Created attachment 8786256: Untitled.png

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Firefox for Android

Steps to reproduce:

Files contain hardcoded sensitive information. I reverse engineered the apk file of Mozilla and found the following information in the java file.

public static final String MOZ_MOZILLA_API_KEY = "3b4d27dd-703d-4094-8398-4de2c763505a";

Actual results:

If this is an actual key file which is used for any type of encryption, it shouldn't be present in the code.

Expected results:

No hard-coded sensitive information in the apk file as it is easily reversible.
Moving to the component that added the code.
Component: Untriaged → Geolocation
Product: Firefox → Android Background Services
See Also: → bug 1038843
Version: 48 Branch → Firefox 48
Yeah, this isn't an issue, to the best of my knowledge. I'll get Hanno to weigh in, however. Hanno, can you verify that leaking the API key is not an issue?
This is indeed no real secret, but more like an extended user agent header. It just happens to be named API key, which is misleading. Its purpose is to allow us to attribute traffic to the Mozilla Location Service to different applications, flavors of applications (like Play Store release vs. developer build) and sometimes parts of the application (e.g. MLS stumbling vs. geolocation usage vs. snippets service).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
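Added example (not part of the bug thread and not Mozilla's code): a triage pass over decompiled Java that lists string constants whose names suggest a credential, which is what the report above did by hand. The name hints, shape labels and entropy threshold are assumptions; the shape only orders findings for review, since in this thread it took the service owner's answer to establish that the value merely attributes traffic.

```python
import math
import re
from collections import Counter

# Java string constants, e.g.: public static final String NAME = "value";
DECL = re.compile(r'\bstatic\s+final\s+String\s+(\w+)\s*=\s*"([^"\\]*)"\s*;')
# Assumed naming hints; extend for your code base.
NAME_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD", re.I)
UUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def entropy(value):
    """Shannon entropy in bits per character."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def shape_of(value):
    """Coarse label used to order findings for review, not a verdict."""
    if UUID.fullmatch(value):
        return "uuid"
    if len(value) >= 20 and entropy(value) >= 4.0:  # assumed threshold
        return "high-entropy"
    return "other"


def triage(source):
    """Return one finding per credential-named string constant."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, value in DECL.findall(line):
            if value and NAME_HINT.search(name):
                findings.append({"line": lineno, "name": name,
                                 "shape": shape_of(value)})
    return findings


# Line 1 is the constant quoted in the report; lines 2-3 are constructed.
SAMPLE = '''\
public static final String MOZ_MOZILLA_API_KEY = "3b4d27dd-703d-4094-8398-4de2c763505a";
private static final String UPLOAD_PASSWORD = "changeme";
public static final String LOG_TAG = "GeckoStumbler";
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        # Each finding still needs the owning team to say what the server
        # does with the value (authorize a request, or only label traffic).
        print(f"{f['line']}: {f['name']} shape={f['shape']} -> ask service owner")
```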