Security/Reviews/Gaia/settings

< Security‎ | Reviews‎ | Gaia

Contents

App Review Details

  • App: Settings
  • Review Date: November 2013
  • Review Leads: Rob Fletcher (:omerta) & Stéphanie Ouillon (:arroway)

Overview

This application allows a user to adjust a myriad of settings on the phone, including topics such as Network & Connectivity, Personalization, Privacy and Security, Storage and Device settings.

Architecture

Components

Relevant Source Code

Application

HTML

  • index.html - Main UI
  • onpair.html - The UI for prompting the user to take a device pair request
  • elements/*.html - The UI for each settings component

JS

Settings components:

  • js/settings.js - The main code to load and display the settings
  • js/utils.js - Different utilities for application; e.g. JSON loader, L10n helper, etc.

Network & Connectivity:

  • js/airplane_mode.js - Manages airplane mode interaction within the settings app
  • js/bluetooth.js - Bluetooth settings and information.
  • js/onpair.js - Deals with pairing of devices based on authentication of confirmation, pass code, or pin code.
  • js/connectivity.js - Displays the connectivity status in the main panel.
  • js/hotspot.js - Hotspot/Tethering settings/information.
  • js/wifi.js - Handle WiFi settings.
  • js/call.js - Call settings and information.
  • js/carrier.js - Carrier settings and information; e.g. read the mcc/mnc codes.
  • js/icc.js - Handling of ICC commands. Relates to SDK for managing SIM card stuff.
  • js/icc_menu.js - "Showing STK main menu"

Personalization:

  • js/sound.js - Sound settings.
  • js/date_time.js - Date and Time settings.
  • js/wallpaper.js - Pick wallpaper.

Privacy & Security:

  • js/security_privacy.js - This library displays the security status in the main pane.
  • js/apps.js - Deals with permissions of apps and uninstalling of apps.
  • js/do_not_track.js
  • js/phone_lock.js - Setting phone lock

SIM Security

  • js/simcard_dialog.js
  • js/simcard_lock.js
  • js/simcard_fdn.js
  • js/simcard_fdn_list.js

Storage:

  • js/storage.js - Application and media storage details.
  • js/app_storage.js - Storage details on apps such as used, free and total amount of memory.
  • js/media_storage.js - Turn on/off UMS
  • js/about.js - About information relating to B2G commit number, about the hardware versions, etc.

Device:

  • js/battery.js - Provides details/management of battery life.
  • js/support.js - Support information.
  • js/factory_reset.js - Appears to be fore resetting to factory settings; mozPower.factoryReset.
  • js/hiddenapps.js - Defines an array of "hidden apps" which include keyboard, wallpaper, bluetooth, and pdfjs

MVVM:

  • mvvm/models.js - Defines two objects (Observable and ObservableArray) to keep track of changes
  • mvvm/views.js - Manipulates the DOM according to changes fired by mvvm/models.js
Shared
shared/js/async_storage.js
shared/js/dump.js
shared/js/l10n.js
shared/js/l10n_date.js
shared/js/lazy_loader.js
shared/js/manifest_helper.js
shared/js/mobile_operator.js
shared/js/settings_listener.js
shared/js/tz_select.js
shared/resources/apn.json
shared/resources/apn_tz.json
shared/resources/keyboard_layouts.json
shared/resources/languages.json
shared/resources/tz.json

Permissions

Hosted
  • "storage":{}
    • There appear to be no calls to appcache or IndexedDB. This permissions may be extraneous. Maybe needed to store the settings ?
  • "desktop-notification":{} - Used in airplane_mode.js to reset notification params
Privileged
  • "device-storage:pictures":{ "access": "readonly" } - Used in the the Display panel (to view the wallpaper)
  • "device-storage:music":{ "access": "readwrite" } - Used to set the ringtones and in the Sound panel (see sound.js)
    •  !! should be “readonly” but see bug 914404 (workaround to set a ringtone)
  • "device-storage:videos":{ "access": "readonly" } - Used in media_storage (hidden in a constant list MEDIA_TYPE at the beginning of the file)
  • "device-storage:sdcard":{ "access": "readonly" } - Used to access SD storage. Check if there is free space on SD card.
  • "audio-channel-notification":{}
Certified
  • "mobileconnection":{} - Used throughout the application to access SIM card
  • "voicemail":{} - Used for voicemail settings
  • "bluetooth":{} - Handle bluetooth settings.
  • "device-storage:apps":{ "access": "readonly" } - Add, read, or modify files stored in the apps location on the device.
  • "webapps-manage":{} - Obtain access to the navigator.mozApps.mgmt API to manage installed Open Web Apps.
  • "permissions":{} - Allow an app to manage other permissions of other apps.
  • "settings":{ "access": "readwrite" } - Configure or read device settings.
  • "wifi-manage":{} - Enumerate available WiFi networks, get signal strength, connect to a network.
  • "attention":{} - Allow content to open a window in front of all other content. Used by telephone and SMS.
  • "time":{} - Set current time. Time zone information is controlled by the Settings API. Formerly called systemclock.
  • "power":{} - Turn the screen on or off, control CPU, device power, and so on. Listen for and inspect resource lock events
  • "idle":{} - Notify the app if the user is idle.
  • "telephony":{} - Access all telephony-related APIs to make and receive phone calls.

Web Activity Handlers

The application makes the following activities available to other apps:

  • configure
    • Used by other applications to launch settings application

Web Activity Usage

The following activities are initiated:

  • ‘dial’ - Used to open URLs of protocol 'tel:' and to call a FDN contact
  • ‘view’ - Used to open URLs that begin without '#'
  • ‘pick’ - Used to pick wallpaper, and to know if purchased media exist to be chosen as ringtone

Code Review Notes

1. XSS & HTML Injection attacks

  • js/languages.js:21: option.innerHTML = lEmbedBegin + languages[lang] + lEmbedEnd;
    • languages[] comes from '/shared/resources/languages.json' so they are presumably safe. If an attacker can change/add languages to languages.json then this would be a legit injection.
  • js/simcard_manager.js:199: this.simCardContainer.innerHTML = simItemHTMLs.join();

2. Secure Communications

There are no instances of sensitive communications over HTTP. Nor are there any leaks via XHR requests.

  • js/feedback.js: need to know where feedbackObj (from currentSettings) comes from. because one of its fields is later used to perform a XHR POST request
    • OK the only field filled with user input is “email” and its verified.

3. Secure data storage

No issues relating to insecure data storage.

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

Security Risks & Mitigating Controls

Actions & Recommendations