telenordigital / connect-android-sdk

Android SDK for CONNECT ID
https://telenordigital.github.io/id-docs.telenordigital.com/

Parsing of pin from sms doesn't work on branded SMS's #15

Closed jorunfa closed 8 years ago

jorunfa commented 8 years ago

Also: Only listening to SMS's sent from Telenor.

Digi, for example, sends SMSs from +47580000351307, and other BUs might have other sender names.

jorunfa commented 8 years ago

This issue is still under discussion.

jorunfa commented 8 years ago

The algorithm for parsing the pin from sms will work as follows:

Security concerns

Since it's possible to leave the login pages (the about pages can take you to potentially anywhere), where attackers could potentially abuse the SMS privileges to read any SMS matching the template, a security measure should be added.

The suggested measure is to only read instructions on pages using https under the telenordigital.com domain.

If the attacker still successfully spoofs or eavesdrops on the https webpage, then that person will be able to steal the user's pin code, along with other credentials, and thus imitate or steal the user. However, if the attacker is able to do this, then that person would potentially be able to steal the user's password, if that is used, without needing the pin anyway.

Relevant: https://en.wikipedia.org/wiki/Transport_Layer_Security#Dealing_with_man-in-the-middle_attacks

jorunfa commented 8 years ago

Tests needed, security

  1. When a telenordigital.com web page loads, but isn't using https, potential instructions are ignored.
  2. When a https web page loads, but the domain isn't telenordigital.com or a sub domain, potential instructions are ignored.
  3. When a https://[*.]telenordigital.com page is loaded, instructions are checked for and potentially executed.

Tests needed, pin parsing

  1. Handle all of today's already existing template tests, with the new algorithm.
    1. Capture: $pin is your verification code for CONNECT
    2. Your verification code is $pin - Connect by Telenor Digital
    3. Thai and other languages work.
  2. Prefixed SMS's work: https://goo.gl/hhM2Xw
  3. SMS's not containing CONNECT are ignored.
  4. SMS's not containing 4-digit numeric PIN with spaces on each side are ignored.
  5. SMS's containing a 4-digit PIN and CONNECT call the callback JS function with the found PIN as the argument.
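The two test lists above can be turned into a small reference implementation. The following is an added example in Python, not the SDK's own Java code; the function names, the constructed sample messages and the rule that a message with more than one stand-alone 4-digit number is ignored are assumptions made here, not something the issue specifies.

```python
import re
from urllib.parse import urlsplit

# Only https pages on this domain or its subdomains may ask the SDK to read SMS (tests 1-3, security).
TRUSTED_DOMAIN = "telenordigital.com"

# Exactly four ASCII digits with whitespace (or the message edge) on both sides (test 4, pin parsing).
# [0-9] is used instead of \d so that Thai or other Unicode digits are not mistaken for a PIN.
PIN_RE = re.compile(r"(?<!\S)([0-9]{4})(?!\S)")

# Constructed sample messages covering the template tests; the Thai line is a constructed translation.
SAMPLE_SMS = {
    "capture": "1234 is your verification code for CONNECT",
    "telenor_digital": "Your verification code is 5678 - Connect by Telenor Digital",
    "thai": "\u0e23\u0e2b\u0e31\u0e2a\u0e22\u0e37\u0e19\u0e22\u0e31\u0e19\u0e02\u0e2d\u0e07\u0e04\u0e38\u0e13 3456 - Connect by Telenor Digital",
    "prefixed": "[Digi] 9012 is your verification code for CONNECT",
    "no_connect": "Your verification code is 1111 - Some Other Service",
    "no_spaces": "Code:2222 is your verification code for CONNECT",
    "five_digits": "12345 is your verification code for CONNECT",
}


def page_may_read_sms(url):
    """Return True only for https URLs whose host is telenordigital.com or a subdomain of it.
    urlsplit().hostname strips any user@ part, so 'https://telenordigital.com@evil.example/'
    is rejected, and the dot-prefixed suffix check rejects look-alikes such as
    'evil-telenordigital.com' and 'telenordigital.com.evil.example'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def extract_pin(sms):
    """Return the PIN as a string, or None when the message must be ignored.
    The CONNECT check is case-insensitive so that 'Connect by Telenor Digital' also matches."""
    if "connect" not in sms.lower():
        return None
    candidates = PIN_RE.findall(sms)
    if len(candidates) != 1:  # assumption: an ambiguous message is ignored rather than guessed
        return None
    return candidates[0]


def handle_incoming_sms(sms, page_url, js_callback):
    """Glue for test 5: the PIN reaches the page's JS callback only when both checks pass."""
    if not page_may_read_sms(page_url):
        return False
    pin = extract_pin(sms)
    if pin is None:
        return False
    js_callback(pin)
    return True
```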