Closed Bug 1375427 Opened 8 years ago Closed 5 years ago

web sites redirecting users to their apps are bypassing Firefox's attempts to provide consistent security and privacy

Categories

(Firefox for Android Graveyard :: General, enhancement, P3)

ARM
Android
enhancement

Tracking

(fennec-)

RESOLVED INCOMPLETE
Tracking Status
fennec - ---

People

(Reporter: daniel, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20170419042421

Steps to reproduce:

Browse to a web site

Actual results:

Web site encouraged me to install an app. This is a common attempt at a privilege escalation attack these days. The web site operator wants to get more data about their users than Firefox allows them to receive. Therefore, they try to coerce the user to install an app, sometimes making the site appear crippled or inaccessible compared to their desktop site.

Expected results:

Firefox could display a warning when:
a) the user views a site that over-emphasizes the use of an app.
b) the user tries to install an app using a link from a web site.

Some of the following strategies could be helpful:
- maintaining a greylist of common sites that overemphasize their app and displaying warnings for these sites
- when the user tries to use the link to install an app (or a link to Google Play), display a privacy warning and give them a choice "Do you want to proceed or would you like to request the desktop version of the site instead?"

For sites that only exist to promote an app, even on the desktop version of the site, a prominent button for the user to install the app is quite acceptable. For a site that is fully functional on a desktop browser without any app, if the site is obviously crippled on mobile browsers to coerce users to install an app, a security warning appears justified.
Changing component to Web Apps, if anyone feels like this is not the right component please feel free to change it back.
Severity: normal → enhancement
tracking-fennec: --- → ?
Component: General → Web Apps
OS: Unspecified → Android
Hardware: Unspecified → ARM
Version: unspecified → Trunk
Component: Web Apps → General
[triage@0712] It's more like a feature but seems not proper to be handled by Firefox Android.
We can do whatever here, but need some product/UX guidance.
Flags: needinfo?(jcheng)
Flags: needinfo?(abovens)
This seems to be more about apps than about web apps. Not sure it's possible to define sensible behavior here (the approach to show a privacy warning and suggestion to load the desktop site instead only makes sense in a handful of cases, and one can argue it's rather hard to understand). Furthermore, in case a website is malicious, I suppose it would be flagged by our Safe Browsing implementation already.
Flags: needinfo?(abovens)
Agree with Andreas. "The web site operator wants to get more data about their users than Firefox allows them to receive." This could be true in some cases but not all. Some apps exist for a better experience that the Web cannot offer at this moment and any other reasons that we may not have thought about. It will be difficult to decide that for anyone who has both a website and an app. Don't think we are in a position to do so.
Flags: needinfo?(jcheng)
Maybe it would be useful to gather some examples of the more disturbing cases where this happens to help make a decision about this.

For example, visiting the Trip Advisor web site with a mobile browser, it only shows the first few words of a hotel or restaurant review and tells the user to install the app (granting permissions) to read more. In fact, there is no technical reason why those extra permissions are needed to read a restaurant review. Visiting the same web site from a regular computer/browser or using desktop browsing mode on the mobile, the full reviews are visible.

This particular case is one of the more extreme examples. The less extreme, but still very annoying, examples are sites like AirBNB that display a full screen promotion for their app every time you visit their web site, forcing the user to click "no" every time. This is like spamming and they appear to hope that users will eventually become frustrated and install their app.

What would be a good way to ask other users to submit examples, especially where they behave like Trip Advisor?

Maybe a police-man approach is useful: making an example of a couple of sites like Trip Advisor, flagging them as part of the Safe Browsing initiative until they stop messing around the users. This might send a message to both web developers and users that this behavior is too aggressive and is effectively an attempt at privilege escalation.
tracking-fennec: ? → -
[triage0719] - based on Product's comments above.
I agree these app install door slams are annoying, but implementing a particular behavior (like blocking, or bypassing them) is more something for a browser extension, than for the browser itself, IMO. Rather than taking a police-man approach (as suggested above), I'd rather encourage developers to look into progressive web apps, as they allow for a non-intrusive installation user flow (if so desired), and bring many features we typically consider as "native-only" to the web platform. This work is underway, and the remaining bits (add to home screen) should land soon in Fennec.
We have completed our launch of our new Firefox on Android. The development of the new versions uses GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix), an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report, please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard