I use Firefox browser on my Android phone. And because I like to see new features early, I am using the beta version. A few days ago when I was prompted to update my beta to version 11: the new beta version wanted permissions to send and receive SMS messages.
This is not welcome news.
First, I can’t figure out why Firefox wants SMS permissions. How might web apps use this service? And how will Firefox police the use of SMS by web applications?
All I could find was one sentence “…device applications that go beyond the browser, like SMS messages.” in a Mozilla developer’s blog from late last year, and some internal bugs related to the feature in Mozilla’s bug tracker.
My other question is, won’t this feature make my phone more vulnerable to malicious attacks?
SMS sending permission on Android is mostly associated with malicious apps designed to steal your money by sending premium-rate SMS messages. Naked Security has written about such threats many times before.
Thankfully, Google typically detects and removes bad apps quickly from the marketplace.
In addition, Android users can protect themselves by checking the permissions list of any the apps they install, especially any from non-standard sources.
With the new SMS feature in the Firefox browser app, the bad guys now need only find a way to trick the browser into sending premium-rate SMS messages without your permission or knowledge.
I would hope that Firefox will ask you if you are sure when a website wants to send an SMS, but we know that users often click through such warnings, and if the malicious site is hosting a remote exploit designed to take over Firefox the warning can be neutralised.
I know that Firefox is trying to build a rich application with lots of cool features, and I applaud them for that. But every single new feature carries risk, and the benefit sometimes does not justify that risk.
My suggestion to Firefox is that in their standard builds for Android, the ability to send SMS messages is removed. And, if necessary, Firefox can make available a separate build that includes the feature but advises users clearly of the increased risk.
The guys behind Firefox should also be much more transparent about why they are including this new SMS feature in the Android incarnation of their browser.
There is also something that Google could do.
Currently, when you install an application, the Android operating system presents you with the list of permissions that the app requires, and asks you to confirm your authorisation before installation.
That’s all very good, but it’s only a binary choice without any granularity. For risky or expensive permissions, such as the ability to send an SMS text message, there needs to be a third option, where the user can insist that their approval is requested before each attempt to send an SMS.
This approach would boost the confidence users feel when installing applications with a legitimate need to send SMS messages, without the fear of a large bill due to a rogue or buggy application.
In the meantime I would advise everyone not to install this build of Firefox unless you have a clear need for the feature and fully understand the risks.
There is a bug in Mozilla’s bug tracker about this which is marked as fixed. It seems that Mozilla has realised that, for the moment at least, standard versions of Firefox should not have the ability to handle SMS messages, and they have fixed their source tree to remove the request for SMS permissions.
However, the version currently on the Android marketplace still wants SMS permission.
Just because it is fixed in Mozilla’s source tree does not mean the public will get it soon. Mozilla has a series of different staging versions, and it could take up to six weeks for a bug fix in the Mozilla source tree to propagate through to the Beta release.
Mozilla doesn’t classify this issue as a high priority or security bug, so they won’t push the fix through with any urgency. I disagree. As far as we know, this bug is not being actively being exploited, but it might not take much to do so, and the bad guys have a significant financial incentive to find an exploit – so no-one should be complacent.
I stand by my advice: Do not install this version of Firefox Beta.