Audit Fenix code for tracking, fingerprintability, and safety features

Audit Fenix code for tracking, fingerprintability, and Tor safety features in relation to various known attacks.

• Audit code changes since last audit for proxy bypass bugs, following our audit procedure.

Related to 33939.

• android-components#34324 (closed)
• #40008 (closed)
• #40009 (closed)
• tor-browser#29866 (closed)

Trac:
Parent Ticket: legacy/trac#33661 (moved)
Child Ticket(s): legacy/trac#34414 (moved)

added component::applications/tor browser in Legacy / Trac gitlab-tb-fenix in Legacy / Trac owner::tbb-team in Legacy / Trac parent::33661 in Legacy / Trac priority::medium in Legacy / Trac severity::normal in Legacy / Trac sponsor::58-must in Legacy / Trac status::new in Legacy / Trac type::task in Legacy / Trac labels

Trac:
Keywords: N/A deleted, gitlab-tb-fenix added

mentioned in issue legacy/trac#33661 (moved)

mentioned in issue legacy/trac#34414 (moved)

moved from legacy/trac#34177 (moved)

added Task + 1 deleted label and removed 1 deleted label

added Backlog label

mentioned in issue tor-browser#33661 (closed)

added Next label

removed Backlog label

changed the description

removed 1 deleted label

assigned to @mikeperry

mentioned in issue tor-browser#40017 (closed)

mentioned in issue #33939 (closed)

mentioned in issue #40008 (closed)

changed the description

Going to do one comment per repo for proxy audit summary. Notes file will also follow.

Results from android-components proxy audit as follows:

Major findings:

Downloader might use unproxied http or system DL:

• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/AbstractFetchDownloadService.kt
• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/DownloadsFeature.kt
• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/manager/AndroidDownloadManager.kt
• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/manager/FetchDownloadManager.kt

Intents can launch external apps (but can have special prompt):

• components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksUseCases.kt
• components/feature/contextmenu/src/main/java/mozilla/components/feature/contextmenu/ContextMenuCandidate.kt
• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/AbstractFetchDownloadService.kt
• components/feature/downloads/src/main/java/mozilla/components/feature/downloads/DownloadsFeature.kt
• components/feature/prompts/src/main/java/mozilla/components/feature/prompts/PromptContainer.kt
• components/feature/prompts/src/main/java/mozilla/components/feature/prompts/file/FilePicker.kt
• components/feature/pwa/src/main/java/mozilla/components/feature/pwa/WebAppInterceptor.kt
• components/feature/app-links/src/main/java/mozilla/components/feature/app/links/AppLinksInterceptor.kt

Concerning items:

Android's WebKit can get possibly get used:

• components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt
• components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngineView.kt
• components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngine.kt
• components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/NestedWebView.kt
• components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngineSession.kt
• components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/window/SystemWindowRequest.kt

Concerning Activities (app launching; contacts access)

• components/feature/pwa/src/main/java/mozilla/components/feature/pwa/WebAppLauncherActivity.kt
• components/lib/crash/src/main/java/mozilla/components/lib/crash/prompt/CrashReporterActivity.kt
• components/support/ktx/src/main/java/mozilla/components/support/ktx/android/content/Context.kt

The Icon loader uses whatever Client is passed in to download:

• components/browser/icons/src/main/java/mozilla/components/browser/icons/loader/HttpIconLoader.kt

Opened android-components#40002 (closed), android-components#40003 (closed), android-components#40004 (closed) and #40033 (closed).

Some comments:

• Android's WebKit can get possibly get used: components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt

I only see android.net.Uri (from notes, android.net.* being used), I can't find where android webkit/webview can be used in this file.

components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngineView.kt components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngine.kt components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/NestedWebView.kt components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/SystemEngineSession.kt components/browser/engine-system/src/main/java/mozilla/components/browser/engine/system/window/SystemWindowRequest.kt

Those belong to the engine implementation based on the system webview (org.mozilla.components:browser-engine-system), which is not used in Fenix (only org.mozilla.components:browser-engine-gecko* is).

Concerning Activities (app launching; contacts access) components/feature/pwa/src/main/java/mozilla/components/feature/pwa/WebAppLauncherActivity.kt

We should audit this in android-components#34333 (moved), but for the time being will be disabled in android-components#40001 (moved).

components/support/ktx/src/main/java/mozilla/components/support/ktx/android/content/Context.kt

Unless I'm missing something, I think this can only be used to add a new contact, not access the contacts.