Bug 1929478 Comment 0 Edit History


User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

Steps to reproduce:

In the gecko-dev repo, mobile/android/geckoview/src/main/java/org/mozilla/gecko/mozglue/GeckoLoader.java contains the getLibraryBase() function.
Below is the current getLibraryBase() implementation.
```java
  private static String getLibraryBase() {
    final String mozglue = getLibraryPath("mozglue");
    final int lastSlash = mozglue.lastIndexOf('/');
    if (lastSlash < 0) {
      throw new IllegalStateException("Invalid library path for libmozglue.so: " + mozglue);
    }
    final String base = mozglue.substring(0, lastSlash);
    Log.i(LOGTAG, "Library base=" + base);
    return base;
  }
```
The getLibraryBase() function is invoked when loading "libmozglue.so", and if the program finds a proper "libmozglue.so" path, it logs the library base path via logcat.

The actual leaked library path is as follows:
[GeckoLoader] : Library base=/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/lib/arm64

Actual results:

An attacker can read the encrypted library path and access the application installation path.

1. Log Info Disclosure

Log Info Disclosure is a type of vulnerability where apps print sensitive data into the device log.
As mentioned in the [official privacy-and-security document](https://developer.android.com/privacy-and-security/risks/log-info-disclosure), logging sensitive information to `logcat` is dangerous. Although reading another application's logcat output needs the `READ_LOGS` permission, which can be granted to privileged system apps, Android supports an incredibly diverse set of devices whose pre-loaded applications sometimes declare the `READ_LOGS` privilege and can therefore read other applications' logcat output. So logcat should contain only general information that other apps can access without any additional permission.

2. File name encryption leak

Android 7.0 and higher supports file-based encryption (FBE) (https://source.android.com/docs/security/features/encryption/file-based). FBE covers not only file content encryption but also file name encryption. For example, AOSP encrypts file names with AES-256 in CBC-CTS mode.

By using file name encryption, Android can prevent an application from accessing other applications' data. More precisely, even if malware knows the current device has the Firefox application, the malware cannot access the Firefox installation path because of file name encryption. Without file name encryption, because all applications except system applications are stored under the /data/app path, and the Firefox package name is org.mozilla.firefox, malware could guess the app installation path and access it. But with a file-name-encrypted path like "/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/", an attacker cannot guess the app installation path and cannot access it.


Expected results:

1. Set the logging level to "DEBUG" mode
The library base path leaked by the function above is information that is only needed during debugging.
But getLibraryBase() uses the Log.i logging function, which logs even in release mode.
The best option is to create a wrapper logging function that controls the logging level.
For example, androidx implements a wrapper logging function and sets the logging level according to the current application status.
The second option is to use the Log.d function instead of Log.i.
The Log.d function is optimized out when ProGuard or R8 is used, so Log.d information doesn't leak in release mode.
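One way to implement the wrapper-logger option described above, as an added example that is not GeckoView's own code: it assumes an Android Gradle build that generates `BuildConfig.DEBUG` in the same package, and the `LOGTAG` value and the `libmozglue.so` path are taken from the log line in this report rather than from `GeckoLoader`'s own `getLibraryPath()`.

```java
import android.util.Log;

// Added example, not GeckoView's own code: a wrapper that keeps debug-level
// output out of release builds. BuildConfig.DEBUG is generated by the Android
// Gradle plugin and is false for release build types (assumed build setup).
final class GeckoLog {
  private static final boolean DEBUG_BUILD = BuildConfig.DEBUG;

  private GeckoLog() {}

  // Internal detail such as filesystem paths goes through d(), so it is only
  // written to logcat when the build is a debug build.
  static void d(final String tag, final String msg) {
    if (DEBUG_BUILD) {
      Log.d(tag, msg);
    }
  }

  // Warnings stay in every build; callers must keep paths and other
  // identifiers out of them because any READ_LOGS holder can read them.
  static void w(final String tag, final String msg) {
    Log.w(tag, msg);
  }
}

// How the loader would use the wrapper. The base path is derived exactly as in
// the reported getLibraryBase(); only the logging call changes. The path is
// taken as a parameter here instead of calling GeckoLoader's getLibraryPath().
final class LoaderExample {
  private static final String LOGTAG = "GeckoLoader"; // assumed, as in the log line above

  static String libraryBase(final String mozgluePath) {
    final int lastSlash = mozgluePath.lastIndexOf('/');
    if (lastSlash < 0) {
      throw new IllegalStateException("Invalid library path for libmozglue.so: " + mozgluePath);
    }
    final String base = mozgluePath.substring(0, lastSlash);
    // Release builds never reach Log.d here, so the install directory stays out of logcat.
    GeckoLog.d(LOGTAG, "Library base=" + base);
    return base;
  }
}

// If the second option (plain Log.d) is chosen instead, R8/ProGuard only strips
// the calls when the build's rules declare them side-effect free, e.g.:
//   -assumenosideeffects class android.util.Log { public static int d(...); }
```

With a release build, `LoaderExample.libraryBase("/data/app/~~qkAeVJGOlZ0Apq_PpQdTIg==/org.mozilla.firefox-8PIGPChA_OTpafn560fZwQ==/lib/arm64/libmozglue.so")` still returns the `.../lib/arm64` base, but nothing is written to logcat.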