WebAPI/Security/MobileConnection
From MozillaWiki
Mobile Connection API
Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.
Use Cases: The primary use case for this is the status bar of the main phone UI.
Inherent threats: Access to sensitive information such as:
ICC-related (SIM/RUIM card) own phone number and other ICC I/O related features entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance. changing the PIN (also serves as enabling/disabling the PIN lock.) device-related get IMEI, IMEISV depersonalize (remove network lock) baseband-related information and features
Threat severity: High
References:
- https://wiki.mozilla.org/WebAPI/WebMobileConnection
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/WKMpHavP9-Y/discussion
Type | Use Cases | Authorization Model | Notes & Other Controls |
---|---|---|---|
Web Content | None | No access | |
Installed Web Apps | None | No access | |
Privileged Web Apps | None | No access | |
Certified Web Apps | Telephone status UI | Implicit |
Notes
Some radio feature are also accessible via Settings API