Security/Reviews/Gaia/SystemMessageHandler: Difference between revisions
| Line 21: | Line 21: | ||
* Handle/steal system messages. How about malware that listens to sms-received messages and then forwards those to a remote server. | * Handle/steal system messages. How about malware that listens to sms-received messages and then forwards those to a remote server. | ||
* Send legit messages that have a bad payload to cause trouble | * Send legit messages that have a bad payload to cause trouble | ||
* Exploit faulty permission checks so that normal apps can send or receive messages | |||
* Force a part of the software to emit messages | |||
=== Architecture === | === Architecture === | ||
Revision as of 18:35, 15 February 2013
App Review Details
- System Component: System Message Handler
- Review Date: 15 Feb 2013
- Review Lead: Stefan Arentz
- Review Bug: bug 751025 [Security Review] System Message Handler
Overview
Random notes, restructure:
This is tied to WebActivities. Should we cover that or should we limit this review to just the message passing/handling.
Threads:
- Inject rogue messages into the system, like for example a fake 'sms-received' message.
- Handle/steal system messages. How about malware that listens to sms-received messages and then forwards those to a remote server.
- Send legit messages that have a bad payload to cause trouble
- Exploit faulty permission checks so that normal apps can send or receive messages
- Force a part of the software to emit messages
Architecture
Components
The following DOM API is exposed to support the System Message API:
interface nsIDOMSystemMessageCallback : nsISupports {
void handleMessage(in jsval message);
};
interface nsIDOMNavigatorSystemMessages : nsISupports {
{
void mozSetMessageHandler(in DOMString type, in nsIDOMSystemMessageCallback callback);
boolean mozHasPendingMessage(in DOMString type);
};
The top level api, mozSetMessageHandler, is used by all system components and applications that need to receive messages.
The most common use case is that applications (certified, privileged) use this API to listen to `activity` messages, which are received when another app initiated a MozActivity. For example, in the Camera:
apps/camera/js/camera.js
309 navigator.mozSetMessageHandler('activity', function(activity) {
310 var name = activity.source.name;
311 if (name === 'pick') {
312 Camera.initPick(activity);
313 }
It is also used by system components to listen to more low level components that are not available to just any application. For example:
apps/settings/js/bluetooth.js
320: navigator.mozSetMessageHandler('bluetooth-requestconfirmation',
326: navigator.mozSetMessageHandler('bluetooth-requestpincode',
332: navigator.mozSetMessageHandler('bluetooth-requestpasskey',
338: navigator.mozSetMessageHandler('bluetooth-cancel',
344: navigator.mozSetMessageHandler('bluetooth-pairedstatuschanged',
350: navigator.mozSetMessageHandler('bluetooth-hfp-status-changed',
Relevant Documentation
- Initial Discussion https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.webapi/o8bkwx0EtmM
TODO I don't think there is more official documentation?
Relevant Source Code
- gecko/dom/messages/interfaces/nsIDOMNavigatorSystemMessages.idl
- gecko/dom/messages/interfaces/nsISystemMessagesInternal.idl
- gecko/dom/messages/SystemMessageInternal.js
- gecko/dom/messages/SystemMessageManager.js
- gecko/dom/messages/SystemMessageManager.manifest
- gecko/dom/messages/SystemMessagePermissionsChecker.jsm
Additional files that changed to support the System Messages:
- gecko/b2g/chrome/content/shell.js
- gecko/b2g/chrome/content/shell.js
- gecko/config/autoconf.mk.in
- gecko/dom/base/Navigator.cpp
- gecko/dom/base/Navigator.h
- gecko/dom/base/nsDOMClassInfo.cpp
- gecko/dom/base/nsDOMWindowUtils.cpp
- gecko/dom/base/nsGlobalWindow.cpp
- gecko/dom/base/nsGlobalWindow.h
- gecko/dom/Makefile.in
- gecko/toolkit/toolkit-makefiles.sh