How secure is Firefox Sync on Android
First, let me summarize how I understand the current security concept of Firefox4Linux, as some of the documents I read may be old:
L1) During sync setup Firefox4Linux creates recovery key, encrypt all passwords, bookmarks, ... using this recovery key and upload them to the server.
L2) Passwords are encrypted only by using the recovery key, (not by master password).
L3) When pairing J-PAKE (Password Authenticated Key Exchange by Juggling) is used to securely transfer the recovery key.
L4) On Firefox4Linux master password is used to encrypt the Recovery Key. Based on my own observation as it is not possible to view Recovery Key without entering the master password at least once.
This all seems to me reasonably secure and there should be no leakage of recovery key without compromising Master password. Now regarding my findings for Firefox4Android:
A1) Firefox4Android stops syncing passwords when master password is used.
A2) Based on my observations Firefox4Android continue to sync bookmarks, tabs, ... even when it is still asking for master password and I am not providing it.
A3) Based on A1 and A2 it looks like that, recovery key is not encrypted using master password.
A4) Based on A3 anybody who gets physical access to the Android device, can get recovery key, setup synchronization on PC and obtain all the passwords!
Please let me know, if I missed something. As it looks to me, using synchronization on Firefox4Android is not secure even if you use Master Password.
Currently I see possible workaround for this issue:
1) Disable master password on Firefox4Android
2) Setup synchronization
3) Let passwords, bookmarks, synchronize
4) Disable synchronization (deleting synchronization account should delete recovery key)
5) Enable master password
Only security issue with this workaround may be, that recovery key may be readable from the NAND flash for a while, because of the wear-leveling techniques. Possible workaround for this, would be generating new recovery key, after performing each synchronization with Android.
Modified by dasty
Additional System Details
- User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
So, what do you want help with here?
I would need a help, how to use Firefox Sync safely on Android devices, without that crazy workaround. I believe I am not the only person having this problem and somebody has find out something more straight forward.
Modified by dasty
Yes. You currently need to disable master password to Sync passwords. The steps you listed are correct. Disable the master password. Allow the passwords to Sync and then re-enable the master password.