Closed Bug 1153087 Opened 9 years ago Closed 9 years ago

External Android apps can automatically launch from Private Browsing tab, dropping any pretense of privacy

Categories

(Firefox for Android Graveyard :: General, defect)

ARM
Android
defect
Not set
normal

Tracking

(firefox40 affected, fennec+)

RESOLVED DUPLICATE of bug 1173147
Tracking Status
firefox40 --- affected
fennec + ---

People

(Reporter: dholbert, Unassigned)

References

()

Details

(Keywords: privacy)

MOTIVATION: Suppose you want to watch a YouTube video on your Android phone (which is tied to your Google account), and you don't want this to influence Google's suggestions / advertising decisions about you. Obvious solution: watch it in a Firefox "private browsing" tab...

STR:
 1. Open a Private Browsing tab.

 2. Visit https://m.youtube.com

 3. Pick some video. For example: search "justin bieber music video" and pick any result. (Do it! It's ok, it's private browsing. No one will know it's you.)

 4. Tap "Play" on the video that you picked.

ACTUAL RESULTS: Without warning, the YouTube *external app* automagically launches to play the video. It presumably knows who you are (unlike youtube-in-the-private-browsing-tab), so now YouTube/Google can tie this fun video-watching-experience back to your Google identity. Enjoy all your Justin Bieber video suggestions from now on!

EXPECTED RESULTS: Video plays in my Firefox private browsing tab. Or, if it really must launch an external app, it should prompt me before doing so. (since I haven't taken any explicit action to request an external app launch; I just tapped play on a video)
I reproduced this on my OnePlus One Android phone, using current Firefox release (37.0.1) as well as Nightly (40.0a1 2015-04-09).

In general: I'd say we shouldn't launch any 3rd-party app from Private Browsing Mode, unless the user has taken an action that *explicitly* signals an intent to do so.

Examples of actions that do *not* explicitly signal an intention to open a 3rd-party app:
 - tapping a "play" button on an embedded video

Examples of actions that *do* explicitly signal an intention to open a 3rd-party app (and hence are probably OK to proceed with, in Private Browsing Mode):
 - tapping the android-app icon in the URL bar on YouTube
 - tapping on a downloaded file to open it in whatever 3rd-party app is appropriate
 - tapping "OK" on a hypothetical dialog that might pop up from youtube videos when you click play, saying e.g. "hey you just clicked play, and we're going to open up the external YouTube app to proceed with that. Is that cool?"
Keywords: privacy
OS: Linux → Android
Hardware: x86_64 → ARM
Summary: If tap "play" on a YouTube video in Private Browsing mode, the external YouTube app is launched, dropping any pretense of privacy → If tap "play" on a YouTube video in a Private Browsing tab, the external Android YouTube app is launched, dropping any pretense of privacy
Just to have a concrete testcase, here's a sample (non-Bieber-related) video that I've used to reproduce this: https://m.youtube.com/watch?v=0UjpmT5noto

For comparison, Chrome on Android plays this video directly in the browser when you tap "play" -- no surprising 3rd-party app launch. So they don't have this problem -- you can (presumably) watch YouTube videos in Chrome "Incognito" tabs without them affecting YouTube's profile of you.
tracking-fennec: --- → ?
Karen, do we want to do a private browsing push in any upcoming release? If so, we could track that for that release.
Flags: needinfo?(krudnitski)
A good suggestion. I'll add this as a feature and look at tying it up to a privacy theme (likely later this year)
Flags: needinfo?(krudnitski)
Assignee: nobody → ally
tracking-fennec: ? → Nightly+
Assignee: ally → nobody
tracking-fennec: Nightly+ → +
NI-ing Karen here to put this on her radar.

This is essentially the same as bug 1173147. To our users, a link is a link so I think the behavior is the same. Do we still want this prompt in Private Browsing?
Flags: needinfo?(krudnitski)
This may be fixed by bug 1173147.
Blocks: fennec-pb-v2
No longer blocks: fennec-pb-v1
See Also: → 1173147
Yes, I think that should cover it. I'm a little worried that we don't have an alternative to give (ie play the video IN the browser so that the user can still watch it without having to leave PB). Once of the reasons we automatically booted the user to the app was because the mobile web experience was typically much more terrible than the mobile app. But if we have the ability to play the video / thing in the browser, that would be my ideal - give users the choice to still watch the content as intended (so that no one knows you secretly like Bieber)
Flags: needinfo?(krudnitski)
(In reply to Karen Rudnitski [:kar] from comment #7)
> Yes, I think that should cover it. I'm a little worried that we don't have
> an alternative to give (ie play the video IN the browser so that the user
> can still watch it without having to leave PB). 

I think this behaviour in PB will gradually be understood. Also, being in PB, the user has essentially agreed to having different expectations, we just have to rationalize them and explain them effectively I think. (i.e. through the dialog)

> Once of the reasons we
> automatically booted the user to the app was because the mobile web
> experience was typically much more terrible than the mobile app. 

Yeah, we could still do this in Normal mode :)
(In reply to Karen Rudnitski [:kar] from comment #7)
> Yes, I think that should cover it. I'm a little worried that we don't have
> an alternative to give (ie play the video IN the browser so that the user
> can still watch it without having to leave PB). Once of the reasons we
> automatically booted the user to the app was because the mobile web
> experience was typically much more terrible than the mobile app.

I wanted to try out the experience to see if it improved. I removed the Youtube Intent handling in GeckoAppShell.getOpenURIIntentInner [1] but then I was prompted to open the app in Video Player, rather than playing the video directly in the browser, so I think there's some platform wizardry here.

Snorp, how can I re-enable playing Youtube videos in the browser? Can you send a build to antlam?

[1]: https://mxr.mozilla.org/mozilla-central/source/mobile/android/base/GeckoAppShell.java#1275
Flags: needinfo?(snorp)
(In reply to Michael Comella (:mcomella) from comment #9)
> (In reply to Karen Rudnitski [:kar] from comment #7)
> > Yes, I think that should cover it. I'm a little worried that we don't have
> > an alternative to give (ie play the video IN the browser so that the user
> > can still watch it without having to leave PB). Once of the reasons we
> > automatically booted the user to the app was because the mobile web
> > experience was typically much more terrible than the mobile app.
> 
> I wanted to try out the experience to see if it improved. I removed the
> Youtube Intent handling in GeckoAppShell.getOpenURIIntentInner [1] but then
> I was prompted to open the app in Video Player, rather than playing the
> video directly in the browser, so I think there's some platform wizardry
> here.
> 
> Snorp, how can I re-enable playing Youtube videos in the browser? Can you
> send a build to antlam?
> 
> [1]:
> https://mxr.mozilla.org/mozilla-central/source/mobile/android/base/
> GeckoAppShell.java#1275

YouTube is not sending the player for any Firefox Mobile browser, it only sends a thumbnail with a link to open the video with their app. Mind you this is for any video in the YouTube website, not embedded videos.
(In reply to yonezpt from comment #10)
> YouTube is not sending the player for any Firefox Mobile browser, it only
> sends a thumbnail with a link to open the video with their app. Mind you
> this is for any video in the YouTube website, not embedded videos.

Seems correct and already filed: bug 1174784.
We talked about this in the funnel meeting. Let's keep this bug about prompting the user when they are about to launch another app from private browsing, and we can worry about getting Youtube videos to play correctly in another bug (and by "we" I mean snorp :)

Mike, do you want to implement that prompt in this bug? I feel like that's the most important step towards giving the user control of their privacy here.
Flags: needinfo?(snorp) → needinfo?(michael.l.comella)
Summary: If tap "play" on a YouTube video in a Private Browsing tab, the external Android YouTube app is launched, dropping any pretense of privacy → External Android apps can automatically launch from Private Browsing tab, dropping any pretense of privacy
(In reply to :Margaret Leibovic from comment #12)
> Mike, do you want to implement that prompt in this bug? I feel like that's
> the most important step towards giving the user control of their privacy
> here.

That's bug 1173147 – I'm going to dupe it.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(michael.l.comella)
Resolution: --- → DUPLICATE
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.