Security/Reviews/WebBluetooth2

From MozillaWiki

WORK IN PROGRESS

FirefoxOS Review Details

  • API: Bluetooth API - Version 2
  • Review Date: September 2014
  • Review Lead: Paul Theriault

Context

Work is currently underway to implement a new version of the Gecko Bluetooth API. The key changes are:

  • new API, using WebIDL
  • Bluetooth will be exposed to privileged apps
  • new Bluetooth profiles supported

Scope

This review focuses specifically on the new API itself. Review of the Gaia bluetooth app Configuration of Wifi via the settings (and other Apps)

As the API is still in development, this review is a design review only (testing to be conducted at a later stage).

Components

  • Bluetooth Manager: Allows getting a list of adapters, and listening for when adapters change (BluetoothAdapterEvents, which detail the adapter's name and MAC address)
  • Bluetooth Adapter: contains all details of an adapter (including MAC address and current discovery state)
    • Contains a bluetoothPairingListener, which is only available to certified apps. This is used to handle pairing requests

Blue

Relevant Source Code

The code for the new API is stored in the /dom/bluetooth2 directory of the Gecko source code: http://dxr.mozilla.org/mozilla-central/source/dom/bluetooth2

Permission Model

  • Paste from PermissionsTable.jsm (see below)
  • Discuss anything special like access
  • Discuss where permissions are enforced (access to object, on IPC messages, at each function call etc)
 "wifi-manage": {
   app: DENY_ACTION,
   privileged: DENY_ACTION,
   certified: ALLOW_ACTION
 },

Review Notes

1. Content/Chrome Segregation

2. Process Segregation

All Bluetooth commands are executed via a "Bluetooth Service". This service has a parent and a child component, and all commands end up being executed in the parent. Most of the parent code is in dom/bluetooth2/ipc/BluetoothParent.cpp.


 GetAdaptersRequest;
 StartBluetoothRequest;
 StopBluetoothRequest;
 SetPropertyRequest;
 GetPropertyRequest;
 StartDiscoveryRequest;
 StopDiscoveryRequest;
 PairRequest;
 UnpairRequest;
 SetPinCodeRequest;
 SetPasskeyRequest;
 ConfirmPairingConfirmationRequest;
 DenyPairingConfirmationRequest;
 ConnectedDevicePropertiesRequest;
 PairedDevicePropertiesRequest;
 FetchUuidsRequest;
 ConnectRequest;
 DisconnectRequest;
 SendFileRequest;
 StopSendingFileRequest;
 ConfirmReceivingFileRequest;
 DenyReceivingFileRequest;
 ConnectScoRequest;
 DisconnectScoRequest;
 IsScoConnectedRequest;
 AnswerWaitingCallRequest;
 IgnoreWaitingCallRequest;
 ToggleCallsRequest;
 SendMetaDataRequest;
 SendPlayStatusRequest;


3. Data validation & Sanitization

4. Denial of Service

Security Risks & Mitigating Controls

Actions & Recommendations

  • List of recommendations, and corresponding bug numbers
  • For sensitive bugs, just put bug number (or omit entirely maybe it is really dangerous & obvious)