WebAPI/Security/SMS
From MozillaWiki
Web SMS API
Brief purpose of API: Send and receive SMS messages
General Use Cases: None
Inherent threats:
- Sending an SMS costs the user money (premium SMS services, SMS payments, etc.)
- Receiving SMS has privacy implications; SMS is also used for 2-factor authentication
Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings
References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725
Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/58a66963732b09a0/9ae97f65a9e74c78
Type | Use Cases | Authorization Model | Notes & Other Controls |
---|---|---|---|
Web Content | App prompts user to send SMS | No direct access (access via web activities) | |
Installed Web Apps | App prompts user to send SMS | No direct access (access via web activities) | |
Privileged Web Apps | App prompts user to send SMS * | No direct access (access via web activities) | |
Certified Web Apps | SMS app | Implicit | |
Notes
Note that further integration of Web SMS access for privileged apps is planned for the future. This may employ the following mitigating controls:
- Set thresholds or warnings on premium numbers.
- Only allow sending of SMS messages to user-provided contacts.
- Show OS confirmation of message before sending.
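As an added illustration (not code from this page or from Mozilla's SMS implementation), the three controls above combined into one pre-send policy gate in JavaScript; the premium-number pattern, the threshold, the contact list and the `confirm` hook are assumptions chosen for the example.

```javascript
// Added example, not Mozilla's code: a pre-send policy gate implementing the
// three mitigating controls listed above. The premium-number pattern, the
// threshold and the contact list are constructed assumptions for illustration.
const PREMIUM_PATTERN = /^\d{4,6}$/;  // assumption: bare short codes are premium
const PREMIUM_SEND_LIMIT = 2;        // assumption: deny after this many premium sends

// Normalise a number so "+1 (555) 010-0000" and "+15550100000" compare equal.
function normalizeNumber(number) {
  return String(number).replace(/[\s().-]/g, "");
}

// contacts: user-provided numbers (control 2).
// confirm(recipient, body) -> boolean: stand-in for the OS confirmation prompt
// (control 3); the app never gets to skip it.
function createSmsPolicy(contacts, confirm) {
  const allowed = new Set(contacts.map(normalizeNumber));
  let premiumSends = 0;

  return {
    evaluate(recipient, body) {
      const to = normalizeNumber(recipient);
      const reasons = [];
      // Control 2: only user-provided contacts are valid recipients.
      if (!allowed.has(to)) {
        return { decision: "deny", reasons: ["not-in-contacts"] };
      }
      // Control 1: warn on premium numbers and stop once the threshold is hit.
      const premium = PREMIUM_PATTERN.test(to);
      if (premium) {
        if (premiumSends >= PREMIUM_SEND_LIMIT) {
          return { decision: "deny", reasons: ["premium-threshold-exceeded"] };
        }
        reasons.push("premium-number");
      }
      // Control 3: the OS shows the message and the user decides, not the app.
      if (!confirm(to, body)) {
        return { decision: "deny", reasons: [...reasons, "user-declined"] };
      }
      if (premium) premiumSends += 1;
      return { decision: "allow", reasons };
    },
  };
}
```

The returned `reasons` array is what a real implementation would surface in the warning UI or audit log; the counter is per-policy instance, so a production version would persist it per app.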