Closed Bug 1489946 Opened 6 years ago Closed 3 years ago

Firefox for Android app allows attackers to modify apps without affecting their signature.

Categories

(Firefox Build System :: Android Studio and Gradle Integration, defect, P1)


Tracking

(firefox65 wontfix, firefox66 wontfix, firefox67 wontfix, firefox68 wontfix, firefox69 wontfix, firefox70- wontfix, firefox71- wontfix, firefox72 wontfix)

RESOLVED FIXED

People

(Reporter: Bean3ai, Unassigned)

References

Details

(Keywords: csectype-priv-escalation, sec-moderate)

Attachments

(3 files, 2 obsolete files)

Attached image firefox62.jpg
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce:

Checking the Firefox for Android App's signature information, I noticed that it is using signature scheme version 1. App's signature information screenshots attached.

Actual results:

It is a serious vulnerability that could allow attackers to modify installed apps without affecting their signature. This vulnerability (designated as CVE-2017-13156, and also called the Janus vulnerability) affects versions of Android from 5.1.1 to 8.0.

Expected results:

For compatibility reasons, developers could use a mixed signature (version 1 and 2) scheme.
Attached image v1.jpg (obsolete) —
Attached image v1.jpg (obsolete) —
Attached image v1.jpg
Attachment #9007685 - Attachment is obsolete: true
Attachment #9007686 - Attachment is obsolete: true
Good write up of the issue. The CVE database links don't do a good job of describing the vuln. https://blog.trendmicro.com/trendlabs-security-intelligence/janus-android-app-signature-bypass-allows-attackers-modify-legitimate-apps/
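The two conditions the report and the Trend Micro write-up turn on are checkable from the file alone: whether the APK carries only v1 (JAR) signature files or also an APK Signing Block with a v2/v3 entry, and whether the file is "Janus-shaped", i.e. begins with a DEX header while still parsing as a zip (zip readers locate the archive from the end-of-central-directory record, so prepended bytes do not break it, while the runtime sees the DEX magic at offset 0). The script below is an added example, not code from this bug, from Mozilla's signing tooling, or from Android's apksigner. The zip and APK Signing Block layouts and the v2/v3 block IDs follow the public AOSP documentation; the sample APKs (`build_apk`, `janus_wrap`) are constructed in memory with dummy signature payloads, so the checks report which schemes are declared and say nothing about whether a signature verifies.

```python
"""Report which APK signature schemes a file declares and whether it has the
Janus shape (DEX header in front of a valid zip). Added example; constructed
fixtures, no real cryptographic verification."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
DEX_MAGIC = b"dex\n"

# IDs of ID-value pairs inside the APK Signing Block (AOSP documentation).
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record. Searched from the end,
    as every zip reader does, which is why a DEX glued to the front of the
    file does not stop it from opening as a zip."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if idx < 0:
        raise ValueError("not a zip: EOCD not found")
    return idx


def signing_block_ids(data: bytes) -> set:
    """IDs of the pairs in the APK Signing Block, or an empty set if absent.
    Layout: size_of_block | pairs | size_of_block | magic, just before the CD."""
    eocd = find_eocd(data)
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    cd_off = eocd - cd_size                      # central directory ends at EOCD
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return set()
    size_of_block = struct.unpack_from("<Q", data, cd_off - 24)[0]
    start = cd_off - 8 - size_of_block           # leading copy of size_of_block
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size_of_block:
        return set()
    ids, pos, end = set(), start + 8, cd_off - 24
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)  # len covers id+value
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids


def declared_signature_schemes(data: bytes) -> set:
    """Schemes the APK claims: v1 from META-INF signature files, v2+ from the
    signing block. Presence only; use apksigner to actually verify."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    schemes = set()
    if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
           for n in names):
        schemes.add("v1")
    schemes.update(SCHEME_IDS[i] for i in signing_block_ids(data) if i in SCHEME_IDS)
    return schemes


def is_janus_shaped(data: bytes) -> bool:
    """True when the file starts with a DEX header yet still opens as a zip:
    the runtime would load the DEX while a v1-only check inspects zip entries."""
    return data.startswith(DEX_MAGIC) and zipfile.is_zipfile(io.BytesIO(data))


def build_apk(with_v1: bool, scheme_ids=()) -> bytes:
    """Constructed fixture: minimal APK with optional v1 artifacts and an APK
    Signing Block carrying the given IDs (16 dummy bytes per value)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        if with_v1:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # stand-in PKCS#7 blob
    data = bytearray(buf.getvalue())
    if not scheme_ids:
        return bytes(data)
    pairs = b"".join(struct.pack("<QI", 4 + 16, sid) + b"\xAA" * 16 for sid in scheme_ids)
    size_of_block = len(pairs) + 8 + 16
    block = (struct.pack("<Q", size_of_block) + pairs
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    eocd = find_eocd(bytes(data))
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    data[cd_off:cd_off] = block                  # block sits just before the CD
    struct.pack_into("<I", data, eocd + len(block) + 16, cd_off + len(block))
    return bytes(data)


def janus_wrap(apk: bytes) -> bytes:
    """Constructed: glue a DEX-looking header in front of a finished APK."""
    return b"dex\n035\0" + b"\0" * 24 + apk


if __name__ == "__main__":
    for label, apk in [("v1 only", build_apk(True)),
                       ("v1+v2", build_apk(True, [0x7109871A])),
                       ("janus on v1", janus_wrap(build_apk(True)))]:
        print(f"{label:12} schemes={sorted(declared_signature_schemes(apk))} "
              f"janus_shaped={is_janus_shaped(apk)}")
```

On a real build the equivalent check is `apksigner verify --verbose --print-certs app.apk`, which prints a "Verified using v1/v2/v3 scheme" line per scheme; the script only tells you what a file declares and which shape it has. The Janus-wrapped fixture still opens as a zip and still lists its v1 signature files, which is the point of the report: a v1-only check has nothing covering the bytes in front of the archive, whereas a v2 signature covers the whole file outside the signing block.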
Flags: needinfo?(sdaswani)
Will wait for a sec-rating from the security team before prioritizing this work.
Flags: needinfo?(sdaswani)
This and bug 1489950 are essentially dupes -- I'm fairly sure we use the same build/signing infrastructure. But we can create a build/tooling bug and make both depend on it.
Group: firefox-core-security → mobile-core-security

:catlee, might this be for your team as well as the Focus issue?

Flags: needinfo?(catlee)
Priority: -- → P1

I'm pretty sure that this is a dupe of bug 1489950

Flags: needinfo?(catlee)
Product: Firefox for Android → Firefox Build System
Version: Firefox 62 → 62 Branch

Nick, can you help find an owner for this issue for Firefox 70?

Flags: needinfo?(nalexander)

oops, just realized this is more likely for :ulfr.

Flags: needinfo?(nalexander) → needinfo?(jvehent)

APKv2 support in autograph is planned for q3 2019.
https://github.com/mozilla-services/autograph/issues/64

Flags: needinfo?(jvehent)

I'd still love to get this into 70 if you have time for it in the next couple of weeks. We're heading into beta 8 (of 14) now.

Flags: needinfo?(jvehent)

Unfortunately, apk2 support slipped train-4. We will try to ship it with train-5 in 3 weeks, and it will be another couple weeks before we're comfortable signing fennec/fenix with it.

Flags: needinfo?(jvehent)

Ok, I'll mark this wontfix for 70 then. Thanks!

Julien, is that something we should still track for 71? Thanks

Flags: needinfo?(jvehent)

Yes. APK2 is available in Autograph, and we can start moving applications to it.
We can start using it on Fenix Nightly for a train cycle (3 weeks) and move the rest in the next train.

Blocks: 1589166
Flags: needinfo?(jvehent)
Assignee: nobody → jvehent
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9104611 - Flags: review?(gguthe)
Attachment #9104611 - Flags: review?(gguthe) → review+

As of yesterday, Fenix Nightly has been switched to APK2. Please QA.

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:jvehent, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jvehent)

The patch landed in a private config repo that I don't think autonag has access to.

Flags: needinfo?(jvehent)

The status of this bug is a bit unclear, but https://github.com/mozilla-services/autograph/issues/64 is closed and 71 is now behind us, so I am marking it as wontfix for our past releases. Julien, is there something needed in this bug for 72/73?

We're holding off on moving other releases to APK2 until January (end of year freeze), but at this point it's just a config change in the signing server to move the remaining applications to APK2. Nothing else is needed.

Flags: needinfo?(jvehent)
Depends on: 1601680

Greg, Aki, is that still a thing?

Flags: needinfo?(gguthe)
Flags: needinfo?(aki)
Assignee: jvehent → nobody
Status: ASSIGNED → NEW
Version: 62 Branch → unspecified

(In reply to Sylvestre Ledru [:Sylvestre] from comment #24)

Greg, Aki, is that still a thing?

Nope, we migrated all apk signers to issue v2 signatures in autograph a couple years ago.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(gguthe)
Resolution: --- → FIXED
Group: mobile-core-security → core-security-release
Flags: needinfo?(aki)
Group: core-security-release