[tbb-bugs] #24796 [Applications/Tor Browser]: Review all requested and required Android permissions
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 16 23:02:22 UTC 2018
#24796: Review all requested and required Android permissions
--------------------------------------+-----------------------------------
Reporter: sysrqb | Owner: tbb-team
Type: task | Status: needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile | Actual Points:
Parent ID: #26531 | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by sysrqb):
I commented-out some of the permissions.
Branch 26401_1+24796 (based on the last branch for #26401)
{{{
$ grep -n -e feature -e permission obj-arm-linux-
androideabi/gradle/build/mobile/android/app/intermediates/manifests/full/officialWithoutGeckoBinariesNoMinApiPhoton/debug/AndroidManifest.xml
3: <uses-permission
android:name="android.permission.ACCESS_NETWORK_STATE"/>
4: <uses-permission android:name="android.permission.INTERNET"/>
5: <uses-permission
android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
6: <uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE"/>
7: <uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
8: <uses-permission
android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
9: <uses-permission
android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"/>
10: <uses-permission
android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
11: <uses-permission android:name="android.permission.WAKE_LOCK"/>
12: <uses-permission android:name="android.permission.VIBRATE"/>
13: <uses-feature android:name="android.hardware.touchscreen"/>
14: <uses-permission
android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
15: <uses-feature android:required="true"
android:glEsVersion="0x00020000"/>
}}}
Permissions shown by Android:
{{{
Storage:
read the contents of your USB storage
modify or delete the contents of your USB storage
Other:
view network connections
have full network access
run at startup
install shortcuts
uninstall shortcuts
prevent phone from sleeping
control vibration
}}}
Remaining permissions we should consider excluding:
{{{
android.permission.ACCESS_NETWORK_STATE
android.permission.SYSTEM_ALERT_WINDOW
}}}
And, I think, if we do not include the updater then we can likely exclude:
{{{
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_EXTERNAL_STORAGE
}}}
I'm not sure what Fennec does when it receives the BOOT_COMPLETED intent.
I'm also not sure how it uses SYSTEM_ALERT_WINDOW.
I'll move READ_HISTORY_BOOKMARKS under the MOZ_ANDROID_LOCATION ifdef
guard for Fennec - including this permission likely breaks state
separation.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24796#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list