1431329 - Omit Fennec Media playback Notification when viewed in private browsing mode

Status: VERIFIED FIXED

(Firefox for Android Graveyard :: General, enhancement, P1)

Description

[Frederik Braun [:freddy]]

Showing a notification containing stuff in private browsing mode makes it leak into the operating system. Custom android launcher as well as other software providing a backlog of notifications would allow unearthing parts of private browsing sessions.

Background is an article about this happening for Chrome, but it's true for Fennec as well:
https://www.androidpit.com/chrome-incognito-mode-not-as-private-as-you-think 

Focus is not affected, as it does not show any content-related notifications.

Rating this as sec-low, as it requires a local attacker. It's common and easily done to protect a phone from unauthorized physical access.

Comment 1

[Kevin Brosnan [Ex-Mozilla]]

Does this need to be behind a sec flag? Visibility might make this easier to fix.

Comment 2

[Frederik Braun [:freddy]]

You're right. This is public information.

Comment 3

[Michael Comella (:mcomella) [NI reported issues only: ex-Mozilla]]

[triage] Potentially critical - leaking private browsing information to the OS through notifications, which gets stored in a notification log on the device that users can access.

Susheel, what do you think? fwiw, I recommend reading the article for full details on impact.

Comment 4

[:sdaswani]

Up to Andreas.

Comment 5

[Andreas Bovens [:abovens]]

Sorry for the delayed reply.

This is probably something we should target for an upcoming release. 61, 62?

Comment 6

[Andrei Lazar]

Attachment: Bug 1431329 - If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification.

Review commit: https://reviewboard.mozilla.org/r/236018/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/236018/

Comment 7

[Michael Comella (:mcomella) [NI reported issues only: ex-Mozilla]]

Comment on attachment 8967315 [details]
Bug 1431329 - If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification.

https://reviewboard.mozilla.org/r/236018/#review241950

This appears to do the trick: `updateNotification` is only called from `onStateChanged` so if we return on private tabs before `updateNotification` is called, we'll never display a notification in private browsing mode.

Note that there's dead code in `updateNotification`: https://searchfox.org/mozilla-central/rev/4114ad2cfcbc511705c7865a4a34741812f9a2a9/mobile/android/base/java/org/mozilla/gecko/media/MediaControlService.java#370 And I probably would also throw in an assertion in `updateNotification` to ensure we're never getting a private tab. However, I don't think it's worth anyone's time to implement, re-review, etc. :)

We're also logcatting that the media player is running https://searchfox.org/mozilla-central/rev/4114ad2cfcbc511705c7865a4a34741812f9a2a9/mobile/android/base/java/org/mozilla/gecko/media/MediaControlService.java#336 but we're not including URLs and logcat is mostly secure so I'm not too concerned about that.

Comment 8

[Pulsebot]

Pushed by michael.l.comella@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6ea3c1db0060
If the tab in which the media player is running is in private browsing mode then we shall not display media playback notification. r=mcomella

Comment 9

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/6ea3c1db0060

Comment 11

[Levente Sacal]

Verified as fixed in Beta 61.0b15. Have watched a video on youtube and vimeo in private browsing mode and no media playback notification appeared. If any further testing is needed here, please let me know. Thanks