Open rfk opened 5 years ago
One potential blocker here is that lib-dataprotect requires Android 6.0+ (API 23+) instead of 5.0+ (API 21+) like our other components. It will be tough to convince the product team to drop ~17% of the market for this: https://developer.android.com/about/dashboards/

The current FxA integration stores the signin state in android shared preferences [1]. When we come to implement full sync support, this signin state will include the user's sync encryption keys and should therefore receive additional protection when stored on-disk.

IIUC, this "additional protection" is exactly the sort of thing that the dataprotect component [2] is designed for. Let's discuss how to apply dataprotect protections to the FxA login state data.

I want to learn more about using these components in practice, so I'm happy to have a go at implementing a prototype here. But I don't have any good sense of how to put the pieces together architecturally. Would it make sense for the FirefoxAccountsIntegration instance [3] to receive a dataprotect.Keystore instance with which it can encrypt its sensitive state?

[1] https://developer.android.com/reference/android/content/SharedPreferences
[2] https://mozilla-mobile.github.io/android-components/api/0.29.0/mozilla.components.lib.dataprotect/-keystore/index.html
[3] https://github.com/mozilla-mobile/reference-browser/blob/master/app/src/main/java/org/mozilla/reference/browser/browser/FirefoxAccountsIntegration.kt