W3C

Device API Policy Requirements

W3C Editor's Draft 18 May 2010

This version:
http://dev.w3.org/2009/dap/policy-reqs/
Latest published version:
http://www.w3.org/TR/dap-policy-reqs/
Latest editor's draft:
http://dev.w3.org/2009/dap/policy-reqs/
Previous version:
none
Editors:
Laura Arribas, Vodafone
Paddy Byers, Aplix
Marcin Hanclik, ACCESS Co., Ltd.
Frederick Hirsch, Nokia
David Rogers, OMTP

Copyright © 2010 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.

Abstract

This document includes use cases and policy requirements for device APIs.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This document was published by the Device APIs and Policy Working Group as an Editor's Draft. If you wish to make comments regarding this document, please send them to public-device-apis@w3.org (subscribe, archives). All feedback is welcome.

Publication as a Editor's Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

This document is an editors draft and currently does not reflect consensus of the WG but rather is a starting point for further work. It is based on input documents and list discussion.

The security framework described in this document is intended to be applicable both to widgets and web applications (web site access to Device APIs).

2. Definitions

The following definitions are used in this document.

Access Control

It is referred to the management of controlling access to device API and its underlying resources i.e. whether to allow or disallow the Access Control is a function of two methods that may or may not be mutually exclusive:

  1. Access Control by declaration - refers to a method wherein the author of the application seeks access to specific device APIs i.e. by declaring the application author's intent. Example, by declaring the Feature to which the application intents to access and the domain or network resources that may need to access that particular Feature during the lifecycle of the application.

  2. Runtime Policy Enforcement - refers to method wherein a security policy is applied at the runtime based on underlying implementation of the Device API, which maybe based on several factors e.g. the context in which the device API is accessed, terms of deployment, etc.
Application

Code that may make use of DAP Device APIs. Application code can be widgets or web applications running in a browser, for example.

Device API

A Device API is a collection of Javascript interfaces structured in terms of methods and properties. Device APIs are used by applications to access Device Capabilities.

Device Capability

A Device Capability is a device resource or device functionality, which may require access control.

Examples of device capabilities are the ability to read a local file, or to discover nearby Bluetooth devices, or to send an SMS message. Device Capabilities may be defined in a way that is independent of the specific Device APIs that an application uses to access them.

Although there are simple Device APIs that provide access only to a single Device Capability, there are also more complex APIs that expose multiple Device Capabilities; examples might include a camera API that provides the ability to geotag a photo with the current location, or a messaging API that provides the ability to access documents stored locally and attach them to outgoing messages. Therefore, enabling or disabling access to a specific Device Capability may not directly correspond to enabling or disabling access to a single Device API interface.

Explicit Consent

A user action directly related to a query for the user's consent, for an action to be taken by the application, or for an application lifecycle action. An example of explicit consent for an application action is a positive user response to a query by the web runtime, asking whether an application should be allowed to take a photograph. Examples of explicit consent for an application lifecycle action include a positive user response to a query by:

  • A positive user response to a query by the web runtime upon application installation, asking whether an explicitly disclosed set of API requests by the application should be allowed.
  • A positive user response to a query by the application storefront upon application selection and download, asking whether an explicitly disclosed set of API requests by the application should be allowed.
Feature

A Feature is a set of Device APIs that provides access to specified Device Capabilities. A Feature is the unit of expression of dependencies by Web Applications.

Implicit Consent

A user action that is semantically meaningful in the application context but which also implies that the user wishes the action to proceed. An example is pressing a camera shutter to take a photograph, implying consent to the act of taking a photograph.

3. Policy Use Cases

This section proposes a set of specific use cases to assist in the definition and validation of a policy framework.

Use cases are organised into three categories:

The use cases are not claimed to be exhaustive, but illustrative.

3.1 Policy management

These use cases relate to how a policy is created, configured and maintained.

Use cases vary according to:

3.1.1 Use case PM1: user-controlled configuration

In this use-case:

  • the user of a device is the sole authority that decides access rights of applications;
  • there is a "universal default" initial policy configuration;
  • there is no external policy authority and hence no externally-triggered policy update. Policy maintenance occurs only to the extent that the user modifies configuration settings interactively via a "preferences" facility, or asks the UA to remember certain responses to prompts.

This use-case is the expected case in most situations where there is no external policy authority such as a network operator or enterprise.

Although the initial configuration is "empty" (ie it only contains universal default rules), it is possible for the policy to be extended over time as the cumulative result of explicit user configuration and persistently remembered user decisions.

The configured policy, at any given time, may be stored locally on the device or may be stored remotely and be accessible via a network service, or both.

3.1.2 Use case PM2: user-delegated configuration

In this use-case:

  • the user of a device delegates authority for access control policy to an external service provider;
  • the external service provider provides advice on the trustworthiness of specific applications, and determines an access control policy that embodies that advice. The advice may be based on a knowledgebase of known trustworthy and/or malicious applications, or algorithms for detecting malicious behaviour, or both;
  • the policy defined by the external authority is updated regularly in response to new information on known threats.

The policy configuration provided by the external policy provider may be supplemented by user control as in PM1.

The configured policy, at any given time, may be stored locally on the device or may be stored remotely and be accessible via a network service, or both.

This use-case mirrors current practice with products such as virus scanners or other malware detectors.

3.1.3 Use case PM3: external policy authority

In this use case:

  • an external body has authority over the device and, in particular, security policy configuration.
  • an initial security policy configuration may be provided by the external authority, together with any other associated device configuration (such as root certificates). The configured policy may determine acces control policy without reference to the user, or may refer certain decisions to the user.
  • the policy may be updated periodically under the authority of the policy authority. Policy maintenance may also occur as the cumulative effect of certain user decisions being remembered.

The external policy authority may configure the policy as part of the commissioning of the device (eg a network operator's configuration applied by the manufacturer prior to sale, or an enterprise configuring device policy using a secured device management interface).

In determining the policy, the policy authority has the opportunity to define a policy that supports a specific objective - such as to limit access to APIs to only those web applications that are themselves distributed by the policy authority (eg to control its exposure to the financial risk of abuse of device APIs).

3.2 Policy interoperability

These use cases relate to reading and writing of policy definitions in an interoperable format.

3.2.1 Use case PI1: device-independent policy definition

In this case case, a single policy authority wishes to define and configure a security policy for multiple dissimilar devices. A typical network operator's portfolio many include tens or even hundreds of models, each based on different platforms, and different UAs. A commonly supported interoperable format for configuration of a policy dramatically impacts the practicality of achieving the desired configuration across all devices. This is relevant to Policy Management use case PM3.

3.2.2 Use case PI2: portability of user settings

A user may establish a policy configuration (through explicit configuration of preferences, and remembered decisions) and there is the option of reusing this configuration across multiple devices. A user with multiple devices may wish for their security preferences to be consistent (or to at least have the option of consistency) across those devices. Rather than have to manually configure the preferences on each device, it should be possible for there to be a seamless security experience across devices, e.g. by switching SIM card between devices and as a result automatically applying a policy resident on the SIM card or synchronizing with a network-based policy management system. A specific case is the case where a user wishes to transfer a configuration from an old device to a new device. This is relevant to Policy Management use cases PM1, PM2, PM3.

3.2.3 Use case PI3: policy provisioning as part of service deployment

Configuration of some parts of access control policy may be part of the overall configuration required to enable a particular application or service. This, along with many other configuration parameters, may be remotely configurable via device management. The configuration required to enable a service may be provided by the service provider as a policy fragment, to be added to the overall policy by the policy authority. An interoperable representation of such policy fragments would enable this to be done without authoring the configuration updates separately for each target device, platform, or UA.

3.3 Examples of statements or rules that may be expressed in a policy

These use cases are specific examples of statements or rules that may be expressed in a policy.

Example web site use cases, to give examples of the types of policy that might be expressed:

3.4 Abuse Cases

This section outlines some abuse cases for misuse of APIs.

The landscape that is being created is the enablement of cross-platform, cross-device, easy to develop, highly functional applications based on browser technology that has been proven repeatedly to be untrustworthy - a perfect recipe for evil. Will this meet all the criteria for really successful malware on mobile devices for example?

Up until now the measures taken by the mobile industry have proven highly successful in ensuring no major malware incident has affected the industry. There have been attempts: the MMS-spreading Commwarrior is probably the most infamous, along with the Spyware tool, Flexispy. An additional factor in ensuring the success of mobile security has been the fact that mobile platforms have been too fragmented and complex, therefore not representing an attractive target so far. Existing modus operandi from technology-related attacks can provide indicators as to the types of attack and abuse that can be expected on widgets and web applications as device APIs are opened up.

3.4.1 Abuse Case AC1: Premium Rate Abuse

A widget that seems benign but is actually spewing out SMSs to premium rate numbers without the user’s knowledge. This could be modified from an original safe widget such as a game. For the malware author, the key piece to solve is to dupe the user into thinking that the SMS capability is something that is part of the original application. Examples of this have been seen in the past, created from games and this model could be used for ‘diallers’ too (which plagued the desktop world in the days of dial-up networking). There have been recent warnings about this kind of abuse from security firms.

3.4.2 Abuse Case AC2: Privacy Breach

An application that gains access to locations, contacts and gallery, silently uploading the data in the background to a site owned by the attacker. This is something that has been a clear goal for attackers already. There have been numerous high-profile examples in the past in the mobile world. Celebrities such as Paris Hilton, Miley Cyrus and Lindsay Lohan have all had private pictures, phone numbers and voicemails stolen from devices or networks in clear breach of their privacy. There has been embarrassment for teachers who had their pictures and videos copied by the children in their class and spread around school. The most high-profile case in the UK of a mobile related privacy breach was that of the News of the World's use of voicemail hacking to gain access to private information about Royalty. The Royal editor, Clive Goodman was jailed for four months and the editor, Andy Coulson resigned over this blatant privacy breach. Given the appetite for breaching privacy, users need to be safe in the knowledge that their personal data will not leak in any way.

3.4.3 Abuse Case AC3: Integrity Breach

A widget that replaces the voicemail number with a premium rate number instead? There are number of reasons why an attacker would want to breach the integrity of the device. Simply changing the telephone number of the voicemail that is stored on the device could be enough to make an attacker a lot of money. Users usually have a shortcut key to their voicemail and may not notice for a long time that anything is wrong. A more sinister use could be to plant evidence on a device. Pictures, files and even criminal contacts could potentially be anonymously planted all without the user's consent or knowledge. Proving innocence could suddenly become very difficult. There are also a number of reasons why somebody would want to steal data. The contents of corporate e-mails would be very interesting to a competitor, as would sabotaging data stored in spreadsheets and presentations on the target phone.

3.4.4 Abuse Case AC4: Phishing

A widget that replaces the voicemail number with a premium rate number instead? There are number of reasons why an attacker would want to breach the integrity of the device. Simply changing the telephone number of the voicemail that is stored on the device could be enough to make an attacker a lot of money. Users usually have a shortcut key to their voicemail and may not notice for a long time that anything is wrong. A more sinister use could be to plant evidence on a device. Pictures, files and even criminal contacts could potentially be anonymously planted all without the user's consent or knowledge. Proving innocence could suddenly become very difficult. There are also a number of reasons why somebody would want to steal data. The contents of corporate e-mails would be very interesting to a competitor, as would sabotaging data stored in spreadsheets and presentations on the target phone.

4. Requirements

4.1 User Control

Prompts should be eliminated whenever possible. Many prompts do not provide any meaningful security because:

If prompts are shown and dismissed as a matter of routine, then the user is less inclined to take any security decision seriously, which further undermines the effectiveness of a user-driven access control system.

It is important to note that modal prompts (i.e. prompts that block all other user interaction until dismissed) seriously compromise the user experience. Modal security prompts should be avoided.

Any prompt or dialog that requests a user security decision at runtime (e.g. at the time a sensitive action is attempted) can be non-modal if the API that initiates it is asynchronous. DAP APIs must be designed so that all operations that could potentially trigger a prompt are asynchronous.

If user decisions are themselves expressible in the policy language, then they can be "remembered" by adding a policy-set and/or rule to the policy. Similarly, user configuration settings should be possible in the policy language. This means that the policy document is not just a way of creating an initial policy configuration, but can be the sole and complete representation of the access control configuration at any time.

  • User authorization vs other policy authority

    Support for trust models other than user security decisions needed?

    This issue is who makes security decisions; in particular whether the user is the sole authority for decisions (whether by configuration of settings, or responses to prompts, or both) or there is another authority that determines the rights given to an application.

    Many existing ecosystems for mobile applications are based on a trust model in which a particular distributor (such as a network operator) certifies an application as trustworthy, eliminating run-time user prompts in some cases. This approach avoids the disadvantages of prompts, but at the expense of taking real-time control away from the user in those cases. Other approaches, such as BONDI, do not hard-code this type of trust model, but nonetheless provide for a policy authority to determine an access control policy, and this policy can require that certain decisions are made without reference to the user.

    Although the role of any access control policy, and authority over it, are beyond the scope of this particular issue, DAP's approach to prompting must take these possibilities into account.

  • Granularity of user decisions

    What is the correct granularity of security decisions presented to user? Perhaps this should be stated in policy. What is the linkage to application logic?

    This issue is whether the user is presented with a single security decision that covers multiple operations, or independent prompts for individual operations. Blanket authorization for an application to use multiple APIs, as often as required, eliminates run-time prompts but also may leave the user without the context required to make a meaningful security decision. Also, a user may not be prepared to give blanket approval for a certain operation but may instead wish to give permission in specific circumstances only.

    DAP should not presuppose that an approach involving blanket permissions only (e.g. implicit granting of blanket permission by allowing installation to occur, or an explicit blanket permission given when the application is first run) is the right answer. Different permission granularities have advantages for different use cases and we should require a system that supports all use cases effectively. DAP should follow industry practice in these cases, and provide permission granularities consistent with those widely deployed in the mobile market.

4.1.1 User Control Requirements

  • The security framework must not require User Agents to present modal dialogs to prompt users for security decisions, while the application is running.
    • Note: modal dialogs may be required for security prompts provided during application installation or invocation.
  • The security framework should allow users to have control over general configuration of security decisions
  • The security policy framework should make it possible to record security configuration choices and interactive policy decisions using the policy markup language format.

4.2 Policy

4.2.1 Portable Policy

It should be possible for policy to be defined in a portable device-independent manner.

4.2.1.1 Portable Policy Requirements
  • Security Framework must be separable from policy statements. Note that this may be a consequence of declarative policy statements.
  • Access control policy must be stated in declarative manner.
  • The DAP policy language must define an XML syntax for that language.

4.2.2 Policy Targets

Declarative policy is used for access control decisions for various capabilities, such as actions that may be performed, as invoked by specific API calls for example.

Examples of device capabilities independent of API include the "read local filesystem" device capability or the "geolocation" device capability. A corresponding access control decision based on capability alone is a policy stating that an application shall have no access to geolocation, regardless of API used. Examples of feature access control include a messaging API that permits files to be attached to messages using the "read local filesystem" device capability, or a camera API that permits captured photos to be geotagged, using the "geolocation" device capability.

Capabilities need to be defined portably. Examples of granularity - a shared file needs to be distinguishable from an application's private file, and a Bluetooth port needs to be distinguishable from a USB serial port.

4.2.2.1 Policy Target Requirements
  • Capabilities must be defined for all sensitive device resources and functionality.
  • Capabilities must be identified by strings associated with API definitions produced by the DAP WG.
  • Features must be identified by IRI.
4.2.2.2 Issue - CRUD

Features defined according to CRUD, one feature for Create, Read, Update, Delete?

Feature parameters to avoid explosion of capabilities and features? e.g. file open with either read or write parameter. ( see discussions in minutes of October 7 call )

4.2.3 Policy Integrity

It should be possible for policy to be integrity protected during various points in its life-cycle.

4.2.3.1 Policy Integrity Requirements
  • It must be possible to provide integrity protection and source authentication for policy.

4.3 Security Framework

4.3.1 Security Framework Requirements

  • The DAP security framework must not preclude different authorities defining the security policy.
  • The Security Framework must allow multiple instantiations of a web runtime with independent security decisions
  • The Security Framework must be application language independent
  • The Security Framework must be Javascript capable and define a Javascript binding
  • It must be possible to have separate policy decision and enforcement points
  • The DAP security model should be compatible with the same origin policy.

4.3.2 Access Control Requirements

  • Access control decisions may be made at both the granularity of Features and Device Capabilities.
  • The security framework must support access control decisions based on device capabilities, independent of API.
  • The security framework must support access control decisions based on features (one or more capabilities bound to a device API).
  • The security framework must support sufficient granularity for sensible access control decisions.

( see ISSUE-21 - OPEN ) Is access control at the feature level required or is access control at the device capability level adequate?

5. Out of Scope

A. Acknowledgements

The editors would like to extend special thanks to Nokia, OMTP BONDI, and PhoneGap for providing the foundation of the working group's requirements discussion.

B. References

B.1 Normative references

No normative references.

B.2 Informative references

No informative references.