Please reply-to dev-weba...@lists.mozilla.org Name of API: Web SMS API References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725
Brief purpose of API: Send and recieve SMS messages General Use Cases: None Inherent threats: * Sending an SMS costs user money, premium SMS services, SMS payments etc * Receiving SMS has privacy implications, SMS also used for 2-factor authentication Threat severity: critical per https://wiki.mozilla.org/Security_Severity_Ratings == Regular web content (unauthenticated) == Use cases for unauthenticated code: App prompts user to send SMS Authorization model for uninstalled web content: Explicit (OS Mediated) Authorization model for installed web content: Explicit (OS Mediated) Potential mitigations: Prompt user to send SMS. User reviews SMS in trusted UI prior to sending. == Trusted (authenticated by publisher) == Use cases for authenticated code: As per regular web content? Authorization model: Explicit (OS Mediated) Potential mitigations: Same as above == Certified (vouched for by trusted 3rd party) == Use cases for certified code: Replacement SMS app Authorization model: implicit Potential mitigations: None beyond certification Notes: Can only certified apps have access to read SMS messages? _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
