10 Security and Content Protection Considerations
3GPP TS 26.142 Release 17: Dynamic and Interactive Multimedia Scenes (DIMS)
DIMS does not define a security framework. DIMS relies instead on the security frameworks already defined for the mechanisms DIMS uses (e.g. for ECMAScript Mobile Profile [2]), and the frameworks provided by the platforms on which DIMS runs.
When content requests fullscreen video and especially fullscreen scenes, it is possible for the content to mimic the normal look of the device (the ‘desktop’ of a computer screen, for example) and persuade the user to enter potentially secure or private information into a presentation while thinking that they are interacting with the local system. This is sometimes called "phishing". Care should be taken to handle content that uses fullscreen requests, such that the user is always aware of when DIMS content is filling the screen (e.g. restrict DIMS to "window-only" mode, or in some other way make it clear to the user that the screen’s content is rendered under DIMS control).
DIMS content can embed scripts. Care should be taken to limit the access these scripts have to the presentation in which they occur. For example, it would normally be inappropriate for these scripts to have access to the local file system outside the scope of the presentation. A further possible countermeasure would be to restrict DIMS reception to certified servers only, and to signed content only, without any means for the user to disable this strict checking, in order to mitigate social engineering attacks.
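The "certified servers only, signed content only, no user override" countermeasure above can be realised as a receiver-side admission check. The following Go program is an added example and is not part of TS 26.142 or any DIMS implementation; it assumes Ed25519 detached signatures over the scene bytes, a hostname allow-list as the notion of "certified server", and hypothetical type and function names (ContentPolicy, SignedScene, Accept). The scene bytes and key names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// ContentPolicy is a hypothetical receiver-side policy: which servers a DIMS
// client may fetch scenes from and which signing keys it trusts. It has no
// "verification off" field on purpose, mirroring the recommendation that the
// user must not be able to disable the strict checks.
type ContentPolicy struct {
	TrustedServers map[string]bool              // certified server hostnames
	TrustedSigners map[string]ed25519.PublicKey // signer identifier -> public key
}

// SignedScene is a constructed container: a scene payload plus a detached
// Ed25519 signature over exactly those payload bytes.
type SignedScene struct {
	SignerID string
	Scene    []byte
	Sig      []byte
}

var (
	ErrUntrustedServer = errors.New("content origin is not a certified server")
	ErrUnknownSigner   = errors.New("content signer is not trusted")
	ErrBadSignature    = errors.New("content signature missing or invalid")
)

// Accept returns the scene bytes only when the origin is an https URL on a
// certified host, the signer is known, and the signature verifies. Every
// failure is a hard reject; nothing downstream should render on error.
func (p ContentPolicy) Accept(origin string, s SignedScene) ([]byte, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || !p.TrustedServers[u.Hostname()] {
		return nil, ErrUntrustedServer
	}
	pub, ok := p.TrustedSigners[s.SignerID]
	if !ok {
		return nil, ErrUnknownSigner
	}
	// ed25519.Verify is constant-time and returns false for a wrong-length signature.
	if !ed25519.Verify(pub, s.Scene, s.Sig) {
		return nil, ErrBadSignature
	}
	return s.Scene, nil
}

func main() {
	// Constructed operator key pair standing in for a provisioned trust anchor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	policy := ContentPolicy{
		TrustedServers: map[string]bool{"scenes.example.net": true},
		TrustedSigners: map[string]ed25519.PublicKey{"operator-key-1": pub},
	}
	scene := []byte("<dims>constructed scene</dims>")
	signed := SignedScene{SignerID: "operator-key-1", Scene: scene, Sig: ed25519.Sign(priv, scene)}

	_, err = policy.Accept("https://scenes.example.net/promo.dims", signed)
	fmt.Println("genuine content from certified server:", err)

	tampered := signed
	tampered.Scene = []byte("<dims>modified in transit</dims>")
	_, err = policy.Accept("https://scenes.example.net/promo.dims", tampered)
	fmt.Println("tampered content:", err)

	_, err = policy.Accept("https://other.example.org/promo.dims", signed)
	fmt.Println("content from uncertified server:", err)
}
```

The checks are deliberately ordered origin first, then signer, then signature, so that a scene from an uncertified host is rejected before any cryptographic work is done; the absence of any bypass field in ContentPolicy is what makes the "no means for the user to disable" property hold.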
Authors of web sites that embed DIMS content should exercise caution when the scripts in the DIMS content are not under the control of the web site, for example when the DIMS content is fetched from another site or uploaded to the web site by users. The embedded scripts may have access to the content of, and the interaction with, the web site that embeds them, even though they were neither authored by nor provided from that web site.
Finally, it is recommended that a secure client software update service be provided, so that it is possible to close security holes in DIMS clients when they are detected.