ContextQMD
Back to Thunderbird Android

πŸ“– Threat Modeling Guide

docs/security/threat-modeling-guide.md

6.90424.2 KB
Original Source

πŸ“– Threat Modeling Guide

This guide walks you through how to apply the STRIDE methodology for identifying and addressing security risks in Thunderbird’s mobile clients. Each step includes examples specific to Android/iOS email handling. Use it during design, feature work, and release planning. Keep sessions short and focused.

[!NOTE] Start small. Pick a single feature or flow. The goal is to surface and mitigate risks early, not to produce perfect documentation.

STRIDE Quick Reference

We’ll use the STRIDE framework to help identify common types of threats:

  • Spoofing: Impersonating someone or something else (e.g., faking identity, app, servers).
  • Tampering: Unauthorized modification of data, code or configuration (e.g., altering a file, changing network packets).
  • Repudiation: Denying actions that occurred without reliable attribution/logging
  • Information Disclosure: Revealing sensitive data to unauthorized individuals (e.g., leaking PII, credentials).
  • Denial of Service: Preventing legitimate users from accessing a service or resource (e.g., crashing a server, exhausting resources).
  • Elevation of Privilege: Gaining unauthorized access to higher-level permissions (e.g., a regular user becoming an administrator).

How to use this guide

Below is a simple, repeatable workflow. Each section provides prompts and examples. Capture notes in your feature’s issue/PR or a short doc.

Threat Modeling Workflow

1. Project Overview

What to do:

Write down what Thunderbird Mobile is, what it does, and its major features. This frames the context of your threat model.

Example:

  • Project Name: Thunderbird for Android
  • Description: A mobile email client providing access to IMAP/POP3/SMTP accounts with support for OAuth, local message storage, PGP/SMIME, and notifications.
  • Key Features: Account setup, secure login, message sync, local storage, notifications, attachments, encryption support.

2. Define Scope

What to do:

Pick one area to model at a time. Define clear boundaries. Don’t try to cover the entire app in one go.

Examples:

  • Account authentication and credential storage
  • OAuth2 login for Gmail/Outlook providers
  • Message synchronization with mail servers: connection management, IDLE, message fetch
  • Local message storage and full‑text index
  • Attachment handling: view/save/share flow
  • Background services and notifications (Android)
  • OpenPGP signing/encryption/decryption (Android)

3. Draw a System Diagram

What to do:

Draw a simple diagram (use Mermaid) of the project within your chosen scope. Identify:

  • Key Components: UI, storage, crypto, background jobs, network services
  • Data Flows: How information moves between components.
  • Trust Boundaries: Where different levels of trust exist (e.g., separating user input from backend processing, public network vs. internal network).
  • Actors: User, external systems, third-party services, Attackers
  • Data Stores: Local database (messages, headers, metadata), file storage (attachments, cache), Android Keystore (tokens/keys), logs/metrics (if enabled), cryptographic keyrings

Example (Account Authentication):

  • Actors: User, Thunderbird app, IMAP/SMTP server, OAuth provider, Attacker, Push providers, OS keychain, other apps via Intents/Shares
  • Data Flows:
    • User enters credentials or OAuth flow
    • App exchanges tokens with server
    • Tokens stored locally in Keystore/Secure Enclave
  • Trust Boundaries:
    • User input (untrusted) β†’ App UI
    • App β†’ Mail server (TLS required)
    • App β†’ Local storage (protected by OS sandbox & keystore)

Use this Mermaid diagram as a starting point; copy it into your notes and adjust for your scope.

mermaid
flowchart LR
   subgraph Interaction 
       USER[End User]
       ATTACKER[Attacker: Malicious App, Network, User]
   end 
    
  subgraph "Mobile Client"
     APP[Mobile App]
     CRYPTO[Crypto: OpenPGP/S-MIME]
     STORAGE[Local Storage: SQLite, Files, KeyStore]
     BACKGROUND[Background Services: Sync, Notifications]
     OAUTH[OAuth via Browser/Custom Tabs]
  end

  subgraph "External Services"
     OAUTH_PROVIDER[(OAuth2 Providers: Google/Microsoft/etc)]
     PUSH[(Push: FCM, APNs)]
     MAIL[(IMAP/POP3 Servers)]
     SMTP[(SMTP Servers)]
     AUTO_CONFIG[(Autoconfig/Autodiscover)]
  end

  USER -->|Uses app| APP
  ATTACKER -.->|Phishing, MITM, Malicious app| APP
  APP <--> STORAGE
  APP <--> CRYPTO
  APP <--> BACKGROUND
  APP -->|OAuth browser| OAUTH --> OAUTH_PROVIDER --> APP
  BACKGROUND <--> PUSH
  BACKGROUND <--> MAIL
  BACKGROUND <--> SMTP
  APP <--> AUTO_CONFIG

  classDef external fill:#fff3,stroke:#f66,stroke-width:2px;
  class MAIL,AUTO_CONFIG,OAUTH_PROVIDER,PUSH,SMTP external;

4. Identify Assets

What to do:

List what you want to protect for your scope.

  • Data: Credentials, tokens, email content, attachments, keys, contacts
  • Functionality: Ability to send/receive email, sync, notifications
  • Reputation: User trust, brand image, compliance with store policies
  • Availability: Access to email, notifications working, sync reliability

5. Identify Threats (Using STRIDE)

What to do:

For each component, data flow, and interaction identified in your diagram, ask STRIDE questions:

Example:

Component / Data Flow / InteractionSpoofingTamperingRepudiationInformation DisclosureDoSElevation of Privilege
OAuth2 Login (App ↔ OAuth Provider)Fake OAuth page via phishing/intent hijackIntercept/alter redirect URIUser denies consent laterTokens/PII leaked in logs/URLsProvider rate limitsApp requests excessive scopes
Password Auth (App ↔ Mail/SMTP)MITM captures creds / server spoofModify TLS sessionDeny failed loginsCredentials in memory/backupsBrute-force lockoutsApp uses elevated IMAP/SMTP roles
IMAP/SMTP TLSSpoof certs without pinningDowngrade protocol/cipherβ€”Metadata leaks in trafficConnection exhaustionProtocol quirks abused
Local StorageMalicious app pretends to be ThunderbirdDB/file tampering on rooted deviceUser denies local actionLeaks via backups/cacheStorage exhaustionSandbox escape
Keystore / KeychainFake app tries to use aliasKey misuseβ€”Extraction on rooted/jailbroken devicesKeystore unavailableHardware bypass
OpenPGP / S-MIMEKey ownership spoofingKeyring/signature tamperingDispute sent signaturesDecrypted data in RAM/tmpExpensive crypto stalls UIAccess other apps’ keys
Attachments & SharingMalicious target app interceptsTemp file tamperingβ€”World-readable URIsHuge file upload stallsExcess file access
NotificationsFake notification spoofAlter PendingIntentsβ€”Sensitive lockscreen previewsSpam stormsPrivileged actions triggered
Background SyncFake wakeups/intentsJob params alteredβ€”Logs leak PIIEndless sync drains batteryPrivileged execution
AutodiscoveryMalicious config hostAlter SRV/HTTP responseβ€”Domain/email leaked to third partiesSlow setup blocksElevated server access
Inter-app IntentsOther app claims TB filtersExtras modifiedβ€”Data leaked to unintended receiversIntent floodsBypass auth gates
Logging / Telemetryβ€”Log modificationUser denies actionsPII in logsDisk filledLogs help attacker
iOS Keychain & APIsPhishing ASWebAuthSessionKeychain tamperβ€”Keys/files leak to iCloudBackground fetch abusedApp Group misuse

6. Add Mitigations

What to do:

For each threat, describe what you’ll do about it.

Example:

Threat IdentifiedProposed Mitigation
OAuth redirect interception / fake OAuth pageUse system browser (Custom Tabs / ASWebAuthSession); claimed HTTPS redirect URIs; verify state/nonce; PKCE; minimize scopes; store tokens in Keystore/Secure Enclave; rotate refresh tokens
Redirect URI tamperingEnforce exact redirect match; strict validation
Excessive OAuth scopesScope minimization; review/limit permissions
MITM during password authenticationTLS 1.2+ (prefer 1.3); strict hostname verification; consider pinning for known providers; prefer implicit TLS over STARTTLS
Credential leakage (memory, logs, backups)Encrypt at rest with Keystore-derived keys; zeroize memory; redact logs; protect screenshots; mark sensitive dirs as no-backup
IMAP/SMTP STARTTLS downgradePrefer implicit TLS; reject weak suites; enforce hostname checks
Local DB tamperingEncrypt per-account DB keys (wrapped by Keystore); integrity checks
Local DB leakage via backups/cacheInternal app storage only; opt-out sensitive paths from auto backup; FileProvider URIs with time-limited grants
Spoofed notificationsOnly accept OS push channels (FCM/APNs); verify app identity
Sensitive lock-screen previewsRedact by default; user toggle for previews; use immutable PendingIntents and explicit components
PendingIntent tamperingUse FLAG_IMMUTABLE; explicit component declarations
Attachment exfiltration via world-readable filesSAF/DocumentFile APIs; FileProvider URIs; no world-readable files; enforce MIME checks and size limits
Sync loops draining battery/dataBackoff with jitter; network/battery constraints; circuit breakers; validate job inputs
Malicious autodiscovery configsPrefer HTTPS; validate domains; ship trusted provider directory; warn on insecure configs
OpenPGP/S-MIME plaintext residueIsolate decrypted buffers; wipe temp files; constant-time crypto; disable remote content by default; clear trust UX
Token theft from logsStructured logging with allowlist fields; redact headers/URLs
Intent spoofing / inter-app abuseMinimize exported components; explicit intents; verify caller UID; require permissions
Logging/Telemetry leaksOpt-in; redact PII; bounded retention; local-first storage
iOS Keychain/data leakageUse kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly; careful App Groups; minimize iCloud backup; strong ATS/TLS

7. Risk Ranking (Optional, but recommended)

What to do:

Label each threat High/Medium/Low based on likelihood and impact.

  • High: likely and/or severe impact β†’ prioritize now
  • Medium: plausible and moderate β†’ schedule soon
  • Low: unlikely or low impact β†’ backlog/accept with rationale

Example:

  • High: Credential theft, insecure storage, MITM, data leakage
  • Medium: DoS via login brute force, excessive sync, notification spam
  • Low: Repudiation of sent messages, log tampering

Perfect πŸš€ β€” here’s a ready-to-use Markdown template file your team can copy for any new feature or flow in Thunderbird Mobile. It includes placeholders for each section, an empty system diagram stub, and separate Threats and Mitigations tables.

πŸ“– Threat Modeling Template

Use this template when modeling a new feature or flow.

Title

1. Project Overview

  • Project Name:
  • Description:
  • Key Features:

2. Scope

  • Scope for this session

3. System Diagram

mermaid
flowchart LR
  USER[User] --> APP[Thunderbird App]
  ATTACKER[Attacker] -.-> APP

  subgraph Device
    APP --> COMPONENT1[Component 1]
    APP --> COMPONENT2[Component 2]
  end

  subgraph External
    SERVICE1[(External Service 1)]
    SERVICE2[(External Service 2)]
  end

  APP --> SERVICE1
  APP --> SERVICE2

4. Assets

  • Data:
  • Functionality:
  • Reputation:
  • Availability:

5. Threats

Component / FlowSpoofingTamperingRepudiationInformation DisclosureDoSElevation of Privilege
Example Flow A
Example Flow B
Example Flow C

6. Mitigations

Threat IdentifiedProposed Mitigation
Threat 1Mitigation 1
Threat 2Mitigation 2
Threat 3Mitigation 3

7. Risk Ranking

  • High: Likely and/or severe β†’ prioritize now.
  • Medium: Plausible and moderate β†’ schedule soon.
  • Low: Unlikely or low impact β†’ backlog or accept with rationale.

πŸ›‘οΈ Example 1: Account Authentication

1. Project Overview

  • Project Name: Thunderbird for Android/iOS – Account Authentication
  • Description: Handling account setup, login, and credential storage for IMAP/SMTP or OAuth2 providers.
  • Key Features: Password auth, OAuth2 flows (Google/Microsoft), token storage, secure connections.

2. Scope

  • Account authentication and credential storage.

3. System Diagram

mermaid
flowchart LR
  USER[User] --> APP[Thunderbird App]
  ATTACKER[Attacker] -.-> APP

  subgraph Device
    APP --> STORAGE[Local Storage: DB/Files]
    APP --> KEYSTORE[Keystore/Secure Enclave]
    APP --> OAUTH_FLOW[OAuth Flow via Browser]
  end

  subgraph External
    OAUTH_PROVIDER[(OAuth Provider)]
    MAIL[(IMAP/POP3 Servers)]
    SMTP[(SMTP Servers)]
  end

  OAUTH_FLOW --> OAUTH_PROVIDER --> APP
  APP --> MAIL
  APP --> SMTP

4. Assets

  • Data: User credentials, OAuth tokens, session cookies.
  • Functionality: Secure login, ability to sync and send mail.
  • Reputation: Privacy-first branding.
  • Availability: Reliable authentication, minimal lockouts.

5. Threats

Component / FlowSpoofingTamperingRepudiationInformation DisclosureDoSElevation of Privilege
OAuth2 LoginFake OAuth page via phishingRedirect URI manipulationUser denies consentTokens leaked in logs/URLsProvider rate limitsExcessive scopes
Password AuthMITM server spoofModify TLS sessionUser denies failed loginCredentials in memory/backupsBrute-force lockoutsUse of admin roles
IMAP/SMTP TLSSpoofed certificatesDowngrade attackβ€”Metadata leakageConnection exhaustionProtocol quirks abused
Local StorageMalicious app pretends to be ThunderbirdDB/file tamperingUser denies local actionBackups/cache leaksStorage exhaustionSandbox escape
KeystoreFake app tries to access aliasMisuse of keyβ€”Key extraction on rooted devicesKeystore unavailableHardware bypass

6. Mitigations

Threat IdentifiedProposed Mitigation
Fake OAuth loginSystem browser (Custom Tabs/ASWebAuthSession); claimed HTTPS redirect URIs; PKCE; validate state/nonce
Redirect tamperingStrict URI validation; reject mismatches
Excessive scopesScope minimization; permission reviews
MITM on password loginTLS 1.2+ (prefer 1.3); strict hostname verification; pin known providers
Credential leakageKeystore/Keychain storage; redact logs; disable backups; zeroize memory; protect screenshots
TLS downgradePrefer implicit TLS; reject weak suites; enforce hostname checks
DB tamperingEncrypt per-account DB; integrity seals
Backup/cache leaksInternal storage only; opt-out backups; FileProvider URIs
Keystore misuseUse StrongBox/TEE; require user auth for sensitive ops; handle key invalidation

7. Risk Ranking

  • High: Credential theft, token leakage, MITM, TLS downgrade.
  • Medium: Brute-force lockouts, storage exhaustion.
  • Low: Repudiation of login attempts.

πŸ”” Example 2: Push Notifications

1. Project Overview

  • Project Name: Thunderbird for Android/iOS – Push Notifications
  • Description: Handling push notifications via FCM (Android) or APNs (iOS) to wake the app for secure fetch.
  • Key Features: Receive push, show notifications, fetch mail securely.

2. Scope

  • Push notification handling (end-to-end from server push to user notification).

3. System Diagram

mermaid
flowchart TB
  USER[User] --> APP[Thunderbird App]
  ATTACKER[Attacker] -.-> APP

  subgraph Device
    APP --> NOTIF_HANDLER[Notification Handler]
    NOTIF_HANDLER --> FETCHER[Secure Fetcher]
    FETCHER --> DB[(Encrypted Local DB)]
  end

  subgraph External
    FCM[(FCM - Android)]
    APNS[(APNs - iOS)]
    MAIL[(Mail Server IMAP/SMTP)]
  end

  FCM --> NOTIF_HANDLER
  APNS --> NOTIF_HANDLER
  NOTIF_HANDLER -->|TLS fetch| MAIL

4. Assets

  • Data: Notification payloads, message IDs, device tokens.
  • Functionality: Timely, trustworthy notifications.
  • Reputation: No privacy leaks in lock-screen banners.
  • Availability: Notifications work without spam or battery drain.

5. Threats

Component / FlowSpoofingTamperingRepudiationInformation DisclosureDoSElevation of Privilege
Push Channel (FCM/APNs)Fake/local notificationPayload alteredUser disputes receiptPayload leaks sender/subjectNotification floodMalicious PendingIntent abuse
Post-Push FetchMITM fetch requestInject mailbox updatesβ€”Token leakage in logsRetry stormsFetcher over-privileged
Notification UIβ€”Modify notification actionβ€”Lockscreen preview leaksNotification spam wakes devicePrivileged screen opened

6. Mitigations

Threat IdentifiedProposed Mitigation
Fake/local notificationOnly accept OS push channels; verify channel IDs
Payload tamperingOpaque IDs in payloads; fetch details securely
Metadata leakageRedact payloads; fetch details after wake; redact lock-screen previews by default
Notification spamRate limits; quotas; quiet hours; batching
PendingIntent abuseUse FLAG_IMMUTABLE; explicit component targets
MITM fetchTLS 1.3; strict cert validation; pinning
Token leakage in logsRedact tokens/headers; structured logging
Notification action abuseRequire unlock/biometric for sensitive actions

7. Risk Ranking

  • High: Metadata leaks in push payloads, MITM on fetch, PendingIntent abuse.
  • Medium: Notification spam floods, retry storms.
  • Low: Repudiation of notification receipt.