Hi all,

Here are the use cases defined by the feature today:

* Tom wants to send a text message and selects the SMS app
* Tom can send a new message by:
  * Selecting an existing contact from the Contacts app list
  * Entering a phone number
* Tom is notified of all incoming messages whether he's in the SMS app, on the Home Screen, or in a 3rd party app
* Tom also has the ability to send an MMS (deciding if this is in for v1)
  * MMS supports photos and short videos
* Tom has the ability to search through his history of SMS sent/received
* Tom has the ability to delete specific SMS threads

The cases above look to be addressed by the categories below, but wanted to confirm with the audience here.

Thanks,
Chris

On Apr 18, 2012, at 6:20 PM, Lucas Adamski wrote:

> Updated proposal per comments. Looking to close this out unless there are
> further concerns or discussions in the next 48 hours or so.
>
> Name of API: Web SMS API
> References: https://bugzilla.mozilla.org/show_bug.cgi?id=674725
>
> Brief purpose of API: Send and receive SMS messages
> General Use Cases: None
>
> Inherent threats:
> * Sending an SMS costs user money, premium SMS services, SMS payments etc
> * Receiving SMS has privacy implications, SMS also used for 2-factor
>   authentication
>
> Threat severity: critical per
> https://wiki.mozilla.org/Security_Severity_Ratings
>
> == Regular web content (unauthenticated) ==
> Use cases for unauthenticated code: App prompts user to send SMS
> Authorization model for uninstalled web content: Explicit (OS Mediated)
> Authorization model for installed web content: Explicit (OS Mediated)
> Potential mitigations: Prompt user to send SMS. User reviews SMS in trusted
> UI prior to sending.
>
> == Trusted (authenticated by publisher) ==
> Use cases for authenticated code: Full-featured SMS app, integrated messaging
> apps. Read received SMSes, send MMS/SMS.
> Authorization model: Explicit
> Potential mitigations: Can we filter/warn on premium numbers? Note that
> premium SMS trojans are currently plaguing the Android platform.
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases for certified code: SMS app
> Authorization model: implicit
> Potential mitigations: None beyond certification
> _______________________________________________
> dev-b2g mailing list
> dev-...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-b2g

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
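
The three-tier authorization model in the quoted proposal, sketched as a policy check. This is an added example, not part of the thread and not Mozilla code; the function names, the `ctx` flags and the premium prefixes are assumptions, and denying reads to regular web content is an inference from the proposal listing that use case only for trusted apps.

```javascript
// Added illustration of the proposal's tiers; all identifiers are hypothetical.
const TIERS = new Map([
  ["web",       { send: "os-mediated", read: false }], // regular web content
  ["trusted",   { send: "explicit",    read: true  }], // authenticated by publisher
  ["certified", { send: "implicit",    read: true  }], // vouched for by 3rd party
]);

// Constructed sample prefixes; real premium ranges vary by carrier and country.
const PREMIUM_PREFIXES = ["+1900", "+44909"];

function isPremium(number) {
  const n = number.replace(/[\s\-().]/g, ""); // normalise before matching
  return PREMIUM_PREFIXES.some((p) => n.startsWith(p));
}

// ctx.permissionGranted: user granted this app the SMS permission (explicit model).
// ctx.userReviewed: user reviewed and confirmed this message in trusted OS UI.
function authorizeSend(tier, number, ctx = {}) {
  const policy = TIERS.get(tier);
  if (!policy) return { allow: false, reason: "unknown tier" }; // fail closed
  if (policy.send === "os-mediated") {
    // The app may only ask; the OS shows the message and the user sends it.
    return ctx.userReviewed
      ? { allow: true, reason: "user confirmed in trusted UI" }
      : { allow: false, reason: "needs OS-mediated review" };
  }
  if (policy.send === "explicit") {
    if (!ctx.permissionGranted) {
      return { allow: false, reason: "permission not granted" };
    }
    // Mitigation raised in the proposal: warn on premium numbers after the grant.
    if (isPremium(number) && !ctx.userReviewed) {
      return { allow: false, reason: "premium number: warn user" };
    }
    return { allow: true, reason: "explicit grant" };
  }
  // Implicit: no mitigation beyond certification, per the proposal.
  return { allow: true, reason: "certified app" };
}

function authorizeRead(tier) {
  const policy = TIERS.get(tier);
  return Boolean(policy && policy.read);
}
```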