WebAPI/Security/MobileConnection

From MozillaWiki

Mobile Connection API

Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.

Use Cases: The primary use case for this is the status bar of the main phone UI.

Inherent threats: Access to sensitive information such as:

- ICC-related (SIM/RUIM card)
  - own phone number and other ICC I/O related features
  - entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance.
  - changing the PIN (also serves as enabling/disabling the PIN lock.)
- device-related
  - get IMEI, IMEISV
  - depersonalize (remove network lock)
- baseband-related information and features

Threat severity: High

References:

| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | None | No access | |
| Certified Web Apps | Telephone status UI | Implicit | |

Notes

Some radio features are also accessible via the Settings API.