WebAPI Security Discussion: Mobile Connection API

[Lucas Adamski]

Please reply-to dev-w...@lists.mozilla.org

Name of API: Mobile Connection API
Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection

Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content.

Use Cases: The primary use case for this is the status bar of the main phone UI.

Inherent threats:
Access to sensitive information such as:
ICC-related (SIM/RUIM card)
own phone number and other ICC I/O related features
entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance.
changing the PIN (also serves as enabling/disabling the PIN lock.)
device-related
get IMEI, IMEISV
depersonalize (remove network lock)
baseband-related information and features

Threat severity: High

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: None
Authorization model for normal content: None
Potential mitigations: None

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: None
Authorization model: None
Potential mitigations: None

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Telephone status UI
Authorization model: Implicit
Potential mitigations: None

Notes: Some radio feature are also accessible via Settings API

[pther...@mozilla.com]

Final call for comment/changes to the permissions model for this API. Please provide comment by COB Friday June 1.

[reinv...@gmail.com]

I am late to the party on this, only having started Firefox OS development recently, but there's an issue that I've encountered that relates to this API.

I would like to have access, from non-certified apps, to the LAC, MNC, MCC, signal strength and Cell ID that are returned by window.navigator.mozMobileConnection.

Specifically, if:

var conn = window.navigator.mozMobileConnection;

then:

conn.voice.cell.gsmCellId
conn.voice.cell.gsmLocationAreaCode
conn.voice.network.mcc
conn.voice.network.mnc
conn.voice.relSignalStrength

These items can be passed to open systems like OpenCellID.org to return an approximate location, and this can be useful when it's not possible to obtain a GPS lock (indoors, for example) if one needs to present a list of nearby points of interest.

I've developed an app, getcellid, that shows how this might be done:

https://github.com/reinvented/getcellid

And I've developed a Foursquare checkin app, checkin, that could use this facility if it were available:

https://github.com/reinvented/checkin

(right now the app only works outside because that's the only place my Geeksphone Peak can get a GPS lock).

I don't dispute the high threat level of other items exposed by this API, but it seems that these data points would be useful to a variety of apps.

[Matt Basta]

You want to use the navigator.mozMobileNetwork API. You can see an example of it's usage in the wild here:

https://github.com/mozilla/fireplace/blob/master/hearth/media/js/mobilenetwork.js#L263

That will give you the MCC and MNC and some other data. You'll need to request the "mobilenetwork" permission for it to work, which means you'll need to be a privileged app.

Hope this helps!

_______________________________________________
dev-webapps mailing list
dev-w...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-webapps

[Peter Rukavina]

On Wednesday, 10 July 2013 18:19:09 UTC-3, Matt Basta wrote:
> You want to use the navigator.mozMobileNetwork API. You can see an example of it's usage in the wild here:
>
> https://github.com/mozilla/fireplace/blob/master/hearth/media/js/mobilenetwork.js#L263
>
> That will give you the MCC and MNC and some other data. You'll need to request the "mobilenetwork" permission for it to work, which means you'll need to be a privileged app.

I'm confused: I don't see any reference to the "navigator.mozMobileNetwork API" on the list of Firefox OS APIs (https://developer.mozilla.org/en-US/docs/WebAPI) and when I attempt to use the "mobilenetwork" permission in my manifest the simulator complains with "Unknown permission 'mobilenetwork'."

https://bugzilla.mozilla.org/show_bug.cgi?id=866272 seems to be where this additional feature is being discussed

Perhaps this is something not yet supported by my device (Peak running 1.0.1.0-prerelease) or the simulator?

[Harald Kirschner]

Hi Peter,

the permission is listed @ https://developer.mozilla.org/en-US/docs/Web/Apps/App_permissions

Just to make sure, you need to work on a packaged app and set the type to "privileged" to be able to add the permission "mobilenetwork".

To ensure that you have the latest Simulator version, download the latest 4.x preview from https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/ , or wait a short time to see the 4.0 announcement on our hacks blog. It is working in 1.0.1, especially as the Marketplace is using the code linked by Matt.

---
Harald Kirschner | Partner Engineer & Web Craftsman | har...@mozilla.com (mailto:hkirs...@mozilla.com)

> _______________________________________________
> dev-webapps mailing list
> dev-w...@lists.mozilla.org (mailto:dev-w...@lists.mozilla.org)
> https://lists.mozilla.org/listinfo/dev-webapps
>
>

[jeremie....@gmail.com]

As a little addition be aware that the end point is navigator.mozMobileConnection for both certified and privileged application (navigator.mozMobileNetwork does not exist).

That said, note that the information provide are different (certified applications can access more information).

Best,
Jeremie

[Peter Rukavina]

On Wednesday, 10 July 2013 23:35:36 UTC-3, Harald Kirschner wrote:

> Just to make sure, you need to work on a packaged app and set the type to "privileged" to be able to add the permission "mobilenetwork".

> To ensure that you have the latest Simulator version, download the latest 4.x preview from https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/ , or wait a short time to see the 4.0 announcement on our hacks blog.

I've installed the latest Simulator:

https://ftp.mozilla.org/pub/mozilla.org/labs/r2d2b2g/r2d2b2g-4.0pre9-mac.xpi

I've updated my app, "getcellid" to use "mobilenetwork" permission instead of "mobileconnection" and changed its type from "certified" to "privileged":

https://github.com/reinvented/getcellid/tree/mobilenetwork

And yet the Simulator still flags the manifest as invalid:

"Unknown permission 'mobilenetwork'."

Am I still doing something wrong?

[Peter Rukavina]

> And yet the Simulator still flags the manifest as invalid:
>
> "Unknown permission 'mobilenetwork'."

I am wading in way over my head now, but here's what I've found by looking at the Firefox Simulator source.

It's resources/r2d2b2g/lib/validator.js that does the validation of the manifest.

This script loads the list of valid permissions from resource://gre/modules/PermissionsTable.jsm

When I open that URL in Firefox, the "mobilenetwork" permission is NOT listed.

However, in the file included with the Simulator extension:

resources/r2d2b2g/data/mac64/B2G.app/Contents/MacOS/modules/PermissionsTable.jsm

this permission IS listed:

mobilenetwork: {
app: DENY_ACTION,
privileged: ALLOW_ACTION,
certified: ALLOW_ACTION
},

Which makes me think that my Simulator is getting this resource from the wrong place, or from an out of date place.

This discussion has likely exceeded the boundaries of this thread by now, but I'd welcome pointers as to how to address this issue.

[Peter Rukavina]

On Thursday, 11 July 2013 17:24:10 UTC-3, Peter Rukavina wrote:

> Which makes me think that my Simulator is getting this resource from the wrong place, or from an out of date place.

Supplemental:

If I open the URI resource://gre/modules/ in my Firefox it's displayed with:

Index of jar:file:///Applications/Firefox.app/Contents/MacOS/omni.ja!/modules/

at the top of the page, so presumably that's where the PermissionsTable.jsm is coming from, not from the Simulator's verion.

Again, way over my head here.

[Matt Basta]

This is definitely a simulator bug. Feel free to report the issue here:

https://github.com/mozilla/r2d2b2g/issues

It *should* work, though. As a potential temporary workaround, can you check to make sure your version of Firefox is up-to-date?

----- Original Message -----
From: "Peter Rukavina" <reinv...@gmail.com>
To: dev-w...@lists.mozilla.org
Sent: Thursday, July 11, 2013 1:30:41 PM
Subject: Re: WebAPI Security Discussion: Mobile Connection API

_______________________________________________
dev-webapps mailing list
dev-w...@lists.mozilla.org

https://lists.mozilla.org/listinfo/dev-webapps

[Peter Rukavina]

On Thursday, 11 July 2013 17:40:45 UTC-3, Matt Basta wrote:

> This is definitely a simulator bug. Feel free to report the issue here:
>
> https://github.com/mozilla/r2d2b2g/issues
>
> It *should* work, though. As a potential temporary workaround, can you check to make sure your version of Firefox is up-to-date?

Reported the issue here:

https://github.com/mozilla/r2d2b2g/issues/711

(and confirmed here that I'm running Firefox 22.0 and the latest version of the Simulator).