WebAPI/Security/pushNotificationsAPI
Push Notifications API
References:
- https://wiki.mozilla.org/WebAPI/PushAPI
- https://bugzilla.mozilla.org/show_bug.cgi?id=747907
- https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.webapi/doBebGwUTNE
- Security Discussion: https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.webapps/Sff8MqFSO4E
Brief purpose of API: Provide a mechanism for websites to push small notifications to subscribed applications on the client, even when they aren't currently running. It is an asynchronous notification channel for apps, with store-and-forward capabilities.
General Use Cases: IM messaging apps. Website activity notifications (auctions, online price alerts, travel advisories and flight status, banking activity, etc).
Inherent threats:
- Spoofing notifications could lead the user to disclose sensitive information
- Spoofing messages could trick an app into disclosing sensitive information (i.e. submit info to a URL...) or otherwise taking action on behalf of the attacker.
- Spoofing of notifications to system-critical applications could result in a variety of attacks, from information disclosure to device compromise.
Threat severity: High, possibly Critical depending on usage
Regular web content (unauthenticated)
Use cases for unauthenticated code: Same
Authorization model for normal content: None?
Authorization model for installed content: Implicit
Potential mitigations: Airplane mode?
Privileged (approved by app store)
Use cases for privileged code: Same
Authorization model: Implicit
Potential mitigations: Same
Certified (system-critical apps)
Use cases for certified code: Do we use this API for any system-sensitive operations, like app updates, payments, etc?
Authorization model: Implicit
Potential mitigations: Same