WebAPI/Security/MobileConnection: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) (Created page with "Name of API: Mobile Connection API Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection Brief purpose of API: This exposes information about the current mobile voice ...") |
No edit summary |
||
| Line 20: | Line 20: | ||
== Regular web content (unauthenticated) == | == Regular web content (unauthenticated) == | ||
Use cases for unauthenticated code: None | *Use cases for unauthenticated code: None | ||
Authorization model for normal content: None | *Authorization model for normal content: None | ||
Potential mitigations: None | *Potential mitigations: None | ||
== Trusted (authenticated by publisher) == | == Trusted (authenticated by publisher) == | ||
Use cases for authenticated code: None | *Use cases for authenticated code: None | ||
Authorization model: None | *Authorization model: None | ||
Potential mitigations: None | *Potential mitigations: None | ||
== Certified (vouched for by trusted 3rd party) == | == Certified (vouched for by trusted 3rd party) == | ||
Use cases for certified code: Telephone status UI | *Use cases for certified code: Telephone status UI | ||
Authorization model: Implicit | *Authorization model: Implicit | ||
Potential mitigations: None | *Potential mitigations: None | ||
Notes: Some radio feature are also accessible via Settings API | Notes: Some radio feature are also accessible via Settings API | ||
Revision as of 21:54, 30 July 2012
Name of API: Mobile Connection API Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection
Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.
Use Cases: The primary use case for this is the status bar of the main phone UI.
Inherent threats: Access to sensitive information such as:
ICC-related (SIM/RUIM card) own phone number and other ICC I/O related features entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance. changing the PIN (also serves as enabling/disabling the PIN lock.) device-related get IMEI, IMEISV depersonalize (remove network lock) baseband-related information and features
Threat severity: High
Regular web content (unauthenticated)
- Use cases for unauthenticated code: None
- Authorization model for normal content: None
- Potential mitigations: None
Trusted (authenticated by publisher)
- Use cases for authenticated code: None
- Authorization model: None
- Potential mitigations: None
Certified (vouched for by trusted 3rd party)
- Use cases for certified code: Telephone status UI
- Authorization model: Implicit
- Potential mitigations: None
Notes: Some radio feature are also accessible via Settings API