Security/Reviews/Gaia/InterAppCommunicationAPI: Difference between revisions

Review Details

• Topic: Inter-App Communication API
• Review Date: January, 2014
• Status: Ongoing/Incomplete
• Review Lead: Rob Fletcher <rfletcher@mozilla.com> (:omerta)
• Repo:
• Connections: Gene Lian <glian@mozilla.com>, "Fernando Jiménez Moreno" <ferjmoreno@gmail.com>
• Main Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=876397
• Wiki: https://wiki.mozilla.org/WebAPI/Inter_App_Communication_Alt_proposal

Overview

The Inter-App Communication API will allow apps to communicate in a publisher/subscriber model.

Apps will register for communication in their manifest file, defining specific restrictions and details relating to the communications desired. An application can setup to send communications and/or handle communications.

Currently, only certified apps are allowed to do connections, but there are plans to open them up in the future.

Source Code

Gaia

• shared/js/iac_handler.js - handles IAC messages
• shared/js/fxa_iac_client.js - Firefox Accounts IAC client

Gecko

• dom/apps/src/Webapps.js - cpmm("Webapps:Connect"...), cpmm("Webapps:GetConnections"...)
• dom/apps/src/Webapps.jsm - process manifest file for new ‘connections’
• dom/apps/src/InterAppComm.cpp
• dom/apps/src/InterAppCommService.js
  • parent process, does checking of installOrigin, manifestURLs, and minimumAcccessLevel, main file for API
• dom/apps/src/InterAppConnection.js - child process, InterAppConnection object
• dom/apps/src/InterAppMessagePort.js - child process, InterAppMessagePort object

WebIDL

• dom/webidl/InterAppConnection.webidl - MozInterAppConnection
• dom/webidl/InterAppConnectionRequest.webidl - MozInterAppConnectionRequest
• dom/webidl/MozInterAppMessageEvent.webidl - MozInterAppMessageEvent
• dom/webidl/InterAppMessagePort.webidl - MozInterAppMessagePort

IDL

• dom/interfaces/apps/nsIDOMApplicationRegistry.idl - registers connect() and getConnections()
• dom/interfaces/apps/nsIInterAppCommService.idl - nsIInterAppCommService

Security Features

manifest ‘rules’

minimumAccessLevel

Defines a ‘minimum’ application type level: web, privileged, or certified. Defaults to ‘web’.

installOrigins

A list of install origins from where subscriber apps should have been installed. Since certified apps has not a valid install origin, these constraint does not apply to them.

manifestURLs

Can be used to set specific subscribers by a list of manifestURLs.

Current Usage

connect()

• apps/bluetooth/js/transfer.js:216: app.connect('bluetoothTransfercomms').then(function(ports) {
• apps/communications/dialer/js/calls_handler.js:114: app.connect('dialercomms').then(function(ports) {
• apps/communications/ftu/js/tutorial.js:123: app.connect('ftucomms').then(function onConnAccepted(ports) {
• apps/homescreen/everything.me/js/search/control.js:12: app.connect('search-results').then(
• apps/search/js/search.js:37: app.connect('search-results').then(
• apps/system/js/rocketbar.js:249: app.connect('search').then(
• apps/system/test/marionette/fakemusic/js/comms.js:34: app.connect('mediacomms').then(function(ports) {
• shared/js/media/remote_controls.js:184: app.connect('mediacomms').then(function(ports) {

apps/search/manifest.webapp

 28     "search": {
 29       "handler_path": "index.html",
 30       "description": "Proxies search to copied search app. Should be moved to the search app manifest if we split the app up.",
 31       "rules": {}

 apps/system/js/rocketbar.js:249: app.connect('search')...
 Used by System app, in rocketbar.js, to insert '...the search app iframe into the dom'

apps/system/manifest.webapp

 83     "mediacomms": {
 84       "description": "Communication with media apps for now playing info",
 85       "rules": {}

 87     "search-results": {
 88       "description": "Communicate between search results and search app",
 89       "rules": {}

 91     "ftucomms": {
 92       "description": "Communicate between communications/ftu and System",
 93       "rules": {}

 95     "bluetoothTransfercomms": {
 96       "description": "Communication with bluetooth apps for sending files info",
 97       "rules": {}

 99     "dialercomms": {
100       "description": "Communication with dialer app for sleep message",
101       "rules": {}

103     "fxa-mgmt": {
104       "description": "Firefox Accounts management API",
105       "rules": {
106         "minimumAccessLevel": "certified"
107       }

Review Notes

Gaia

XSS & HTML Injection Attacks

User controlled values are pretty much limited to filename. The filename is displayed in the notifications pull-down as well as the Settings Downloads list. 960749 prevented us from being able to completely check for HTML injections. (See Future Work below)

Based on source code inspection, there are no dangerous coding practices (like misuse of innerHTML) that will result in HTML/JS injections.

Characters ',",>, \, & and < were tested in filenames. We could not directly test > or < because the filesystem disallowed those characters in filenames, however we did use App Manager to break into the JS and insert those characters to see if filenames were rendered safely in the Notifications pull down as well as the Settings->Downloads menu.

Secure Communications

Not relevant.

Secure Data Storage

Downloads are stored on the SDcard, which is appropriate for user content.

Denial of Service

See 960739

Interfaces with other Apps/Content

gaia/apps/system/js/download/download_notification.js

Used to launch Settings->Download list

 183         var activity = new MozActivity({
 184           name: 'configure',
 185           data: {
 186             target: 'device',
 187             section: 'downloads'
 188           }
 189         });

gaia/gaia/shared/js/download/download_helper.js

Used to open file after download

 176     var activity = new MozActivity({
 177       name: 'open',
 178       data: {
 179         url: download.path,
 180         type: contentType,
 181         blob: blob
 182       }

Gecko

1. Content/Chrome Segregation

DownloadsAPI is implemented using WebIDL. There was a lot of discussion around what to expose in the case when a page does not have the permission present - see bug 957592 for details.

2. Process Segregation

Inter-process communication is performed through DownloadsIPC.jsm & DownloadsAPI.jsm. We are mainly interested in the message which the parent listens for:

• Downloads:GetList
• Downloads:ClearAllDone
• Downloads:Remove
• Downloads:Pause
• Downloads:Resume

Permissions are checked in the parent before processing any messages, using the standard approach:

  144   receiveMessage: function(aMessage) {
  145     if (!aMessage.target.assertPermission("downloads")) {
  146       debug("No 'downloads' permission!");
  147       return;
  148     }

One issue was identified in the way the message was processed however - see bug 966141 for details.

3. Data validation & Sanitization

The API accepts only minimal data from content, and as such the attack surface is very small, and no issues were found.

4. Denial of Service

960739 was identified as a potential DoS scenario.

Concerns

• http://mxr.mozilla.org/mozilla-central/source/b2g/chrome/content/shell.js#748
  • I think we can control ‘keyword’ and this looks like its chrome code
• I think a lot of this just needs to be put through manual testing.
• http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/InterAppCommService.js#349
  • does checking for ‘security’ things. It uses 2 fields each time. ex. aSubAppManifestURL and aPubAppManifestURL. Can i set one of those on my app and ‘bypass’ these tests
• So this uses postMessage, is there any opportunity for other apps just listening for 'message' will be able to intercept sensitivei comms?

manifest

• The installOrigins field inside manifest file limits communications origins. This needs to be tested
  • also, them seem to just be a domain name, are we not doing port, domain, protocol along with app id?