Closed Bug 1099419 Opened 10 years ago Closed 10 years ago

[Lockscreen][Camera] App permission screen stays after locking and unlocking device

Categories

(Firefox OS Graveyard :: Gaia::System::Window Mgmt, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::System::Window Mgmt
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(blocking-b2g:2.1+, b2g-v2.0 unaffected, b2g-v2.1 verified, b2g-v2.2 verified)

Status:
VERIFIED FIXED
Milestone:
2.2 S4 (23jan)
Project Flags:
blocking-b2g 2.1+
Tracking Flags:
Tracking Status
b2g-v2.0 --- unaffected
b2g-v2.1 --- verified
b2g-v2.2 --- verified

People

(Reporter: ychung, Assigned: gweng)

References

(
URL
)

Details

(Whiteboard: [2.1-exploratory-3])

Attachments

(5 files)

logcat_20141114_Overlay.txt
324.67 KB, text/plain
Details
Patch v2.1
46 bytes, text/x-github-pull-request
alive
: review+
bajaj
: approval-gaia-v2.1+
Details | Review
Patch v2.1 rev2
46 bytes, text/x-github-pull-request
Details | Review
Patch
46 bytes, text/x-github-pull-request
Details | Review
Verify video: verify video.mp4
6.65 MB, video/mp4
Details
Description: When the user locks the screen from App Permission overlay on Camera and unlocks the device, the overlay is still displayed. Repro Steps: 1) Update a Flame device to BuildID: 20141114001204 2) Go to Settings > Screen Lock > enable Lock Screen and Passcode Lock. 3) Restart the device. 4) On the lockscreen, swipe left to the camera icon. 5) When App Permission overlay is displayed, lock the device by pressing power button. 6) Unlock the device. Actual: App Permission overlay is displayed. Expected: Lockscreen is displayed. Environmental Variables: Device: Flame 2.1 (319mb, KK, Shallow Flash) BuildID: 20141114001204 Gaia: af6533781356acc62b0f40c9e040aa5b47d3b709 Gecko: 551326425826 Version: 34.0 (2.1) Firmware: V188-1 User Agent: Mozilla/5.0 (Mobile; rv:34.0) Gecko/34.0 Firefox/34.0 Repro frequency: 100% See attached: logcat, video http://youtu.be/t4u-tqSloIY
This issue also reproduces on Flame 2.2. Result: App Permission overlay does not get dismissed by locking and unlocking the device. Device: Flame 2.2 (319mb, KK, Shallow Flash) BuildID: 20141114040205 Gaia: 1e300eac2e56d98ad51d414766d031db7d33221f Gecko: bbb68df450c2 Version: 36.0a1 (2.2) Firmware Version: v188-1 User Agent: Mozilla/5.0 (Mobile; rv:36.0) Gecko/36.0 Firefox/36.0 ================================================== This issue does NOT reproduce on Flame 2.0. Result: App Permission overlay gets dismissed by locking and unlocking the device. Device: Flame 2.0 (319mb, KK, Shallow Flash) BuildID: 20141114040205 Gaia: 1e300eac2e56d98ad51d414766d031db7d33221f Gecko: bbb68df450c2 Version: 36.0a1 (2.2) Firmware Version: v188-1 User Agent: Mozilla/5.0 (Mobile; rv:36.0) Gecko/36.0 Firefox/36.0
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(dharris)
[Blocking Requested - why for this release]: Nominating this to block 2.1. This is poor user flow. The user should always be able to view the lockscreen and unlock the phone, after waking the screen up.
blocking-b2g: --- → 2.1?
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(dharris)
Keywords: regressionwindow-wanted
QA Contact: pcheng
Unable to obtain a window because for over a month the device wouldn't prompt user for app permission following the STR, and after this behavior the next change is reproducing this bug 1099419. We don't really have a 'working/no repro' state here so a window is not possible.
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(jmitchell)
Keywords: regressionwindow-wanted
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(jmitchell)
QA Contact: pcheng
[Blocking Requested - why for this release]: John, can you help with this one , i tend to block on it as we are compromising user security here. Not sure if you need any UX input (feel free to NI ROB if so)
blocking-b2g: 2.1? → 2.0?
Flags: needinfo?(im)
Oh~~~ We have 3 John in Taipei. You are finding LockScreen/Keyboard John who is not me. He is John Lu.
Flags: needinfo?(im) → needinfo?(jlu)
Hi Greg, I guess it's your call here. Feel free to ping me if you need any assistance :)
Flags: needinfo?(jlu) → needinfo?(gweng)
As Comment 4, NI Rob to make sure the expected result is what UX want. Also, whether the first prompt should be banned, too? I've heard that if in LockScreen with passcode, the dialog should not prompt (which means accept the default setting silently).
Flags: needinfo?(gweng) → needinfo?(rob.a.mcdonald)
Setting blocking flag per comment 4. I believe nominating for 2.0 was an accident here.
blocking-b2g: 2.0? → 2.1+
Whiteboard: [2.1-exploratory-3][systemsfe] → [2.1-exploratory-3]
Fixing ni? flag :)
Flags: needinfo?(rob.a.mcdonald) → needinfo?(rmacdonald)
(In reply to Yeojin Chung [:YeojinC] from comment #0) > Description: > When the user locks the screen from App Permission overlay on Camera and > unlocks the device, the overlay is still displayed. > > Expected: > Lockscreen is displayed. Thanks for catching this one. Definitely a blocking issue as Bhavana pointed out. The lock screen should be displayed. Once the phone is unlocked, the prompt would then be in the foreground. (In reply to Greg Weng [:snowmantw][:gweng][:λ] from comment #7) > As Comment 4, NI Rob to make sure the expected result is what UX want. Also, > whether the first prompt should be banned, too? I've heard that if in > LockScreen with passcode, the dialog should not prompt (which means accept > the default setting silently). Greg - I talked with Tiffanie (Camera UX owner) about this. We propose removing the "Remember my choice" option from the dialog if a passcode is enabled and the user is accessing the camera directly from the lock screen slider. We want to avoid the scenario where someone who is not the owner of the phone inadvertently accepts a permission on behalf of the phone owner. This would apply if the user has not checked the "Remember my choice" previously. If this isn't feasible in the 2.1 timeframe we're open to discussing alternative solutions. I've NI'd Tif on this bug as an FYI. Please flag her and myself (robmac) if you have any questions. Thanks! Rob
Flags: needinfo?(rmacdonald) → needinfo?(tshakespeare)
(In reply to Rob MacDonald [:robmac] from comment #10) > Greg - I talked with Tiffanie (Camera UX owner) about this. We propose > removing the "Remember my choice" option from the dialog if a passcode is > enabled and the user is accessing the camera directly from the lock screen > slider. We want to avoid the scenario where someone who is not the owner of > the phone inadvertently accepts a permission on behalf of the phone owner. > This would apply if the user has not checked the "Remember my choice" > previously. If this isn't feasible in the 2.1 timeframe we're open to > discussing alternative solutions. That would couple the permission dialog with lock state -- I would not say it's not doable but it poses significant risk.
Hi Rob, the UX proposal is risky to do at this point, do you have any other suggestion? thanks.
Flags: needinfo?(rmacdonald)
Hi Tiffanie , can you provide feedback on this one? thank you.
Could we disable the remember check box so it can't be checked?
Flags: needinfo?(tshakespeare)
Hi Tiffanie: That probably isn't a proper change for v2.1 (to remove the checkbox in such case). What we proposed is, on LockScreen to hide the dialog when screen is off (by pressing power button). So the flow would be: 0. Set passcode for LockScreen 1. User locks the device 2. Slide to left to invoke secure camera 3. The secure camera shows 4. The dialog prompts 5. Turn the screen off 6. Turn the screen on: the dialog should disappear --> the change we want to make May you confirm this is what UX want? Or you have any other opinions?
Flags: needinfo?(tshakespeare)
I think the concern with that is an evil doer (since a passcode isn't needed) would be able to flip the "always remember" toggle to always record the location. This is why Rob and I are asking about removing the toggle or disabling it. Is there anything we can do that prevents this security hole?
Flags: needinfo?(tshakespeare)
Clearing Rob's NI - he's out for the next few weeks.
Flags: needinfo?(rmacdonald)
Blocks: 1118172
NI myself for reminding a v2.1 fix.
Flags: needinfo?(gweng)
The v2.2 bug is Bug 1118172
Flags: needinfo?(gweng)
Attached file Patch v2.1
Fixed: I patched it to hide the prompt when screen is off. In my manual test, this works as expected.
Attachment #8544931 - Flags: review?(alive)
Comment on attachment 8544931 [details] [review] Patch v2.1 r+ if change hide to discard. Thanks.
Attachment #8544931 - Flags: review?(alive) → review+
Changed, thanks.
Waiting TBPL for new patch.
Assignee: nobody → gweng
v2.1 https://github.com/mozilla-b2g/gaia/commit/932f8276ef2306d859bd1e6c2548958c7258c685 Please follow the Bug 1118172 if there is any further discussions.
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v2.1: affectedfixed
Resolution: --- → FIXED
Wait... I forgot to submit approval again (sorry). Because this bug is originally a 2.2 bug...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I now back it out.
Comment on attachment 8544931 [details] [review] Patch v2.1 [Approval Request Comment] [Bug caused by] (feature/regressing bug #): Dialog prompt over LockScreen and doesn't dismiss [User impact] if declined: No UX fix [Testing completed]: https://treeherder.mozilla.org/ui/#/jobs?repo=gaia-try&revision=cac7d09d7668 [Risk to taking this patch] (and alternatives if risky):No [String changes made]: No
Attachment #8544931 - Flags: approval-gaia-v2.1?(bbajaj)
The new PR is here: https://github.com/mozilla-b2g/gaia/pull/27223 The same patch. So I don't make another attachment to prevent getting confused.
Attachment #8544931 - Flags: approval-gaia-v2.1?(bbajaj) → approval-gaia-v2.1+
Keywords: verifyme
It failed with a intermittent error. I now re-trigger it and waiting for landing. And I would land a same 2.2 bug to hide the window at the branch, too. Keep NI to remind me.
status-b2g-v2.1: fixedaffected
Flags: needinfo?(gweng)
Attached file Patch v2.1 rev2
The v2.1 patch got approval after I reverted it.
Flags: needinfo?(gweng)
Attached file Patch
For master.
master: https://github.com/mozilla-b2g/gaia/commit/737ef4d7a8494bc6ece4bc3f37b4de977f01333c
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S4 (23jan)
This issue has been verified successfully on Flame2.1&2.2 Verify video:"verify video.mp4". Flame 2.1 Gaia-Rev 1975241ac29f723479e6c60b2bf74ebed54da91a Gecko-Rev https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/0863fe4b75c3 Build-ID 20150112001215 Version 34.0 Device-Name flame FW-Release 4.4.2 FW-Incremental eng.cltbld.20150112.035023 FW-Date Mon Jan 12 03:50:34 EST 2015 Bootloader L1TC000118D0 Flame 2.2 Gaia-Rev 7c5b27cad370db377b18a742d3f3fdb0070e899f Gecko-Rev https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/2c37b89bdd86 Build-ID 20150112153951 Version 37.0a2 Device-Name flame FW-Release 4.4.2 FW-Incremental eng.cltbld.20150112.194842 FW-Date Mon Jan 12 19:48:52 EST 2015 Bootloader L1TC000118D0
Status: RESOLVED → VERIFIED
status-b2g-v2.1: fixedverified
status-b2g-v2.2: fixedverified
Keywords: regression, verifyme
(In reply to Tiffanie Shakespeare from comment #16) > I think the concern with that is an evil doer (since a passcode isn't > needed) would be able to flip the "always remember" toggle to always record > the location. This is why Rob and I are asking about removing the toggle or > disabling it. > > Is there anything we can do that prevents this security hole? I don't like removing the toggle here: - hiding the "remember me" on special occasions is surprising to the user, and violates the standard pattern - actually hiding remember me doesn't do all that much - when you grant permission, the permission is persisted until the device is reset, so even without this the "attack" is still possible - What is the actual "attack" scenario here? An attacker with access to your locked phone can change the permission setting of geolocation from "ask" to "grant". How can the attacker actually benefit from this? They would need to coerce the user into sending them a photo, and we already do things like strip exif location when responding to web activity pick requests in the gallery. To actually improve the current situation, I think the solution is providing better indication to the user when a photo has a location embedded. For example, we could show the geolocation information in the gallery when, when the user clicks on the "information" button. We could even provide a button to "strip location data from photo". What do you think? Shall I raise a seperate bug for this?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: