Closed
Bug 798928
Opened 13 years ago
Closed 13 years ago
Unofficial Android builds unnecessarily expose valid usernames on the builder's system
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: wgianopoulos, Unassigned)
Details
In order to differentiate builds by the person creating the build, the unofficial Android builds include the username in the application identifier, thus unnecessarily exposing a valid username, which is a security concern. This is probably OK for a default, but it should be possible for the security-conscious to override the unique identifier added to override the default of username without having to resort to changing the source. There should be some kind of MOZ_ environment variable which, if defined, overrides the usage of $USER.
Comment 1•13 years ago (Reporter)
This is an issue both in the definition of ANDROID_PACKAGE_NAME and MOZ_APP_DISPLAYNAME
Updated•13 years ago (Reporter)
Summary: Unofficial Android builds unnecessarily expose valid usernames on the builders system → Unofficial Android builds unnecessarily expose valid usernames on the builder's system
Comment 2•13 years ago (Reporter)
This is why I include this code in my Android builds:
diff --git a/mobile/android/branding/unofficial/configure.sh b/mobile/android/branding/unofficial/configure.sh
--- a/mobile/android/branding/unofficial/configure.sh
+++ b/mobile/android/branding/unofficial/configure.sh
@@ -1,3 +1,3 @@
-ANDROID_PACKAGE_NAME=org.mozilla.fennec_`echo $USER`
-MOZ_APP_DISPLAYNAME="Fennec `echo $USER`"
+ANDROID_PACKAGE_NAME=org.mozilla.fennec_wg9s
+MOZ_APP_DISPLAYNAME=WG9s
MOZ_UPDATER=
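Review bot: both `+` lines hard-code the literal `wg9s` in the shared branding file, so every builder who wants to hide their account name has to carry a private patch of their own. Reading an optional variable and falling back to `$USER` when it is unset would keep the current default while giving the opt-out requested in the description. The new `MOZ_APP_DISPLAYNAME=WG9s` also drops the `Fennec ` prefix and the quoting that the removed line had, which changes the display name format beyond just replacing the username.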
Comment 3•13 years ago
There is no reason for this bug to be sec-sensitive. This only happens in custom builds and is a boon to developers and other members of the mobile team as our builds are not stamping over each other if you install another dev's builds.
You can set the $USER variable or set MOZ_OFFICIAL=1, though official may run into signing conflicts with release builds.
Group: core-security
Comment 4•13 years ago
Agreed, you can set the USER variable to be whatever you like when building. e.g.
USER=AnonymousCoward make -f client.mk
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Comment 5•13 years ago (Reporter)
OK. I was afraid altering $USER might break something else.
Updated•5 years ago (Assignee)
Product: Firefox for Android → Firefox for Android Graveyard
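The override requested in the description, sketched as an added example that is not part of the bug thread or of Mozilla's build system: `MOZ_BUILD_SUFFIX` is a hypothetical variable name and `jdoe` is a constructed account name. The last function is a check a builder could run on the resulting values before publishing a build.

```shell
#!/bin/sh
# Added example. MOZ_BUILD_SUFFIX is a hypothetical variable, not a real build option.

# Reduce a string to characters that are valid inside one package-name segment.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_' '_'
}

# Per-builder suffix: the override if set and non-empty, otherwise $USER
# (the default behaviour discussed in the bug).
build_suffix() {
    sanitize "${MOZ_BUILD_SUFFIX:-${USER:-unknown}}"
}

# Emit the two branding values that the unofficial configure.sh defines.
branding_values() {
    suffix="$(build_suffix)"
    printf 'ANDROID_PACKAGE_NAME=org.mozilla.fennec_%s\n' "$suffix"
    printf 'MOZ_APP_DISPLAYNAME="Fennec %s"\n' "$suffix"
}

# Return 0 when a branding value embeds the given login name, either as typed
# or in its sanitized form; return 1 otherwise.
embeds_login() {
    value="$1"
    login="$2"
    [ -n "$login" ] || return 1
    clean="$(sanitize "$login")"
    case "$value" in
        *"$login"*|*"$clean"*) return 0 ;;
    esac
    return 1
}

# Demo with constructed values; "jdoe" stands in for a real account name.
( USER=jdoe; unset MOZ_BUILD_SUFFIX; branding_values )
( USER=jdoe; MOZ_BUILD_SUFFIX=nightly-01; branding_values )
```

Unlike reassigning `USER` for the whole `make` invocation, a dedicated variable only affects the branding values and leaves anything else that reads `$USER` untouched.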