Security/Reviews/B2GWebActivities

   

     Full Query    

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

• Wiki: https://wiki.mozilla.org/WebAPI/WebActivities
• Threads:https://groups.google.com/d/topic/mozilla.dev.webapi/pxt4JDI_pb0/discussion
  • also https://groups.google.com/group/mozilla.dev.webapi/browse_thread/thread/a3c6e4c31d04b663/ for background" contains strip markers and therefore it cannot be parsed sufficiently.

• Property "SecReview feature goal" (as page type) with input value ";Summary:
  • the caller call new Activity(activityOptions);
    • if there is a default app to handle that activity:
      • run the default app
    • else if there is only one app able to handle that activity:
      • run the app
    • else:
      • show a UI with application names and icons so the user can select the one that should be used;
    • the app handling the activity is called and does what it has to do.
  • The security threats depend on what the activity is.
  • Data Passing

  Communication is based on DomRequest Caller waits for the onSuccess event, and then reads result Handler uses postResult to send the data Data is passed using a structured clone - allows more than JSON (e.g. date, bytearray etc) Two ways to handle intents - inline (e.g. iframe on top of current content, but decided by UA) - window (DomWindow)

  The idea is that any pages or apps could register to be a handler. It is unlikely that the b2g browser will support pages being handlers." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
• Property "SecReview alt solutions" (as page type) with input value "Why we are not using web intents, and instead using web activities:
  • Intents are a subset of Android intents
    • Web Activities" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "*Construct a regex that is slow to execute

  ** Regex throws if you try to do that
  

  • Steal sensitive data by handling a sensitive activity
    • If multiple apps are registered, the user chooses. (possibly a spoofing risk here?)
      • Spoofing risk mitigations: show app name and icon
    • introduce filters/checks for privileged activities
    • require user interaction for launching an activity (similar to popup blocking)
    • When a webpage registers to handle an activity we should put up a prompt.
    • When a activity is started, we should *always* display the list of handlers and let the user choose. Unless either the user has chosen a default handler, or if there is only one handler and that handler is trusted certified
  • DoS other apps by returning spurious data
  • App fires an activity without the user expecting
  • Apps can use this to get themselves launched - how will the user know they have changed apps?
    • Always show the choosing UI unless the user has chosen a default" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.