Final call for comment/changes to the permissions model for this API. Please provide comment by COB Friday June 1.

On Tuesday, 8 May 2012 06:35:42 UTC+10, Lucas Adamski wrote:
> Please reply-to [email protected]
>
> Name of API: Mobile Connection API
> Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection
>
> Brief purpose of API: This exposes information about the current mobile voice
> and data connection to (certain) HTML content.
>
> Use Cases: The primary use case for this is the status bar of the main phone
> UI.
>
> Inherent threats:
> Access to sensitive information such as:
> ICC-related (SIM/RUIM card)
> own phone number and other ICC I/O related features
> entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card.
> Entering the PIN isn't *that* exotic, actually. Some carriers deliver their
> SIM cards with the PIN lock enabled, for instance.
> changing the PIN (also serves as enabling/disabling the PIN lock.)
> device-related
> get IMEI, IMEISV
> depersonalize (remove network lock)
> baseband-related information and features
>
> Threat severity: High
>
> == Regular web content (unauthenticated) ==
> Use cases for unauthenticated code: None
> Authorization model for normal content: None
> Potential mitigations: None
>
> == Trusted (authenticated by publisher) ==
> Use cases for authenticated code: None
> Authorization model: None
> Potential mitigations: None
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases for certified code: Telephone status UI
> Authorization model: Implicit
> Potential mitigations: None
>
> Notes: Some radio features are also accessible via Settings API
