Please reply-to [email protected] Name of API: Mobile Connection API Reference: https://wiki.mozilla.org/WebAPI/WebMobileConnection
Brief purpose of API: This exposes information about the current mobile voice and data connection to (certain) HTML content. Use Cases: The primary use case for this is the status bar of the main phone UI. Inherent threats: Access to sensitive information such as: ICC-related (SIM/RUIM card) own phone number and other ICC I/O related features entering PIN, PIN2, PUK, PUK2 to unlock various states of the SIM card. Entering the PIN isn't *that* exotic, actually. Some carriers deliver their SIM cards with the PIN lock enabled, for instance. changing the PIN (also serves as enabling/disabling the PIN lock.) device-related get IMEI, IMEISV depersonalize (remove network lock) baseband-related information and features Threat severity: High == Regular web content (unauthenticated) == Use cases for unauthenticated code: None Authorization model for normal content: None Potential mitigations: None == Trusted (authenticated by publisher) == Use cases for authenticated code: None Authorization model: None Potential mitigations: None == Certified (vouched for by trusted 3rd party) == Use cases for certified code: Telephone status UI Authorization model: Implicit Potential mitigations: None Notes: Some radio feature are also accessible via Settings API _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
