1491627 - FireFox for Android doesn't protect master password screen with FLAG_SECURE

Status: RESOLVED INCOMPLETE

(Firefox for Android Graveyard :: General, defect, P3)

Description

[research]

FLAG_SECURE is normally used to prevent screenshots from being taken. The FireFox browser app for Android does not use this for the settings screen, specifically for the master password.

To reproduce, install the app, go to settings, privacy, master pasword and take a screenshot by pressing Power + Volume down.

To fix, FLAG_SECURE should be applied. More details in my blog post here:
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/

Related issues fixed in Chrome and Android OS:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243

This was originally reported to the Tor project - they suggested I should also let Mozilla know. Tor report # 409693.

Comment 1

[research]

Related to bug # 1314776

Comment 2

[Al Billings [:abillings - ex-MoCo]]

Minusing for the bounty program as sec-low rated issues do not qualify for bounties.

Comment 3

[Diana Rus]

Hi,

The issue has been reproduced.

Environment
Device: Tablet - Google Pixel C, Android(7.0.0)
Build: Firefox Beta (67.0b18) and Firefox Nightly 68.0a1 (2019-05-08)

Regards,
Diana Rus

Comment 4

[BMO Automation]

We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.