Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

How secure is Firefox Sync on Android

  • 3 replies
  • 1 has this problem
  • 205 views
  • Last reply by Kevin

dasty
dasty
more options

First, let me summarize how I understand the current security concept of Firefox4Linux, as some of the documents I read may be old:

L1) During sync setup Firefox4Linux creates recovery key, encrypt all passwords, bookmarks, ... using this recovery key and upload them to the server[1].

L2) Passwords are encrypted only by using the recovery key, (not by master password)[2].

L3) When pairing J-PAKE (Password Authenticated Key Exchange by Juggling) is used to securely transfer the recovery key[3].

L4) On Firefox4Linux master password is used to encrypt the Recovery Key. Based on my own observation as it is not possible to view Recovery Key without entering the master password at least once.


This all seems to me reasonably secure and there should be no leakage of recovery key without compromising Master password. Now regarding my findings for Firefox4Android:

A1) Firefox4Android stops syncing passwords when master password is used[4].

A2) Based on my observations Firefox4Android continue to sync bookmarks, tabs, ... even when it is still asking for master password and I am not providing it.

A3) Based on A1 and A2 it looks like that, recovery key is not encrypted using master password.

A4) Based on A3 anybody who gets physical access to the Android device, can get recovery key, setup synchronization on PC and obtain all the passwords!


Please let me know, if I missed something. As it looks to me, using synchronization on Firefox4Android is not secure even if you use Master Password.

Currently I see possible workaround for this issue:

1) Disable master password on Firefox4Android

2) Setup synchronization

3) Let passwords, bookmarks, synchronize

4) Disable synchronization (deleting synchronization account should delete recovery key)

5) Enable master password

Only security issue with this workaround may be, that recovery key may be readable from the NAND flash for a while, because of the wear-leveling techniques. Possible workaround for this, would be generating new recovery key, after performing each synchronization with Android.

[1] http://support.mozilla.org/en-US/kb/firefox-sync-data-secure-find-out-more

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=540975

[3] http://gregoryszorc.com/blog/2012/04/08/comparing-the-security-and-privacy-of-browser-syncing/

[4] http://support.mozilla.org/en-US/kb/use-master-password-protect-passwords-firefox-andr

First, let me summarize how I understand the current security concept of Firefox4Linux, as some of the documents I read may be old: L1) During sync setup Firefox4Linux creates recovery key, encrypt all passwords, bookmarks, ... using this recovery key and upload them to the server[1]. L2) Passwords are encrypted only by using the recovery key, (not by master password)[2]. L3) When pairing J-PAKE (Password Authenticated Key Exchange by Juggling) is used to securely transfer the recovery key[3]. L4) On Firefox4Linux master password is used to encrypt the Recovery Key. Based on my own observation as it is not possible to view Recovery Key without entering the master password at least once. This all seems to me reasonably secure and there should be no leakage of recovery key without compromising Master password. Now regarding my findings for Firefox4Android: A1) Firefox4Android stops syncing passwords when master password is used[4]. A2) Based on my observations Firefox4Android continue to sync bookmarks, tabs, ... even when it is still asking for master password and I am not providing it. A3) Based on A1 and A2 it looks like that, recovery key is not encrypted using master password. A4) Based on A3 anybody who gets physical access to the Android device, can get recovery key, setup synchronization on PC and obtain all the passwords! Please let me know, if I missed something. As it looks to me, using synchronization on Firefox4Android is not secure even if you use Master Password. Currently I see possible workaround for this issue: 1) Disable master password on Firefox4Android 2) Setup synchronization 3) Let passwords, bookmarks, synchronize 4) Disable synchronization (deleting synchronization account should delete recovery key) 5) Enable master password Only security issue with this workaround may be, that recovery key may be readable from the NAND flash for a while, because of the wear-leveling techniques. Possible workaround for this, would be generating new recovery key, after performing each synchronization with Android. [1] http://support.mozilla.org/en-US/kb/firefox-sync-data-secure-find-out-more [2] https://bugzilla.mozilla.org/show_bug.cgi?id=540975 [3] http://gregoryszorc.com/blog/2012/04/08/comparing-the-security-and-privacy-of-browser-syncing/ [4] http://support.mozilla.org/en-US/kb/use-master-password-protect-passwords-firefox-andr

Modified by dasty

All Replies (3)

user633449
user633449
more options

So, what do you want help with here?

dasty
dasty Question owner
more options

I would need a help, how to use Firefox Sync safely on Android devices, without that crazy workaround. I believe I am not the only person having this problem and somebody has find out something more straight forward.

Modified by dasty

Kevin
Kevin
  • Moderator
more options

Yes. You currently need to disable master password to Sync passwords. The steps you listed are correct. Disable the master password. Allow the passwords to Sync and then re-enable the master password.