Many older versions of the Android dialer support a special dial string of "*#06#", which wipes the device. This can be triggered directly from a website by loading the URL "tel:*#06#", which usually involves user confirmation to dial but does not in any way communicate the associated risk to the user.
http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer?utm_medium=referral&utm_source=pulsenews

Lessons to take away from this:

a) APIs that can compromise device/OS integrity or confidential user info should only be exposed through well-defined and documented APIs (i.e. not magic tokens)
b) only expose those APIs through user workflows that explicitly inform and obtain consent from the user before continuing
c) never rely on obfuscation

Lucas.

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
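As an added illustration of lessons (a) and (b), here is a small example of the kind of gate a dialer could put in front of tel: URIs that arrive from a web page, rather than trusting the ordinary "dial this number?" prompt to convey the risk. This is example code written for this page, not code from the post above or from the B2G/Gecko dialer; the function names and the "app"/"web" source labels are assumptions for the example.

```javascript
// Added example (not from the original post or the B2G/Gecko code base).
// Classifies a tel: URI before a dialer acts on it, so that MMI/USSD-style
// strings (anything containing '*' or '#') are never dialled silently on
// behalf of an untrusted source such as a link on a web page.

const TEL_PREFIX = /^tel:/i;

// Roughly the digit and visual-separator set of RFC 3966 (plus the A-D
// extension digits). '*' and '#' are deliberately excluded here so that they
// are handled as control characters rather than as part of a number.
const DIALABLE = /^\+?[0-9A-Da-d\-.()]+$/;

function classifyTelUri(uri) {
  if (typeof uri !== "string" || !TEL_PREFIX.test(uri)) {
    return { kind: "invalid", number: null };
  }
  // Strip the scheme, decode percent-encoding (so "%23" becomes "#" and is
  // caught), and drop RFC 3966 parameters such as ";phone-context=...".
  let number;
  try {
    number = decodeURIComponent(uri.replace(TEL_PREFIX, "")).split(";")[0];
  } catch (e) {
    return { kind: "invalid", number: null }; // malformed percent-encoding
  }
  if (number.length === 0) return { kind: "invalid", number: null };
  if (/[*#]/.test(number)) return { kind: "mmi", number };
  if (!DIALABLE.test(number)) return { kind: "invalid", number: null };
  // Normalise by removing visual separators before handing the number on.
  return { kind: "dialable", number: number.replace(/[\-.()]/g, "") };
}

// Decide what the dialer should do with a request. `source` is "app" for the
// device's own dialer UI and "web" for anything that arrived via a link or a
// web activity (hypothetical labels for this example, not a B2G API).
function handleDialRequest(uri, source) {
  const c = classifyTelUri(uri);
  if (c.kind === "invalid") {
    return { action: "reject", reason: "not a tel: number" };
  }
  if (c.kind === "mmi") {
    // Never let a remote page trigger a device code: the confirmation prompt
    // that exists for ordinary calls tells the user nothing about the risk.
    if (source !== "app") {
      return { action: "reject", reason: "MMI/USSD code from untrusted source" };
    }
    // From the device's own UI, still require an explicit, code-specific prompt.
    return { action: "confirm-device-code", number: c.number };
  }
  return { action: "confirm-call", number: c.number };
}
```

The point of the split is that a generic "place this call?" dialog is not informed consent for a device code; the dialer needs to know what it is about to send before it can ask the user the right question, and a percent-encoded or parameter-laden URI must be normalised first or the check is trivially bypassed.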
