Security/Reviews/Gaia/bluetooth
App Review Details
- App: Bluetooth
- Review Date: 5th March 2003
- Review Lead: Paul Theriault
Overview
The bluetooth app is a small app used only to facilitate the transfer of files via bluetooth. It does not have an icon on the homescreen; instead, it is triggered by an app launching a web activity.
Architecture
Components
The bluetooth app consists of one HTML page which is designed to accept web activity share requests.
Relevant Source Code
The main source code is contained in: http://mxr.mozilla.org/gaia/source/apps/bluetooth/js/transfer.js
Permissions
The bluetooth app has the following permissions:
"permissions": {
  "bluetooth": {},
  "device-storage:sdcard": { "access": "readonly" },
  "settings": { "access": "readwrite" }
}
- Bluetooth is needed to send files via bluetooth.
- device-storage is used to monitor remaining disk space.
- settings access is needed to monitor and change the "bluetooth.enabled" setting.
Web Activity Handlers
The bluetooth app accepts one web activity as described in its web app manifest:
"activities": {
  "share": {
    "filters": { "number": 1 },
    "disposition": "inline",
    "returnValue": true,
    "href": "/transfer.html"
  }
}
Web Activity Usage
Notable Event Handlers
Code Review Notes
1. XSS & HTML Injection attacks
Several instances of innerHTML are used, but output is escaped safely.
2. Secure Communications
N/A, doesn't make network connections (apart from bluetooth obviously)
3. Secure data storage
N/A
4. Denial of Service
Web pages could launch the bluetooth app without user interaction. Perhaps it should only be possible to launch the bluetooth app from the user-chosen web activity.
5. Use of Privileged APIs
This app uses devicestorage:sdcard to load the files it is about to send. This was a temporary fix, and should probably now be changed. See the comment in the code regarding bug 811615.
6. Interfaces with other Apps/Content
As above, any content can launch the bluetooth transfer page via a web activity.
Security Risks & Mitigating Controls
- User is tricked into sending a file
Any website could try to guess a file name on the sdcard and prompt the user to send it. There is no indication in the bluetooth app that you are about to send a file. However, prior to sending the file, the user needs to go through a step of pairing a device, which mitigates this risk pretty effectively (it would be very hard to 'accidentally' pair with another device).
- Website repeatedly fires up bluetooth app to consume power as a DoS
Web activities can't be fired from the background, so this wouldn't work after the user hid the browser.
Actions & Recommendations
Discussing remediation with bluetooth app developers at the moment:
1. The UI shown when you are about to send a file doesn't actually tell you that you are about to send a file (it just shows a list of paired devices). The user may not have initiated this web activity (e.g. new MozActivity({name: 'share', data: {number: 1, filenames: ["screenshots/1980-01-06-00-18-06.png"]}}) starts the bluetooth app without a prompt).
- Show some title or prompt to tell the user what is about to happen
2. Bug 811615 is marked as fixed now - does this mean that we could change to receiving blobs with metadata instead of having the transfer app have sdcard permission?
3. Validate the file paths prior to using them
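One way recommendation 3 could look, as an added example that is not taken from the Gaia source: the activity data is checked against the manifest filter and each path is checked before it is handed to device storage. The function names, the rejection reasons and the length limit are assumptions made for this sketch.

```javascript
// Added example (hypothetical helpers, not Gaia code): validate the data of
// an incoming "share" activity before any path reaches device storage.
const MAX_PATH_LENGTH = 255; // assumed limit for this sketch

// Returns null when the name is acceptable, otherwise a rejection reason.
function checkFilename(name) {
  if (typeof name !== 'string' || name.length === 0) return 'not a non-empty string';
  if (name.length > MAX_PATH_LENGTH) return 'too long';
  if (/[\u0000-\u001f\\]/.test(name)) return 'control character or backslash';
  if (name.startsWith('/')) return 'absolute path';
  const segments = name.split('/');
  if (segments.some((s) => s === '' || s === '.' || s === '..')) {
    return 'empty, "." or ".." path segment';
  }
  return null;
}

// Validates the activity data against the manifest filter (number: 1).
function validateShareRequest(data) {
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'missing activity data' };
  }
  if (!Array.isArray(data.filenames)) {
    return { ok: false, reason: 'filenames is not an array' };
  }
  if (data.number !== 1 || data.filenames.length !== data.number) {
    return { ok: false, reason: 'expected exactly one file' };
  }
  for (const name of data.filenames) {
    const reason = checkFilename(name);
    if (reason) return { ok: false, reason: reason };
  }
  // Return a copy so later changes by the caller cannot alter checked paths.
  return { ok: true, filenames: data.filenames.slice() };
}

// Constructed sample requests; the first is the one quoted in the review.
const samples = [
  { number: 1, filenames: ['screenshots/1980-01-06-00-18-06.png'] },
  { number: 1, filenames: ['../other/file.txt'] },
  { number: 1, filenames: ['/absolute/file.txt'] },
  { number: 1, filenames: ['a.png', 'b.png'] },
];
for (const s of samples) {
  console.log(JSON.stringify(s.filenames), '->', JSON.stringify(validateShareRequest(s)));
}
```

The validated list is also what a confirmation title (recommendation 1) would display, so the user sees the same paths that will be read.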