1083789 - SMS involves inherent security risks

Status: RESOLVED WONTFIX

(Firefox OS Graveyard :: Gaia, defect)

Description

[Wilfred Mathanaraj [:WDM]]

Impact: SMS is cleartext, to so the location feature involves transmitting the users location in cleartext over the SMS network. 

Fix: Without prior authentication there isn’t much we can do to protect geolocation data

Comment 1

[marta]

True, Sure but thats the risk a user would take in order to localize the phone. 

If we really need to be that protective we can add a warning while turning the feature on. However, I believe that then we should set the same warnings in the SMS app - saying that anyone can intercept your discussions. 

And its not users location that it is transmitted but his phone. So actually apart from the moment when he finally finds it - there is little risk here that I see.

Comment 2

[Wilfred Mathanaraj [:WDM]]

paul/frederik - do you find this is acceptable for us? I think there is a valid logic in Marta's description above.

Comment 3

[Frederik Braun [:freddy]]

It's just a shame that we have a pre-shared password that could be used as a cryptographic key, but can't make any use of it (it would require support in the phone that you are borrowing from a friend to locate your device).

So I guess this is WONTFIX, unless Paul disagrees.

Comment 4

[Wilfred Mathanaraj [:WDM]]

lets get paul's confirmation when he is back on earth in 10 hours in Sydney

Comment 5

[Paul Theriault [:pauljt] (no longer reading bugmail)]

(In reply to marta from comment #1)
> True, Sure but thats the risk a user would take in order to localize the
> phone. 
> 
> If we really need to be that protective we can add a warning while turning
> the feature on. However, I believe that then we should set the same warnings
> in the SMS app - saying that anyone can intercept your discussions. 
> 
> And its not users location that it is transmitted but his phone. So actually
> apart from the moment when he finally finds it - there is little risk here
> that I see.

Maybe warning is a little strong - some explanation on what the difference is between FindMyDevice might be good though? I'll think about it on the plane.

Comment 6

[Paul Theriault [:pauljt] (no longer reading bugmail)]

(In reply to Paul Theriault [:pauljt] from comment #5)
> (In reply to marta from comment #1)
> > True, Sure but thats the risk a user would take in order to localize the
> > phone. 
> > 
> > If we really need to be that protective we can add a warning while turning
> > the feature on. However, I believe that then we should set the same warnings
> > in the SMS app - saying that anyone can intercept your discussions. 
> > 
> > And its not users location that it is transmitted but his phone. So actually
> > apart from the moment when he finally finds it - there is little risk here
> > that I see.
> 
> Maybe warning is a little strong - some explanation on what the difference
> is between FindMyDevice might be good though? I'll think about it on the
> plane.

No revelations I'm afraid - that's about all i can suggest.

Comment 7

[marta]

How would we explain? It has a different name, exactly for that reason - it is Remote Privacy Protection. And also - still I don't see the exact security risk. We assume that the user is detached from his phone, when he requests to locate it

Comment 8

[Paul Theriault [:pauljt] (no longer reading bugmail)]

(In reply to marta from comment #7)
> How would we explain? It has a different name, exactly for that reason - it
> is Remote Privacy Protection. And also - still I don't see the exact
> security risk. We assume that the user is detached from his phone, when he
> requests to locate it

Assuming that it is the user using the feature. The point is, FMD is a more secure solution. Personally its not clear to me why we are implementing a less secure feature, but that aside, should we not at least inform the user about the security trade offs that they are making when choosing to find their phone via SMS  vs finding their phone via FMD ? Maybe we just need a page in the guided tour to explain the two features, and why you might use one over the other?

Comment 9

[marta]

Can we get some kind of conclusion here? I feel like we are not going anywhere, and we would like to proceed with the development. 
Paul, Wilfred please tell us what to do - we are perfectly open to everything but we need a final decision.

Comment 10

[Paul Theriault [:pauljt] (no longer reading bugmail)]

What do you think about what I suggest in comment 7?

To me, the issue is clear: we have two different features, both which perform the same function. One of these features use secure communication channels but requires a Firefox account. The other doesn't need an account, but has security trade offs. If we are going to have both in the product I think we need to at least alert users to the difference, and explain why you would use one over the other, as I said in comment 7.

Maybe this is basically the same bug as 1083789, but that bug has been marked as wontfix.

Comment 11

[marta]

We are having timing problems to add anything into the GT - this requires hiring an illustrator and so on. Will discuss it later with the UI team. Most happily would move it under the PPv2.0 bug that is 1088565. Would that be acceptable?

Comment 12

[Wilfred Mathanaraj [:WDM]]

We did have an extensive review here from the UX team and we involved the FDM UX team to provide feedback - the feature as such I still feel is acceptable, given our agreements, to exist in PP v1.0 in parallel without any further warnings.

We can think of better ways to inform users between the different solutions. Paul could you live with this coming in next revision of Privacy Panel?

Comment 13

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Yeh sure - as with all the of the bugs that I raised (apart from the SMS-costing-money one), they were all intended as feedback to inform the next revision.

Comment 14

[Martin Shuman [:Marty]]

Adding privacy keyword.

Comment 15

[BMO Automation]

Firefox OS is not being worked on