Optional primary password missing in Firefox for Android (Daylight) #15147
Comments
Please read #14501 (comment) and #14501 (comment) about the security aspect. |
Hi caderyn! OK, I see that my issue is a duplicate of issue 14501. (I had searched bugzilla for similar issues but it did not find it. Probably bugzilla should explain, that searches should be done directly at GitHub) Nevertheless: The issue should be reopened. The comment #14501 (comment) is not sufficient: "If someone gets physical access to your phone, yes, they could pull the password files from your physical phone but master password won't protect that." The master password does not protect pulling encrypted files, but it protects to get the plain text from these files. Not only the "physical access to your phone" by "someone" is needed to get the password files. A usual way to backup the phone data is to connect the mobile via USB to the desktop computer and to copy all data to it. Then all phone data are included in the backups of the desktop computer. No longer encrypted by the Android system. The user would need to encrypt the backups manually, but also then there are security gaps: What happenes during the transfer? Do I trust Windows? ... It is not a simple "double encrypting" to encrypt the passwords by a primary password. It is "Defense in depth" (see https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29):
We know from Ed Snowden that the NSA tries to influence companies and open source communities to lower security measurements. We all should resist to do that. With a primary password in an open source browser we have a trustable and comprehensible method to secure the passwords. Encrypting Android data on the disk level and access restrictions are surely good additions, but not a replacement! Martin |
Hi Sören, I did not immediately see your added link to #14501 (comment) . After reading https://developer.android.com/training/articles/keystore I see now that the Android Keystore is much more than an encrypted filesystem and usual Linux access protection. So my fear that plain text passwords may go into backups of the phone file system is dispelled. Now, if the Android Keystore works as described, it seems to be secure enough. If not, that may become repaired And under this premise it is indeed a gain of usability, if the password manager does not require a primary password to be entered. Therefore I can now understand the decision to rely on Android Keystore. Issue closed. |
Storing passwords is unsecure unless they are encrypted with a strong key derived from a primary password. The key should be derived by key stretching techniques like SCrypt or Argon2.
Since the Daylight version it is not possible any more to use a primary password (former "master password"). The access to the passwords is only protected by asking for a fingerprint or the PIN. But both protect only the access of the data by the UI. If any malicious App gains access to the Firefox data then it can read all the passwords as plain text. Also backups of the mobile filesystems aren't secured.
Using a local or online password manager to store and retrieve passwords is only a work-around. It takes much more time for the user in the day-to-day usage. A browser extension isn't a good alternative too. Keeping extensions compatible with the browser takes time and is therefore not considered to be reliable.
Therefore the primary password is a key feature of the browser itself.
Please re-implement it.
We recommend our customers to use only browsers, which provide this feature, whenever possible.
Martin Schöttler
CEO of matique UG (haftungsbeschränkt)
Kochel a. See, Germany
┆Issue is synchronized with this Jira Task
The text was updated successfully, but these errors were encountered: