There have been some concerns raised recently from Jonas and Doug Turner regarding the WebSMS model, regarding the ability for Privileged apps (The App Type Formerly Known As Trusted, ie. TATFKAT) to send SMS/MMS at all.
Per our current schedule, realistically we can't implement the suggested mitigations such as warning on premium numbers for 1.0. Instead, we could disallow access to SMS/MMS for Privileged apps entirely.
Keep in mind that per the model Privileged apps require review and approval, plus the user is prompted before the app has any access to the SMS API (additionally, we expect that any app requesting this API would also provide an "intended usage", which would in turn be reviewed and approved).
I personally think this risk is reasonable and (unlike other platforms) users who don't think a given app needs SMS access will simply deny the permission prompt.
Thoughts?
Lucas.
On Apr 18, 2012, at 6:20 PM, Lucas Adamski wrote:
> Updated proposal per comments. Looking to close this out unless there are further concerns or discussions in the next 48 hours or so.
>
> Name of API: Web SMS API
> References:
https://bugzilla.mozilla.org/show_bug.cgi?id=674725
>
> Brief purpose of API: Send and recieve SMS messages
> General Use Cases: None
>
> Inherent threats:
> * Sending an SMS costs user money, premium SMS services, SMS payments etc
> * Receiving SMS has privacy implications, SMS also used for 2-factor authentication
>
> Threat severity: critical per
https://wiki.mozilla.org/Security_Severity_Ratings
>
> == Regular web content (unauthenticated) ==
> Use cases for unauthenticated code: App prompts user to send SMS
> Authorization model for uninstalled web content: Explicit (OS Mediated)
> Authorization model for installed web content: Explicit (OS Mediated)
> Potential mitigations: Prompt user to send SMS. User reviews SMS in trusted UI prior to sending.
>
> == Trusted (authenticated by publisher) ==
> Use cases for authenticated code: Full-featured SMS app, integrated messaging apps. Read received SMSes, send MMS/SMS.
> Authorization model: Explicit
> Potential mitigations: Can we filter/warn on premium numbers? Note that premium SMS trojans are currently plaguing the Android platform.
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases for certified code: SMS app
> Authorization model: implicit