Question

posted by dasty 1 year ago
How secure is Firefox Sync on Android

First, let me summarize how I understand the current security concept of Firefox4Linux, as some of the documents I read may be old:

L1) During sync setup Firefox4Linux creates recovery key, encrypt all passwords, bookmarks, ... using this recovery key and upload them to the server[1].

L2) Passwords are encrypted only by using the recovery key, (not by master password)[2].

L3) When pairing J-PAKE (Password Authenticated Key Exchange by Juggling) is used to securely transfer the recovery key[3].

L4) On Firefox4Linux master password is used to encrypt the Recovery Key. Based on my own observation as it is not possible to view Recovery Key without entering the master password at least once.


This all seems to me reasonably secure and there should be no leakage of recovery key without compromising Master password. Now regarding my findings for Firefox4Android:

A1) Firefox4Android stops syncing passwords when master password is used[4].

A2) Based on my observations Firefox4Android continue to sync bookmarks, tabs, ... even when it is still asking for master password and I am not providing it.

A3) Based on A1 and A2 it looks like that, recovery key is not encrypted using master password.

A4) Based on A3 anybody who gets physical access to the Android device, can get recovery key, setup synchronization on PC and obtain all the passwords!


Please let me know, if I missed something. As it looks to me, using synchronization on Firefox4Android is not secure even if you use Master Password.

Currently I see possible workaround for this issue:

1) Disable master password on Firefox4Android

2) Setup synchronization

3) Let passwords, bookmarks, synchronize

4) Disable synchronization (deleting synchronization account should delete recovery key)

5) Enable master password

Only security issue with this workaround may be, that recovery key may be readable from the NAND flash for a while, because of the wear-leveling techniques. Possible workaround for this, would be generating new recovery key, after performing each synchronization with Android.

[1] http://support.mozilla.org/en-US/kb/firefox-sync-data-secure-find-out-more

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=540975

[3] http://gregoryszorc.com/blog/2012/04/08/comparing-the-security-and-privacy-of-browser-syncing/

[4] http://support.mozilla.org/en-US/kb/use-master-password-protect-passwords-firefox-andr

↓ Show more ↑ Show less
  • All posts
  • Helpful Solutions
  • post
  • owner
  • post