Master Password is no longer enabled, but FxA sticks around, after clearing App Data in Android settings

Status: NEW
Assignee: Unassigned
Product: Firefox for Android
Component: Android Sync
Priority: P5
Severity: normal
Reported: 2 years ago
Modified: 10 days ago

People

(Reporter: Vladimir Jicha, Unassigned)

Tracking

Keywords: sec-moderate
Version: Firefox 45
Hardware: All
OS: Android

Firefox Tracking Flags

tracking-fennec: -

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160304114936
Firefox for Android

Steps to reproduce:

1) Connect to Firefox Sync on Android phone/tablet
2) Create a global password protection
3) Delete application data
4) Start FF again


Actual results:

Wait a few minutes and you have access to all stored passwords. They will get synchronized through the stored Android Firefox account. This makes the global password protection obsolete.


Expected results:

Firefox should ask for the login e-mail and password to Sync, if application data are deleted.
(Reporter)

Updated

2 years ago
Component: Untriaged → Sync
OS: Unspecified → Android
Hardware: Unspecified → ARM
Version: 46 Branch → 45 Branch
Comment 1

Nick, any thoughts? Are we able to remove sync when the application is removed?
Component: Sync → Android Sync
Flags: needinfo?(nalexander)
Product: Firefox → Android Background Services
Version: 45 Branch → Firefox 45
tracking-fennec: --- → ?
Comment 2

(In reply to Michael Comella (:mcomella) from comment #1)
> Nick, any thoughts? Are we able to remove sync when the application is
> removed?

First, this isn't about the application being removed -- it's about the application data directory being wiped.  Sync, and all traces of your Firefox Account, are deleted when the application is deleted.

But this is by design.  I'm open to changing the product design to make different choices, but this doesn't feel like the right choice.  On Android, Accounts and app data are not the same; Accounts can persist things that users can't wipe (without deleting the account).  It makes little sense to clear your local Gmail data and have to log in to Gmail again -- at least, to me.

This interacts with having Fennec on an SDcard, among other things.

Now, I'd like to understand what "global password protection" means.  Vladimir, do you mean you enabled Master Password?  Or something else?  That might help unlock what's going on here.
Flags: needinfo?(nalexander) → needinfo?(vladimir.jicha)
Comment 3

My understanding is master password – if you use master password, you'll be prompted for the master password each time you try to access your passwords. If you delete the application and reinstall Firefox, the master password is no longer present, but the Firefox account will sync your data (and presumably, your plain-text passwords!).

fwiw, one thought on this issue is that if a person has your mobile device and it's unlocked, it's already compromised and we're not responsible for that (e.g. they can access gmail and reset your passwords anyway).
Comment 4

(In reply to Michael Comella (:mcomella) from comment #3)
> My understanding is master password – if you use master password, you'll be
> prompted for the master password each time you try to access your passwords.
> If you delete the application and reinstall Firefox, the master password is
> no longer present, but the Firefox account will sync your data (and
> presumably, your plain-text passwords!).

This is true, but again not the case under discussion: it's about *clearing the App data*, not re-installing the App.

Master Password on Fennec isn't really usable, and Master Password and Sync is a long-running debacle.  (This is a "problem" on Desktop in just the same way.)  We should just remove Master Password from Fennec entirely.
Comment 5

If "global password protection" means master password:

The suggestion to require FxA credentials would actually be an incomplete remedy: a malicious friend could just wipe app data, trigger a sync, and give you your phone back… you'd re-enter your password (it's a fairly routine thing for apps to do), data would come back down… but MP would be disabled!

The only real way to avoid Comment 0 is to do one of two things:

* Remove the FxA when the app data is cleared. This is not Androidy, and it still leaves you without an MP if you just set up FxA again.
* Maintain MP state in the account bundle itself.

One might make a case that Sync should make an effort to preserve MP (in the Account). I don't think that's worthwhile; indeed, I would make the opposite case that Comment 0 describes exactly one process a normal user might try to get their passwords back after forgetting their MP!

So I'm inclined to WONTFIX this. If you really want to keep the app installed but get back to a clean slate, the Android platform insists that you do so by:

* Deleting any accounts associated with the app
* Clearing App Data

_or_

* Uninstalling and reinstalling the app and any other app that uses the same account type.

If you really want to protect the contents of your phone, enable a password lock and disk encryption on the device itself, keep up to date with security releases for your OS and browser, and stop messing around with MP.

Re Comment 3 and Comment 4: yes, if someone has your device, we consider you already compromised. We've proposed removing MP several times because it's so pointless, particularly on Android.
Comment 6

Richard: so we can unhide this bug? Sounds like a known and possibly documented design limitation. We may or may not want to leave the bug open as a discussion about reconsidering our design, but it doesn't sound like unhiding the bug will put people at risk of attacks.
Flags: needinfo?(rnewman)
(Reporter)

Comment 7

2 years ago
Sorry for the confusion I made. Of course by "global password protection" I meant "master password".

The fact that you disable MP by just simply wiping Firefox data makes the protection useless. If you won't fix it, it would make sense to remove it because currently users believe they are safe if they set MP but they are not.

My concern is that I have stored the password to my bank account in Firefox. I feel it is completely safe on my desktop because any transaction needs to be confirmed by SMS code. But if somebody steals my phone, they can now log in to my bank account and they would receive the SMS on the same phone. This is a very dangerous situation.

I thought I was protected by MP against this because thieves cannot get my bank account password if they steal my phone. But actually they can do it by simply wiping Firefox data. I feel this needs to be fixed somehow.

Why not ask again for the Sync password if data are wiped?
Flags: needinfo?(vladimir.jicha)
Comment 8

> Why not ask again for the Sync password if data are wiped?

This is a reasonable suggestion.  If other mainstream Android Apps (FB, Gmail, Twitter) do this, I could see following suit.

On the other hand, many people forget their password and will be frustrated to *not* get their data back after they wipe local, forget password, and then reset password -- which wipes remote.
Comment 9

It looks like there isn't anything actionable here right now, according to the comments from Richard and Nick. If this changes or is simply incorrect, please re-nom.
tracking-fennec: ? → -
Comment 10

(In reply to Daniel Veditz [:dveditz] from comment #6)
> Richard: so we can unhide this bug? Sounds like a known and possibly
> documented design limitation. We may or may not want to leave the bug open
> as a discussion about reconsidering our design, but it doesn't sound like
> unhiding the bug will put people at risk of attacks

I'm happy to un-hide this.


(In reply to Vladimir Jicha from comment #7)

> The fact that you disable MP by just simply wiping Firefox data makes the
> protection useless. If you won't fix it, it would make sense to remove it
> because currently users believe they are safe if they set MP but they are
> not.

To be clear: if you wipe data _inside Firefox_, MP sticks around. If you use Android settings to delete app data, it doesn't -- it behaves exactly like you installed Firefox fresh and logged in to the same FxA.

I think most users' understanding of how safe MP makes them is very fuzzy indeed, even on desktop; some users think of it as a PIN lock, others think of it as some kind of totem of strong encryption (it's not!), etc.


> I thought I was protected by MP against this because thieves cannot get my
> bank account password if they steal my phone. But actually they can do it by
> simply wiping Firefox data. I feel this needs to be fixed somehow.

They could also do it by setting up a new Sync account (syncing your passwords *up* from the device), or by simply browsing your browser's login manager after you've unlocked MP at some point in the recent past.

If an attacker has your unlocked phone, you have already lost; they can phone your bank, receive the confirmation text message, reset your account passwords by accessing your email account, etc.

Even within Firefox, they could install an add-on that copies your logins database; they can then brute-force it at their leisure. If they're drive-by attacking you, they could install an add-on that copies your logins database and the master password, then return your phone to you.

Conversely, if your phone is locked, then you don't need MP.

 
> Why not ask again for the Sync password if data are wiped?

I'd bet it's 10 or 100-to-1 that a user would want to clear app data themselves, and keep their account, versus an attacker being inconvenienced by this.

But (as Nick notes in Comment 8) re-prompting isn't too big a hassle, so if we do anything, that would be it.
Flags: needinfo?(rnewman)
Hardware: ARM → All
Summary: Global password workaround on Android → Master Password is no longer enabled, but FxA sticks around, after clearing App Data in Android settings
(Reporter)

Comment 11

2 years ago
(In reply to Richard Newman [:rnewman] from comment #10)
> I think most users' understanding of how safe MP makes them is very fuzzy
> indeed, even on desktop; some users think of it as a PIN lock, others think
> of it as some kind of totem of strong encryption (it's not!), etc.
> 
It's not as safe as a PIN. It is as safe as a PIN of 0000 or 1234. In fact it adds zero safety. Users should be warned about it.
> 
> They could also do it by setting up a new Sync account (syncing your
> passwords *up* from the device), or by simply browsing your browser's login
> manager after you've unlocked MP at some point in the recent past.
> 
If this is possible, I think it is not right. It should not be possible to create another Sync account if FF is already connected with existing one.

> If an attacker has your unlocked phone, you have already lost; they can
> phone your bank, receive the confirmation text message, reset your account
> passwords by accessing your email account, etc.
>
Of course. They could steal my accounts and online identity. But not my money.
 
> Even within Firefox, they could install an add-on that copies your logins
> database; they can then brute-force it at their leisure. If they're drive-by
> attacking you, they could install an add-on that copies your logins database
> and the master password, then return your phone to you.
>
That doesn't bother me. I feel what matters is the first few hours before you notice your phone is lost and change the important passwords.


If you decide to leave the MP protection useless, it would be nice to add an option not to synchronize passwords for certain sites.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate
Group: firefox-core-security
Priority: -- → P5

Updated

10 days ago
Product: Android Background Services → Firefox for Android