Contents
App Review Details
- App: Settings
- Review Date: November 2013
- Review Leads: Rob Fletcher (:omerta) & Stéphanie Ouillon (:arroway)
Overview
This application allows a user to adjust a myriad of settings on the phone, including topics such as Network & Connectivity, Personalization, Privacy and Security, Storage and Device settings.
Architecture
Components
Relevant Source Code
Application
HTML
- index.html - Main UI
- onpair.html - The UI for prompting the user to take a device pair request
- elements/*.html - The UI for each settings component
JS
Settings components:
- js/settings.js - The main code to load and display the settings
- js/utils.js - Different utilities for application; e.g. JSON loader, L10n helper, etc.
Network & Connectivity:
- js/airplane_mode.js - Manages airplane mode interaction within the settings app
- js/bluetooth.js - Bluetooth settings and information.
- js/onpair.js - Deals with pairing of devices based on authentication of confirmation, pass code, or pin code.
- js/connectivity.js - Displays the connectivity status in the main panel.
- js/hotspot.js - Hotspot/Tethering settings/information.
- js/wifi.js - Handle WiFi settings.
- js/call.js - Call settings and information.
- js/carrier.js - Carrier settings and information; e.g. read the mcc/mnc codes.
- js/icc.js - Handling of ICC commands. Relates to SDK for managing SIM card stuff.
- js/icc_menu.js - "Showing STK main menu"
Personalization:
- js/sound.js - Sound settings.
- js/date_time.js - Date and Time settings.
- js/wallpaper.js - Pick wallpaper.
Privacy & Security:
- js/security_privacy.js - This library displays the security status in the main pane.
- js/apps.js - Deals with permissions of apps and uninstalling of apps.
- js/do_not_track.js
- js/phone_lock.js - Setting phone lock
SIM Security
- js/simcard_dialog.js
- js/simcard_lock.js
- js/simcard_fdn.js
- js/simcard_fdn_list.js
Storage:
- js/storage.js - Application and media storage details.
- js/app_storage.js - Storage details on apps such as used, free and total amount of memory.
- js/media_storage.js - Turn on/off UMS
- js/about.js - About information relating to B2G commit number, about the hardware versions, etc.
Device:
- js/battery.js - Provides details/management of battery life.
- js/support.js - Support information.
- js/factory_reset.js - Appears to be fore resetting to factory settings; mozPower.factoryReset.
- js/hiddenapps.js - Defines an array of "hidden apps" which include keyboard, wallpaper, bluetooth, and pdfjs
MVVM:
- mvvm/models.js - Defines two objects (Observable and ObservableArray) to keep track of changes
- mvvm/views.js - Manipulates the DOM according to changes fired by mvvm/models.js
shared/js/async_storage.js shared/js/dump.js shared/js/l10n.js shared/js/l10n_date.js shared/js/lazy_loader.js shared/js/manifest_helper.js shared/js/mobile_operator.js shared/js/settings_listener.js shared/js/tz_select.js shared/resources/apn.json shared/resources/apn_tz.json shared/resources/keyboard_layouts.json shared/resources/languages.json shared/resources/tz.json
Permissions
Hosted
- "storage":{}
- There appear to be no calls to appcache or IndexedDB. This permissions may be extraneous. Maybe needed to store the settings ?
- "desktop-notification":{} - Used in airplane_mode.js to reset notification params
Privileged
- "device-storage:pictures":{ "access": "readonly" } - Used in the the Display panel (to view the wallpaper)
- "device-storage:music":{ "access": "readwrite" } - Used to set the ringtones and in the Sound panel (see sound.js)
- !! should be “readonly” but see bug 914404 (workaround to set a ringtone)
- "device-storage:videos":{ "access": "readonly" } - Used in media_storage (hidden in a constant list MEDIA_TYPE at the beginning of the file)
- "device-storage:sdcard":{ "access": "readonly" } - Used to access SD storage. Check if there is free space on SD card.
- "audio-channel-notification":{}
Certified
- "mobileconnection":{} - Used throughout the application to access SIM card
- "voicemail":{} - Used for voicemail settings
- "bluetooth":{} - Handle bluetooth settings.
- "device-storage:apps":{ "access": "readonly" } - Add, read, or modify files stored in the apps location on the device.
- "webapps-manage":{} - Obtain access to the navigator.mozApps.mgmt API to manage installed Open Web Apps.
- "permissions":{} - Allow an app to manage other permissions of other apps.
- "settings":{ "access": "readwrite" } - Configure or read device settings.
- "wifi-manage":{} - Enumerate available WiFi networks, get signal strength, connect to a network.
- "attention":{} - Allow content to open a window in front of all other content. Used by telephone and SMS.
- "time":{} - Set current time. Time zone information is controlled by the Settings API. Formerly called systemclock.
- "power":{} - Turn the screen on or off, control CPU, device power, and so on. Listen for and inspect resource lock events
- "idle":{} - Notify the app if the user is idle.
- "telephony":{} - Access all telephony-related APIs to make and receive phone calls.
Web Activity Handlers
The application makes the following activities available to other apps:
- configure
- Used by other applications to launch settings application
Web Activity Usage
The following activities are initiated:
- ‘dial’ - Used to open URLs of protocol 'tel:' and to call a FDN contact
- ‘view’ - Used to open URLs that begin without '#'
- ‘pick’ - Used to pick wallpaper, and to know if purchased media exist to be chosen as ringtone
Code Review Notes
1. XSS & HTML Injection attacks
- js/languages.js:21: option.innerHTML = lEmbedBegin + languages[lang] + lEmbedEnd;
- languages[] comes from '/shared/resources/languages.json' so they are presumably safe. If an attacker can change/add languages to languages.json then this would be a legit injection.
- js/simcard_manager.js:199: this.simCardContainer.innerHTML = simItemHTMLs.join();
- It appears 'index' is limited to the values defined in [1] and therefore isn't exploitable.
- [1] http://mxr.mozilla.org/gaia/source/apps/settings/js/simcard_manager_simcard_helper.js#30
2. Secure Communications
There are no instances of sensitive communications over HTTP. Nor are there any leaks via XHR requests.
- js/feedback.js: need to know where feedbackObj (from currentSettings) comes from. because one of its fields is later used to perform a XHR POST request
- OK the only field filled with user input is “email” and its verified.
3. Secure data storage
No issues relating to insecure data storage.