WebAPI/Security/NetworkInfo

From MozillaWiki
Revision as of 23:34, 6 August 2012 by Ladamski (talk | contribs)

Name of API: Network Information API Sec

References:

Brief purpose of API: Allow content to determine whether the current network connection is metered, so that apps can limit their consumption

General Use Cases:

  • Read current bandwidth estimate or ask if connection is metered
  • Listen for connection change events

Inherent threats: Privacy (de-anonymize users based on connection change events?)

Threat severity: Low

Regular web content (unauthenticated)

Use cases for unauthenticated code: Read current bandwidth estimate or ask if connection is metered

Authorization model for normal content: Implicit

Authorization model for installed content: Implicit

Potential mitigations: Maybe fuzz the exact time of the network change event, in a similar manner to the idle API.
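
One way the timing-fuzz mitigation could look, as an added sketch that is not Mozilla's implementation or part of the original review: each listener gets an independently randomized delivery delay, so two contexts watching the same device do not see the change at the same instant, and changes that arrive while a notification is pending are coalesced. The names FuzzedConnection, maxJitterMs, rand, schedule and platformChange are assumptions made for this example.

```javascript
// Added example: jittered delivery of connection-change notifications.
// All names here are hypothetical; this is not the Gecko implementation.
class FuzzedConnection {
  constructor(opts = {}) {
    this.maxJitterMs = opts.maxJitterMs ?? 5000;
    // rand() must return a uniform value in [0, 1); the default uses the CSPRNG.
    this.rand = opts.rand ??
      (() => globalThis.crypto.getRandomValues(new Uint32Array(1))[0] / 2 ** 32);
    this.schedule = opts.schedule ?? ((fn, ms) => setTimeout(fn, ms));
    this.metered = false;
    this.listeners = new Map(); // callback -> { pending: boolean }
  }

  addListener(cb) { this.listeners.set(cb, { pending: false }); }
  removeListener(cb) { this.listeners.delete(cb); }

  // Called by the platform when the real connection state changes.
  // Returns the delay (ms) chosen for each listener that was newly scheduled.
  platformChange(metered) {
    this.metered = metered;
    const delays = [];
    for (const [cb, state] of this.listeners) {
      // A notification is already queued: coalesce, so rapid flapping does
      // not hand the listener additional timing points to correlate.
      if (state.pending) continue;
      state.pending = true;
      // Independent draw per listener: no shared timestamp across contexts.
      const delay = Math.floor(this.rand() * this.maxJitterMs);
      delays.push(delay);
      this.schedule(() => {
        state.pending = false;
        // Skip listeners removed (or re-registered) while the timer ran, and
        // report the state at delivery time rather than at change time.
        if (this.listeners.get(cb) === state) cb(this.metered);
      }, delay);
    }
    return delays;
  }
}
```

The jitter window trades notification latency against how tightly two observers can correlate the same change; apps that only need to know whether the connection is metered are not affected by a delay of a few seconds.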

Privileged (approved by app store)

Use cases for privileged code: As above

Authorization model: As above

Potential mitigations: As above

Certified (system-critical apps)

Use cases for certified code: As above

Authorization model: As above

Potential mitigations: As above