Security/Reviews/WebSMS

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

WebSMS
Target


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • allow web platform to send and recieve SMS messages
    • for messaging apps
  • intended for use in B2G

Links


Main implementation bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674725 DOM API code is here: http://mxr.mozilla.org/mozilla-central/source/dom/sms/ B2G Meta Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=709564 B2g: Pretty complicated, but this page has a good overview of the B2G telephony implementation https://wiki.mozilla.org/B2G/Architecture . See the section called RIL:Telephony. Android: Code is here: http://mxr.mozilla.org/mozilla-central/source/mobile/android/base/GeckoSmsManager.java It is using IPC and JNI to go from the DOM API in C++ to the Java backend. SMS are stored in IndexedDB (in B2G) - all of sending and reading done from the web a Radio layer only handles the radio, only way to access SMS database is via WebAPI Web API


Web api contains functions for sending and getting messages from the message database. There are also events to listen for to cover sent, delivered and received events.

  • Sending: navigator.mozSms.send(num,msg) or navigator.mozSms.send(num[],msg)
  • Events:
    - smssent: happens on all window when a SMS is sent;
    - smsdelivered: happens on all window when a SMS is delivered to the recipient; 
    - smsreceived: happens on all window when a SMS is received.
  • Get message: navigator.mozSms.getMessage(id)
  • Get messages: navigator.mozSms.getMessage(SMSFilter,id)

What solutions/approaches were considered other than the proposed solution?

  • N/A, lots of different APIs

Why was this solution chosen?

  • did not exist prior to this

Any security threats already considered in the design and why?

  • security model = about:config options
    • Defaults are off, and blank respectively:
      • +pref("dom.sms.enabled", false);
      • +pref("dom.sms.whitelist", "");
  • always disabled on android, can be turned on -- but still won't work if the app (Fennec) doesn't have SMS permission on the phone, and it currently doesn't

Threat Brainstorming

  • All local files can send recieve and read SMS?
    • only on B2G, temporarily
  • Sms for 2-factor auth?
  • QUESTION - Does this allow webpage content to send an SMS message?
    • Current plan is that WebSMS would not be within mobile firefox
    • isn't that the point? I guess "apps" aren't necessarily the same as pages.
  • Should we prevent non-ssl connections from using this feature?
    • Could we enforce HSTS?
      • Not sure what validation is done prior to handing messages to radio layer - potential for malformed messages being passed down to radio stack
  • Does IndexedDB (used on B2G) have a similar SQLi-like attack path?
    • Should not be a problem. IndexedDB isn't string-based anywhere, so nothing should be injectable to cause things to happen outside of expected boundaries. I.e. we'll just store bobby tables name in the database.
  • Property "SecReview feature goal" (as page type) with input value "* allow web platform to send and recieve SMS messages
      • for messaging apps
    • intended for use in B2G

    Links


    Main implementation bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674725 DOM API code is here: http://mxr.mozilla.org/mozilla-central/source/dom/sms/ B2G Meta Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=709564 B2g: Pretty complicated, but this page has a good overview of the B2G telephony implementation https://wiki.mozilla.org/B2G/Architecture . See the section called RIL:Telephony. Android: Code is here: http://mxr.mozilla.org/mozilla-central/source/mobile/android/base/GeckoSmsManager.java It is using IPC and JNI to go from the DOM API in C++ to the Java backend. SMS are stored in IndexedDB (in B2G) - all of sending and reading done from the web a Radio layer only handles the radio, only way to access SMS database is via WebAPI Web API


    Web api contains functions for sending and getting messages from the message database. There are also events to listen for to cover sent, delivered and received events.

    • Sending: navigator.mozSms.send(num,msg) or navigator.mozSms.send(num[],msg)
    • Events:
        - smssent: happens on all window when a SMS is sent;
        - smsdelivered: happens on all window when a SMS is delivered to the recipient; 
        - smsreceived: happens on all window when a SMS is received.
    
    • Get message: navigator.mozSms.getMessage(id)
    • Get messages: navigator.mozSms.getMessage(SMSFilter,id)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threats considered" (as page type) with input value "*security model = about:config options
      • Defaults are off, and blank respectively:
        • +pref("dom.sms.enabled", false);
        • +pref("dom.sms.whitelist", "");
    • always disabled on android, can be turned on -- but still won't work if the app (Fennec) doesn't have SMS permission on the phone, and it currently doesn't" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "* All local files can send recieve and read SMS?
      • only on B2G, temporarily
    • Sms for 2-factor auth?
    • QUESTION - Does this allow webpage content to send an SMS message?
      • Current plan is that WebSMS would not be within mobile firefox
      • isn't that the point? I guess "apps" aren't necessarily the same as pages.
    • Should we prevent non-ssl connections from using this feature?
      • Could we enforce HSTS?
        • Not sure what validation is done prior to handing messages to radio layer - potential for malformed messages being passed down to radio stack
    • Does IndexedDB (used on B2G) have a similar SQLi-like attack path?
      • Should not be a problem. IndexedDB isn't string-based anywhere, so nothing should be injectable to cause things to happen outside of expected boundaries. I.e. we'll just store bobby tables name in the database." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
WhobugActionBy WhenCompleted date
ptheriault bug 741871 radio testing (test that our implementation conforms to spec) http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf before releasing B2G phone [NEW] new
ptheriault bug 741872 audit sqlite interface to ensure parameterized queries and other SQLi defenses (I guess this is just the Fennec version?). Before enabled on Android [NEW] new
ptheriault bug 741874 Look at Gaia code - ensure dialer and sms can't be opened in an iframe maybe? Comes back to permissions model of B2G - gaia sms app author is vingtetun on IRC before releasing B2G phone [NEW] new
cdiehl bug 741876 fuzzing PDU before releasing B2G phone [NEW] new
ptheriault develop a list of threats as inputs to permissions model [DONE] complete 2012-03-20
Full Query
ID Summary Priority Status
741871 [Security Review][Action Item]WebSMS - radio stack testing -- RESOLVED
741872 [Security Review][Action Item]WebSMS - sqlite queries -- RESOLVED
741874 [Security Review][Action Item]WebSMS - gaia code review -- RESOLVED
741876 [Security Review][Action Item]WebSMS - PDU fuzzing -- RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);

The given value "

WhobugActionBy WhenCompleted date


ptheriault bug 741871 radio testing (test that our implementation conforms to spec) http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf before releasing B2G phone [NEW] new


ptheriault bug 741872 audit sqlite interface to ensure parameterized queries and other SQLi defenses (I guess this is just the Fennec version?). Before enabled on Android [NEW] new


ptheriault bug 741874 Look at Gaia code - ensure dialer and sms can't be opened in an iframe maybe? Comes back to permissions model of B2G - gaia sms app author is vingtetun on IRC before releasing B2G phone [NEW] new


cdiehl bug 741876 fuzzing PDU before releasing B2G phone [NEW] new


ptheriault develop a list of threats as inputs to permissions model

[DONE] complete 2012-03-20


Full Query
ID Summary Priority Status
741871 [Security Review][Action Item]WebSMS - radio stack testing -- RESOLVED
741872 [Security Review][Action Item]WebSMS - sqlite queries -- RESOLVED
741874 [Security Review][Action Item]WebSMS - gaia code review -- RESOLVED
741876 [Security Review][Action Item]WebSMS - PDU fuzzing -- RESOLVED

4 Total; 0 Open (0%); 4 Resolved (100%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.