WebAPI/Security/pushNotificationsAPI

Push Notifications API

References:

• https://wiki.mozilla.org/WebAPI/PushAPI
• https://bugzilla.mozilla.org/show_bug.cgi?id=747907
• https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.webapi/doBebGwUTNE
• Security Discussion: https://groups.google.com/forum/?fromgroups#!topic/mozilla.dev.webapps/Sff8MqFSO4E

Brief purpose of API: Provide an mechanism for websites to push small notifications to subscribed applications on the client, even when they aren't currently running. Asynchronous notification channel for apps with store and forward capabilities.

General Use Cases: IM messaging apps. Website activity notifications (auctions, online price alerts, travel advisories and flight status, banking activity, etc).

Inherent threats:

• Spoofing notifications could lead user to disclosing sensitive information
• Spoofing messages could trick an app into disclosing sensitive information (i.e. submit info to URL..) or otherwise take action on behalf of the attacker.
• Spoofing of notifications to system-critical applications could result in a variety of attacks, from information disclosure to device compromise.

Threat severity: High, possibly Critical depending on usage

Regular web content (unauthenticated)

Use cases for unauthenticated code: Same

Authorization model for normal content: None?

Authorization model for installed content: Implicit

Potential mitigations: Airplane mode?

Privileged (approved by app store)

Use cases for privileged code: Same

Authorization model: Implicit

Potential mitigations: Same

Certified (system-critical apps)

Use cases for certified code: Do we use this API for any system-sensitive operations, like app updates, payments, etc?

Authorization model: Implicit

Potential mitigations: Same