Closed Bug 1449225 Opened 6 years ago Closed 2 years ago

Focus leaks history via cache entries unless manually erased by the user

Categories

(Focus :: General, defect)

Unspecified
Android
defect

Tracking

(firefox107 unaffected)

RESOLVED WORKSFORME
Tracking Status
firefox107 --- unaffected

People

(Reporter: modi.konark, Unassigned)

Details

(Keywords: csectype-disclosure, privacy, sec-want)

Attachments

(1 file)

Attached image history-on-disk.png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:

1. Download Firefox Focus for Android (4.1 - Build #20811502).
2. Open a tab and visit multiple websites and Google queries:
    a. Google
    b. http://yatra.com
    c. Search for flights, etc.
3. Restart browser.


Actual results:

All the URLs and queries were persisted on disk.
If you inspect the folder on the device,
`cache/org.chromium.android_webview/`, it does not get cleared on browser restart.

It contains all the headers, the third parties loaded on that page, and the complete URLs of the pages visited.


Expected results:

Because Firefox Focus is private browsing always, the expectation is none of the urls/domains visited during a session should be persisted after browser restart.

But in this case they are persisted until the Caches are purged. (Not sure when that happens).

Also, I am not sure if there is any option on the UI to force clean all the history, apart from restarting the browser.

Component: General → Security: Android
Product: Firefox for Android → Focus
Version: unspecified → ---

Is there a document describing the privacy guarantees or model used by Focus? If not, people will just assume it's identical to Firefox.

Flags: needinfo?(sdaswani)

About all I could find was https://www.mozilla.org/en-US/firefox/mobile/#focus-privacy

The sub-head text supports Konark's expectation: "your browsing history is wiped after every session."

Two sentences later it says "One tap erases your cookies and browsing history." Is that in addition to wiping it after every session, or a contradiction?

On the other hand perhaps the "cache" is not considered part of browser history? That would be extremely surprising to users. Cache is not saved in Private Browsing on Firefox Desktop, and our introductory blog post says "Focus is designed for the times when you don’t want to leave a record on your phone." Cache files are definitely "a record".

https://blog.mozilla.org/blog/2016/11/17/introducing-firefox-focus-a-free-fast-and-easy-to-use-private-browser-for-ios/

Flags: sec-bounty?
Keywords: privacy

See https://github.com/mozilla-mobile/focus-android/issues/1600 for previous examples and https://github.com/mozilla-mobile/focus-android/issues/1569 about trying to clearly document the behavior.

The difficult-to-control Android WebView lifecycle is a driver in the Klar GeckoView work https://github.com/mozilla-mobile/focus-android/labels/Klar%2BGeckoview

Dan, I think Kevin has provided all of the materials I know of documenting the privacy guarantees.

I wonder what STR Step 3 is, i.e., what does 'restart browser' mean? If the forced restart didn't allow our code to run that wipes the session data, not sure what we can do. That is, I'm not sure we ever make this assertion: "Because Firefox Focus is private browsing always, the expectation is none of the urls/domains visited during a session should be persisted after browser restart."

Flags: needinfo?(sdaswani)

@sdaswani:

Restart browser meant closing the app and opening the app again (operating under the assumption that that is also treated as end of session).

Based on the discussions above, I tested it again and here are my observations:

1. Open Firefox Focus (Android)
2. Visit a few websites.

  At this point, if the user DOES NOT "Erase" or close the app, there are a lot of different locations on disk which have a footprint of the websites one has visited, like:
    a. app_webview/Cookies
    b. app_webview/QuotaManager
    c. app_webview/Service Worker/
    d. ... etc.

  Which I guess is expected. Please note the same behavior is observed if Focus is open and the phone is restarted, which could happen for reasons like the battery being discharged or manually switching it off.

3. User DOES NOT "Erase" but closes the app (Clicking x on the app).

  At this point all the other locations are cleaned except: `cache/org.chromium.android_webview/`.

Following are my concerns:

1. As a user, the only way to guarantee "your browsing history is wiped after every session." is that the user MANUALLY removes the history by hitting the "ERASE" button. In case the user is closing the app, it's not cleaned, and this is a point of concern to me.

2. If the app is open in the background, I am not sure if after N minutes / hours the session ends and everything is wiped automatically.

3. Is there some other way Focus detects session end and starts the cleanup process, except closing the app?

Konark, I checked with some engineers and I confirmed that an ‘Erase’ is the only way to guarantee that the session is cleaned. A browser foreground/background or force close is not guaranteed to wipe the session. So the behavior you are seeing is intended. So to address your concerns:

1. No - erase is required, and this is intended.
2. No, but we do have a foreground notification reminding the user that their session is still alive.
3. No, in fact they have to manually erase their session. It’s difficult to try to guess based on time when the user would be ok with us automatically erasing their session.

It looks like these are mostly already known or documented (in github issues) limitations. It does seem that we try to clean up the webkit cruft when we have a clean shutdown and so files remaining in cache/org.chromium.android_webview/ could be new information and worth fixing.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-low
Flags: sec-bounty? → sec-bounty-
Summary: Firefox Focus for Android leaks history on disk → Firefox Focus for Android leaks history via cache entries unless manually erased by the user
Group: firefox-core-security
OS: Unspecified → Android
Component: Security: Android → General

QA, can you please retest this bug in the latest version of Focus? This bug was reported five years ago. At that time, Focus was using Android WebView, not GeckoView. Is it still a problem?

To be able to browse files in Android's /data/data directory, you will need to test this bug using an emulator or a rooted device.

Severity: normal → S3
Flags: qe-verify+
Summary: Firefox Focus for Android leaks history via cache entries unless manually erased by the user → Focus leaks history via cache entries unless manually erased by the user

I forgot to mention during triage that these caches are also from Chromium, which is probably from when Focus was WebView-based, and therefore they should no longer be there in today's app, which is GeckoView-based.

We were not able to find any files in cache containing details of the browsing history.
We've tested on the latest Focus Nightly 109.0a1 with a Google Pixel emulator.

Flags: qe-verify+
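
A retest like the one requested above can be scripted against a copy of the app's data directory taken from an emulator or rooted device. The following is an added example, not part of the bug thread or Mozilla's QA tooling: the function names are hypothetical, the sample tree is constructed, and searching raw bytes for the hosts visited in the test session is an assumption about how to spot leftover history in the locations the reporter lists.

```python
import os
import re
import tempfile

# Locations named in the bug thread, relative to a local copy of the app data directory.
RESIDUE_PATHS = (
    "cache/org.chromium.android_webview",
    "app_webview/Cookies",
    "app_webview/QuotaManager",
    "app_webview/Service Worker",
)

def host_pattern(host):
    # Match the host or a subdomain, not a longer name that merely contains it.
    return re.compile(rb"(?<![A-Za-z0-9-])" + re.escape(host.encode())
                      + rb"(?![A-Za-z0-9-])", re.IGNORECASE)

def scan_residue(data_root, visited_hosts):
    """Map each leftover file (relative path) to the visited hosts found in it."""
    patterns = {h: host_pattern(h) for h in visited_hosts}
    findings = {}
    for rel in RESIDUE_PATHS:
        top = os.path.join(data_root, rel)
        files = [top] if os.path.isfile(top) else [
            os.path.join(d, name) for d, _, names in os.walk(top) for name in names]
        for path in files:
            with open(path, "rb") as fh:
                blob = fh.read()  # cache entries are binary, so search raw bytes
            hits = sorted(h for h, p in patterns.items() if p.search(blob))
            if hits:
                findings[os.path.relpath(path, data_root).replace(os.sep, "/")] = hits
    return findings

def build_sample_tree(root):
    # Constructed sample data: one cache entry holding a URL, one clean file.
    cache = os.path.join(root, "cache", "org.chromium.android_webview")
    os.makedirs(cache)
    with open(os.path.join(cache, "entry_0"), "wb") as fh:
        fh.write(b"\x00\x01hdr https://www.yatra.com/flights?from=DEL\x00HTTP/1.1 200")
    with open(os.path.join(cache, "index"), "wb") as fh:
        fh.write(b"\x00\x00index-only\x00")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, hosts in scan_residue(tmp, ["yatra.com", "google.com"]).items():
            print(path, hosts)
```

Running the scan once after browsing and again after closing the app without tapping "Erase" shows which locations still name the visited hosts; an empty result corresponds to the QA finding above.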

.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME