Closed Bug 658691 Opened 13 years ago Closed 13 years ago

remove android:debuggable="true" from AndroidManifest.xml

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox6 fixed, status1.9.2 unaffected, status1.9.1 unaffected, fennec6+)

Status:
RESOLVED FIXED
Milestone:
Firefox 7
Tracking Flags:
Tracking Status
firefox6 --- fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected
fennec 6+ ---

People

(Reporter: Atoll, Assigned: alexp)

References

Details

(Whiteboard: [sg:moderate (local)])

Attachments

(1 file, 2 obsolete files)

Patch v2
2.08 KB, patch
blassey
: review+
johnath
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
Consider removing android:debuggable="true" from AndroidManifest.xml, as otherwise private Firefox application data may be accessible without root access to all other applications.  From bug 592772#c50:

> I was considering the SharedPreferences again, and realized that the "run-as
> org.mozilla.fennec" way to access private data should not actually work in
> normal conditions! It does work for Fennec only because we have parameter
> android:debuggable="true" in the AndroidManifest.xml. If an app is not
> debuggable, its private data is not be accessible from the outside without
> root.

Flagging as a security issue since this puts us at risk of exposing private user data on non-rooted phones, if we shipped beta/final releases with this flag set.
cc alexp@ since he discovered this issue
Attached patch Patch (obsolete) — Splinter Review 
Set debuggable attribute to false.
Assignee: nobody → alexp
Status: NEW → ASSIGNED
Attachment #534148 - Flags: review?(blassey.bugs)
Blocks: 592772
Whiteboard: [sg:high (local)]
Attachment #534148 - Flags: review?(blassey.bugs) → review+
stealing review.  we should do this.
i would really like to see this fixed asap also, fwiw.
What release of Fennec is the r+ patch above scheduled to ship in?
the motivation behind wanting this fixed is stated in comment 50 of bug 592772 - " If an app is not debuggable, its private data is not be accessible from the outside without root. ".

also there's a much MUCH lower risk threat of someone not expecting the browser to be debuggable and not taking the proper precautions with connecting to usb and opting in to usb debugging - i mention it for completeness' sake :)
tracking-fennec: --- → 6+
tracking-firefox5: ? → ---
tracking-firefox6: ? → ---
Keywords: checkin-needed
Attachment #534148 - Flags: approval-mozilla-aurora?
Comment on attachment 534148 [details] [diff] [review]
Patch

Fennec only
Attachment #534148 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attached patch Patch (obsolete) — Splinter Review 
Only updated commit message. Ready to be pushed.
r=dougt, a=mfinkle
Attachment #534148 - Attachment is obsolete: true
Attachment #539918 - Flags: review+
we should also perhaps consider documenting somewhere that fennec developers are going to want to manually turn this back on when actively developing fennec
Comment on attachment 539918 [details] [diff] [review]
Patch

please don't break all developers. This needs to at least be set to true for unofficial builds.
Attachment #539918 - Flags: review+ → review-
(In reply to comment #10)
> please don't break all developers. This needs to at least be set to true for
> unofficial builds.

It's possible, but I think it's not really such a big deal. It is so easy to enable debugging locally, we should just add this info to the debugging instructions on the Wiki (which the developers have to read anyway as it's impossible to debug without knowing some of those important bits). It does require rebuilding (repackaging) though.

What kind of scenario are you thinking about when this would cause a problem for developers? Do you mean some case when a binary installation is used and access to the files is needed?
Keywords: checkin-needed
Developers should be debugging all the time. Requiring them to make a code change in order to do it is overly onerous since it would have to be reverted before every update of your tree and reapplied after.
makes sense.
Then let's add something to the mozconfig. Developers can set it in theirs, but not in the other builds. I don't want branding to be used as the flag.
can we key off whether it's a debug build ? (i assume we're not shipping debug binaries via the android market, but it's an assumption :) )

ie. for a debug build (ac_add_options --enable-debug), debuggable will be true, for a build without this, it will be false 

we have a AndroidManifest.xml.in so i'm also assuming this is something configure can handle for us
Attached patch Patch v2Splinter Review 
Keep debuggable flag for the unofficial build.
Attachment #539918 - Attachment is obsolete: true
Attachment #540102 - Flags: review?(blassey.bugs)
Attachment #540102 - Flags: review?(blassey.bugs) → review+
Keywords: checkin-needed
Keywords: checkin-needed
Target Milestone: --- → Firefox 7
http://hg.mozilla.org/mozilla-central/rev/05a1cae42a22
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attachment #540102 - Flags: approval-mozilla-aurora?
Attachment #540102 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Whiteboard: [sg:high (local)] → [sg:moderate (local)]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: