Firefox for Android and SMS messages? A dangerous mix

Filed Under: Android, Featured, Mobile

I use the Firefox browser on my Android phone. And because I like to see new features early, I am using the beta version. A few days ago I was prompted to update my beta to version 11, and the new beta version wanted permission to send and receive SMS messages.

This is not welcome news.

First, I can't figure out why Firefox wants SMS permissions. How might web apps use this service? And how will Firefox police the use of SMS by web applications?

SMS Permissions

All I could find was one sentence "...device applications that go beyond the browser, like SMS messages." in a Mozilla developer's blog from late last year, and some internal bugs related to the feature in Mozilla's bug tracker.

My other question is, won't this feature make my phone more vulnerable to malicious attacks?

SMS sending permission on Android is mostly associated with malicious apps designed to steal your money by sending premium-rate SMS messages. Naked Security has written about such threats many times before.

Thankfully, Google typically detects and removes bad apps quickly from the marketplace.

In addition, Android users can protect themselves by checking the permissions list of any of the apps they install, especially any from non-standard sources.
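One way to make that check systematic, as an added example that is not part of the original post: a small Python script that reads a decoded AndroidManifest.xml and flags any permission that can cost the user money or expose their messages, SMS permissions included. The manifest below is constructed for illustration (the package name com.example.browser is a placeholder, not Firefox's manifest), and the list of permissions treated as costly is this example's own choice of well-known Android permissions.

```python
import xml.etree.ElementTree as ET

# The Android XML namespace used for attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions this check treats as costly or privacy-sensitive.  The SMS
# entries are the ones the post is about; CALL_PHONE is included because it
# carries the same premium-rate risk.  This set is the example's own choice.
COSTLY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls, including to premium-rate numbers",
}

# Permissions a browser legitimately needs; anything costly outside this set
# deserves a second look before installing.
EXPECTED_FOR_A_BROWSER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample manifest, in the decoded (plain XML) form that apktool
# produces.  It is NOT Firefox's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.browser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Example Browser"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the list of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        # Namespaced attributes are keyed as "{namespace}localname" in ElementTree.
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def package_name(manifest_xml):
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package")


def flag_costly(manifest_xml, expected=frozenset(EXPECTED_FOR_A_BROWSER)):
    """Map each costly permission the app requests (and which is not in the
    expected set) to a one-line explanation of why it matters."""
    return {
        perm: COSTLY_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in COSTLY_PERMISSIONS and perm not in expected
    }


def report(manifest_xml):
    """Human-readable summary; returns the lines so callers can assert on them."""
    lines = ["Package: %s" % package_name(manifest_xml)]
    flagged = flag_costly(manifest_xml)
    if not flagged:
        lines.append("No costly permissions requested.")
    for perm, why in sorted(flagged.items()):
        lines.append("WARNING: %s (%s)" % (perm, why))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST)))
```

An APK ships its manifest as binary XML, so decode it first (apktool writes a plain AndroidManifest.xml; `aapt dump permissions app.apk` lists the same names directly) and pass the result to `report`. On the constructed sample above the script warns about SEND_SMS and RECEIVE_SMS and accepts the two network permissions.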

With the new SMS feature in the Firefox browser app, the bad guys now need only find a way to trick the browser into sending premium-rate SMS messages without your permission or knowledge.

This might be done by luring you to tap on a link to a website containing JavaScript code to send SMS messages - perhaps via poisoned search-engine results.

I would hope that Firefox will ask you if you are sure when a website wants to send an SMS, but we know that users often click through such warnings, and if the malicious site is hosting a remote exploit designed to take over Firefox the warning can be neutralised.

I know that Firefox is trying to build a rich application with lots of cool features, and I applaud them for that. But every single new feature carries risk, and the benefit sometimes does not justify that risk.

My suggestion to Firefox is that in their standard builds for Android, the ability to send SMS messages is removed. And, if necessary, Firefox can make available a separate build that includes the feature but advises users clearly of the increased risk.

The guys behind Firefox should also be much more transparent about why they are including this new SMS feature in the Android incarnation of their browser.

There is also something that Google could do.

Currently, when you install an application, the Android operating system presents you with the list of permissions that the app requires, and asks you to confirm your authorisation before installation.

That's all very good, but it's only a binary choice without any granularity. For risky or expensive permissions, such as the ability to send an SMS text message, there needs to be a third option, where the user can insist that their approval is requested before each attempt to send an SMS.

This approach would boost the confidence users feel when installing applications with a legitimate need to send SMS messages, without the fear of a large bill due to a rogue or buggy application.

In the meantime I would advise everyone not to install this build of Firefox unless you have a clear need for the feature and fully understand the risks.

Update:

There is a bug in Mozilla's bug tracker about this which is marked as fixed. It seems that Mozilla has realised that, for the moment at least, standard versions of Firefox should not have the ability to handle SMS messages, and they have fixed their source tree to remove the request for SMS permissions.

However, the version currently on the Android marketplace still wants SMS permission.

Just because it is fixed in Mozilla's source tree does not mean the public will get it soon. Mozilla has a series of different staging versions, and it could take up to six weeks for a bug fix in the Mozilla source tree to propagate through to the Beta release.

Mozilla doesn't classify this issue as a high-priority or security bug, so they won't push the fix through with any urgency. I disagree. As far as we know, this bug is not being actively exploited, but it might not take much to do so, and the bad guys have a significant financial incentive to find an exploit - so no-one should be complacent.

I stand by my advice: Do not install this version of Firefox Beta.



5 Responses to Firefox for Android and SMS messages? A dangerous mix

  1. Firefox is obviously trying to push into new territory, but it clearly should not be done at the expense of security. Good point about Android permissions too!

  2. Jason · 790 days ago

    Perhaps the new SMS permission is why my Motorola WiFi Xoom is suddenly listed as no longer compatible with Firefox Beta. No mobile service, no SMS, I guess.
    I have been running Firefox Beta for months.
    After reading this blog post, I decided to see why I hadn't been prompted to upgrade a few days ago like you were.
    And now, Google Android Market says my Xoom is no longer compatible.

  3. gene · 789 days ago

    I use FF almost exclusively on my PC, downloaded the Android app and almost as soon uninstalled it; didn't know why, but it didn't feel right. Perhaps this is why. I won't allow any app that wants the access most do to my phone, so I'm pretty light on them. And going to stay that way...

  4. Lasa Bailey · 789 days ago

    Facebook does the same on the net (asks for permission to send as you). I turned that section off. It is a security flaw to allow anyone or any corporation permission to send as you, not to mention being just stupid on our part to allow it; most people do not even think about it.
    They are a big company! They will do the right thing! Right?
    yeh right!!!!
    I would not trust any company with such permissions, not even FireFox/Mozilla.


About the author

David Pottage is a senior systems engineer at Sophos. Prior to joining Sophos, he worked at Nokia for four years.