mozilla-lockwise / lockwise-android

Firefox's Lockwise app for Android
https://mozilla-lockwise.github.io/lockwise-android/
Mozilla Public License 2.0

Firefox Lockwise app on Android seems to be insecure [Bug] #1221

Closed martin-schoettler closed 3 years ago

martin-schoettler commented 3 years ago

(moved from https://github.com/mozilla-mobile/fenix/issues/15148)

Steps to reproduce

Expected behavior

I assumed that either

I assumed also that

Actual behavior

Firefox Lockwise does not ask the user for a primary password when it is restarted, but it is able to connect to the Firefox account.

Therefore Firefox seems to store crucial data (passwords, primary password of the Firefox account) in an insecure way. Only the UI access to the data is protected by asking for the PIN. (But the PIN is not suitable for encrypting data: it is not a strong password and it is (hopefully) not known to any app.) Also, if the file system of the mobile is encrypted, backups of the files transferred to the desktop computer are not encrypted without further user action.

Device information

See also:

Reasoning, why securing confidential data by an encrypted disk isn't enough: https://github.com/mozilla-mobile/fenix/issues/15147#issuecomment-694100122

Martin Schöttler matique UG (haftungsbeschränkt) Kochel a. See, Germany

jhugman commented 3 years ago

Firefox Lockwise relies on the available device security, prompting for the biometric (fingerprint or face match), PIN code or password set in the settings app of your device.

During set up, Lockwise encourages you to set up these things if they have not already been set up. It appears you have PIN set up.

While the app is unlocked (not just the device), data is available via an encrypted SQLCipher database, which provides strong and transparent encryption to an SQLite database. When the app is locked, in-memory data from that database is purged, the database is closed and the key to decrypt the database is also purged from memory.

The database key is stored in Android's keystore system. Your PIN gets the database key from the keystore, and that key unlocks the database.

While this database key is not available, offline attacks (e.g. where you copy the database file to another computer to exploit it) become extremely difficult. We are confident in the integrity of the data-at-rest.

Because Lockwise uses the device's authentication machinery, it also comes with some of the protections against brute-forcing (PKDF, exponential backoffs, etc). I am not an expert in this particular subsystem, so forgive me for not going into detail. If you lose control of your device, then this will be the thing to worry about. Reading through this guide, it seems if

  1. you have a recent Android phone (>5.0) AND
  2. don't enable ADB AND
  3. don't use a third-party lockscreen AND
  4. still control your Gmail account, AND
  5. haven't rooted your device,

you should be good to go.

On the whole, we trust that 1-5 are true for the mainstream of our users.

You documented your assumption that the primary password (né master password) is supposed to be protecting your Firefox Account. This assumption is inaccurate: it is protecting the app that uses the account, rather than the account itself.

Because of the prevalence of strong device protections which can be re-used by apps, the complexity of adding a primary password (over and above your username/password for the Firefox Account) and that very very few people use the primary password feature, I believe that this is unlikely to be implemented on Android or iOS.

You might be interested in the following articles, which explain sync security better than I can:

  1. Private by design: How we built sync
  2. New password features come to Firefox with Lockwise

Thank you for your feedback.
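As an added illustration of the design described in the comment above (example code, not Lockwise's own), a Keystore-resident AES key that can only be used after device authentication wraps the random SQLCipher database key, and the unwrapped key is purged from memory when the app locks. The class name `DbKeyVault`, the key alias and the 30-second authentication validity window are assumptions; the bytes returned by `unlock` are what would be handed to SQLCipher when opening the database.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper: an AES key that lives in the Android Keystore and is only
// usable after device authentication wraps the (random) SQLCipher database key.
// The unwrapped database key is held in memory only while the app is unlocked.
class DbKeyVault(private val alias: String = "db-key-wrapper") {
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    private var dbKey: ByteArray? = null   // plaintext DB key, null while locked
    // Create the wrapping key once; its key material never leaves the Keystore.
    fun ensureWrappingKey() {
        if (keyStore.containsAlias(alias)) return
        val spec = KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)              // PIN/biometric gates every use
            .setUserAuthenticationValidityDurationSeconds(30) // API 30+: setUserAuthenticationParameters
            .build()
        KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }
    private fun wrappingKey(): SecretKey = keyStore.getKey(alias, null) as SecretKey
    // First run: generate a 32-byte DB key and return it wrapped as IV || ciphertext.
    // Only the wrapped form is persisted; the plaintext is zeroed right away.
    fun createWrappedDbKey(): ByteArray {
        val raw = ByteArray(32).also { SecureRandom().nextBytes(it) }
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, wrappingKey())
        val wrapped = cipher.iv + cipher.doFinal(raw)
        raw.fill(0)
        return wrapped
    }
    // Unlock: unwrap the DB key. Throws UserNotAuthenticatedException if the user has
    // not authenticated recently, so the caller must prompt for the device credential.
    fun unlock(wrapped: ByteArray): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, wrappingKey(), GCMParameterSpec(128, wrapped.copyOfRange(0, 12)))
        return cipher.doFinal(wrapped, 12, wrapped.size - 12).also { dbKey = it }
    }
    // Lock: close the SQLCipher database first, then wipe the plaintext key.
    fun lock() { dbKey?.fill(0); dbKey = null }
}
```

An offline copy of the database file and the wrapped key blob is useless without the Keystore-resident wrapping key, which is the data-at-rest property the comment above relies on.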

martin-schoettler commented 3 years ago

Hi jhugman,

Thank you for your reply.

As written in https://github.com/mozilla-mobile/fenix/issues/15147#issuecomment-694269654, I think I now understand the principle of how the Android Keystore works and think that it may be secure enough to also be used for storing important keys. Therefore I have already closed issue 15147 and can close this issue too.