Open Bug 1034411 Opened 10 years ago Updated 2 years ago

Lock down WiFi debugging to only external interface

Categories: DevTools :: about:debugging, defect, P3
Tracking: Not tracked
People: Reporter: jryans, Unassigned
References: Blocks 2 open bugs
Attachments: 1 obsolete file

To prevent apps from connecting to the debug server, we should lock down the WiFi debug socket to only allow connections over the WiFi interface and block any from local / lo0.
Oops, wrong bug.
Assignee: jryans → nobody
Status: ASSIGNED → NEW
Attachment #8452561 - Attachment is obsolete: true
Attachment #8452561 - Flags: review?(paul)
Component: Developer Tools: WebIDE → Developer Tools: about:debugging
About:debugging bug triage. Filter on TRIAGE-JD201705

Temporarily setting P3 to bugs migrated from webide to clean up the triage for about:debugging.
Priority: -- → P3
Considering the current thread about wifi authentication protocol and potential vulnerabilities for the debugger (i.e. the client), I am not sure about this bug. What are the apps mentioned here in the summary? ffos apps or applications/processes other than Firefox?
Flags: needinfo?(jryans)
This bug is about adding some mechanism to restrict the WiFi debugging socket opened on the server side (Android phones, etc.) so that it only listens on the WiFi network interface.

When this bug was filed, we mainly had Firefox OS in mind.  We were worried that random apps on the phone might have the ability to connect to the server socket over the local interface, which would imply breaking any sense of per-app isolation on the device, since an evil app could then steal any data on the phone.

It appears that a similar concern may still apply with Firefox for Android.  "Some applications use localhost network ports for handling sensitive IPC. You should not use this approach because these interfaces are accessible by other applications on the device."[1]  My knowledge of Android sandboxing is limited, but this guidance suggests to me that the current WiFi debugging socket setup may allow a malicious attacking Android app to connect to the server socket over a local interface.

However, such malicious apps would still trigger authentication prompts and such, so it's not as if they would silently get access to data.  For an informed user, they would most likely only be an annoyance that they would then block using the connection prompt in Firefox for Android.  So I would say the overall risk here is low.

This bug then is mostly about defense in depth: since there's no functional need to allow access over the local interface for WiFi debugging, we should block it.

To achieve the desired goal here, we would need to:

1. Add some way to restrict a server socket opened via `initSpecialConnection`[2] to only listen on the WiFi interface
  * Currently there is a "local interface only" mode, but here we want sort of the opposite, a "WiFi interface only" mode
2. The steps to open the server socket for WiFi on phones[3] should use this new mode
  * Looks like WiFi debugging isn't listed currently in the GeckoView version[4] (maybe since it currently requires a QR code reader)

[1]: https://developer.android.com/training/articles/security-tips#Networking
[2]: https://searchfox.org/mozilla-central/rev/8affe6e83188787eb61fe0528eeb6eef6081ba06/devtools/shared/security/socket.js#438
[3]: https://searchfox.org/mozilla-central/rev/8affe6e83188787eb61fe0528eeb6eef6081ba06/mobile/android/chrome/content/RemoteDebugger.js#342
[4]: https://searchfox.org/mozilla-central/source/mobile/android/modules/geckoview/GeckoViewRemoteDebugger.jsm
Flags: needinfo?(jryans)
Product: Firefox → DevTools
Severity: normal → S3