
Re: [tor-talk] How safe is smartphones today?

On 4/4/14 4:52 AM, Mike Perry wrote:
> David Rajchenbach-Teller:
>> As a side-note, there is a will to make FirefoxOS very safe, but as far
>> as I know, very few people work on this actively at the moment. If you
>> are interested in contributing to this effort, I can try and find you a
>> good interlocutor.
> I looked into this and made contact with the FFOS team about potential
> collaboration, but it was not a priority for them. We would effectively
> be responsible for doing all of this work ourselves.
> This would actually be a lot of work for us to do, too. There are
> several architectural changes needed to Firefox OS in order for us to be
> able to do the things I did with Android in this post:
> https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
> In particular, the following is a sampling of my more major concerns:
> 1. Apps share a lot more state and linkable identifiers due to running
> in the same parent Gecko process (and sharing much of the HTTP stack).

Actually, that's not true. Maybe you checked on B2G Desktop, which uses
a single process. On the real FirefoxOS, each app runs in its own
process, with the following exceptions:
- the browser UI (i.e. the url bar) is part of the system process;
- dialer, contacts and First Time use are three views of the same

> 2. This also means that apps are way less protected from one another
> than on Android (where everything runs as both a separate process *and*
> a separate user ID).

Each process has a distinct uid.

> 3. There are no per-app proxy settings, and individual apps can not be
> blocked from accessing the network.

Investigating the issue. I believe some work is needed here, but that
doesn't look too hard platform-wise.

> 4. The system-wide proxy settings still allow for a number of things to
> leak outside of Tor.

What kind of leaks do you have in mind?

> 5. It is my understanding that apps can source remote JS libraries over
> HTTP if they wish, and nothing prevents this. This effectively means
> that what you think is your app may not be your app at all.

By default, that is correct. What would you suggest?
I know that the system can detect attempts to access the network by an
app, so I suspect that it wouldn't be too hard to fully deactivate
network access once the app is installed.


David Rajchenbach-Teller, PhD
Performance Team, Mozilla