided contacts.
+*Show OS confirmation of message before sending.
-Potential mitigations: None beyond certification
+__NOTOC__
-Note: Should trusted apps be able to register as handlers for SMS web activities/intents, or only certified apps?
+[[Category:Web APIs]]
+[[Category:Security]]