Security/Reviews/Gaia/Music
App Review Details
- App: Music
- Review Date: 20 Nov 2015
- Latest Commit: https://github.com/mozilla-b2g/gaia/commit/9563c38e0cd3fbaaec2a40cd525baf7df5098f2f
- Review Lead: Yu Yang ( https://mozillians.org/en-US/u/yuyang753/ )
Overview
Music is the music player application. It plays music stored on the SD card and also allows sharing music via NFC and Bluetooth.
The app keeps a database containing references to audio files and metadata. It uses musicdb to access the files and has code to parse FLAC/ID3/Ogg/MP4 metadata such as song title, artist, album, etc. It can also extract the album art from a file.
Architecture
Components
The following components are used; details can be found at https://gaia-components.github.io/
bridge/ dom-scheduler/ fast-list/ font-fit/ gaia-component/ gaia-dialog/ gaia-fast-list/ gaia-header/ gaia-icons/ gaia-sub-header/ gaia-text-input/ gaia-theme/ gaia-toolbar/ poplar/ serviceworkerware/ sww-raw-cache/
Relevant Source Code
Source code can be found at https://github.com/mozilla-b2g/gaia/tree/master/apps/music
Application code:
- index.html - The UI for the application
- open.html - The UI for the view that is shown for the 'open' Activity
- pick.html - The UI for the view that is shown for the 'pick' Activity
- js/app.js - The code for the main application
- js/db.js - Code for musicdb API to manage audio files and metadata
- js/endpoint.js - Code for music service API
- js/nfc_share.js - Code for sharing songs via NFC
- js/queue.js - Code for Playback Queue
- js/remote.js - Code for updating remote playback status and metadata (synchronize)
- js/view.js - Code shared by all the different views
- js/shims/device-storage.js - Code for device storage
- js/metadata/ - Code for metadata parser that supports different formats of metadata
- js/services/ - Code for different services like database service, playlist service, etc.
- components/
- elements/
- views/ - Code for different views like albums, artists, playlists, songs, etc.
- sw.js - Service worker code
Shared code:
- shared/js/media/remote_controls.js
- shared/js/async_storage.js
- shared/js/bluetooth_helper.js
- shared/js/image_utils.js
- shared/js/intl_helper.js
- shared/js/intl/l20n-client.js
- shared/js/intl/l20n-service.js
- shared/js/lazy_loader.js
- shared/js/mediadb.js
- shared/js/moz_intl.js
- shared/js/omadrm/fl.js
- shared/js/text_normalizer.js
Permissions
The application has the following permissions:
"audio-channel-content": {},
"bluetooth": {},
"device-storage:music": { "access": "readwrite" },
"device-storage:pictures": { "access": "readwrite" },
"nfc-share": {},
"settings": { "access": "readonly" },
"themeable": {},
"moz-extremely-unstable-and-will-change-webcomponents": {}
Web Activity Handlers
The app supports two activities: open (audio) and pick (audio).
- Open - Open an audio file
- Pick - Pick a song and return its playback status like title, artist, album.
Web Activity Usage
The following activities are initiated:
- share (endpoint.js)
Notable Event Handlers
No issues identified
Code Review Notes
1. XSS & HTML Injection attacks
No XSS or Injection attacks were found.
2. Secure Communications
This app does not communicate with any external services.
3. Secure data storage
The musicdb API is implemented in /js/db.js and used to manage music files and metadata on the SD card.
4. Denial of Service
It might be possible to confuse the metadata parser by storing a malformed or specially constructed audio file on the device. This could lead to the library failing to render or to audio files missing from it, neither of which is serious enough to consider.
Since all file parsing is done in high-level JavaScript, there is no way that the above attack could lead to a privilege escalation or code execution attack.
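The mitigation for the failure mode above is to bounds-check every length field and to isolate parse errors per file, so one malformed file cannot stop the library from rendering. The following is an added example, not code from the Gaia js/metadata/ parsers; it covers ID3v2.3/2.4 text frames only, and parseId3v2, scanLibrary and sampleTag are hypothetical names.

```javascript
'use strict';
// Added example; parseId3v2, scanLibrary and sampleTag are hypothetical names.
const WANTED = { TIT2: 'title', TPE1: 'artist', TALB: 'album' };

// ID3v2 sizes are "synchsafe": 4 bytes, 7 bits each, high bit always clear.
function synchsafe(b, off) {
  let n = 0;
  for (let i = 0; i < 4; i++) {
    if (b[off + i] & 0x80) throw new Error('bad synchsafe byte');
    n = (n << 7) | b[off + i];
  }
  return n;
}

function parseId3v2(bytes) {
  if (bytes.length < 10 || String.fromCharCode(bytes[0], bytes[1], bytes[2]) !== 'ID3')
    throw new Error('no ID3v2 header');
  const major = bytes[3];
  if (major !== 3 && major !== 4) throw new Error('unsupported version');
  const end = 10 + synchsafe(bytes, 6);          // declared tag end
  if (end > bytes.length) throw new Error('tag size exceeds file');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const meta = {};
  let pos = 10;
  while (pos + 10 <= end && bytes[pos] !== 0) {  // a zero byte starts padding
    const id = String.fromCharCode(...bytes.subarray(pos, pos + 4));
    const size = major === 4 ? synchsafe(bytes, pos + 4) : view.getUint32(pos + 4);
    const body = pos + 10;
    if (size === 0 || body + size > end) throw new Error('frame overruns tag');
    const text = bytes.subarray(body + 1, body + size);
    if (WANTED[id] && bytes[body] === 3) meta[WANTED[id]] = new TextDecoder().decode(text);
    if (WANTED[id] && bytes[body] === 0) meta[WANTED[id]] = String.fromCharCode(...text);
    pos = body + size;                           // size >= 1, so the loop always advances
  }
  return meta;
}

// One bad file must not abort the scan: list it under its file name instead.
function scanLibrary(files) {
  return files.map(({ name, bytes }) => {
    try { return { name, ...parseId3v2(bytes), parsed: true }; }
    catch (e) { return { name, title: name, parsed: false, error: e.message }; }
  });
}

// Constructed sample input: a v2.4 tag holding one short UTF-8 TIT2 frame.
function sampleTag(title) {
  const t = new TextEncoder().encode(title), n = t.length + 1;
  return Uint8Array.from([0x49, 0x44, 0x33, 4, 0, 0, 0, 0, 0, 10 + n,
    0x54, 0x49, 0x54, 0x32, 0, 0, 0, n, 0, 0, 3, ...t]);
}
```
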
5. Use of Privileged APIs
- DeviceStorage - used to access the audio and picture files
- Settings - used to read locale settings
6. Interfaces with other Apps/Content
Only through Web Activities.