[tor-bugs] #21863 [Applications/Tor Browser]: Ensure proxy safety on Android

Wed Jun 20 23:25:52 UTC 2018

#21863: Ensure proxy safety on Android
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  sysrqb
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, tbb-7.0-must, tbb-       |  Actual Points:
  proxy-bypass, TorBrowserTeam201806             |
Parent ID:  #5709                                |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------
Changes (by sysrqb):

 * status:  new => accepted
 * owner:  tbb-team => sysrqb

Comment:

 Auditing the code for network connections. On my first pass I see Mozilla
 already plugged many proxy-bypass calls. Most of the remaining instances
 are within the Firefox Accounts code. The telemetry code and mozstumbler
 have bypass bugs, too. We don't use telemetry, so that should not be a
 problem, but we will plug this hole when we patch the FxA bug. We should
 exclude mozstumbler at compile-time.

 The main problem is in
 `mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java`.
 After many layers, I believe the bypass happens in
 `mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java`.
 In addition, both
 `mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLConnectionSocketFactory.java`
 and
 `mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ssl/SSLSocketFactory.java`
 leak. These should be solved in #22170.

 || File || Analysis ||
 ||
 mobile/android/base/java/org/mozilla/gecko/telemetry/TelemetryUploadService.java
 || Proxy-bypass by  BaseResource ||
 ||
 mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java
 || Proxy-bypass in makeConnection(), check UAS passed into constructor ||
 ||
 mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/UdpDataSource.java
 || Proxy-bypass, creates UDP socket ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/FxAccountClient20.java
 ||  Check FxAccount UserAgent, Check how now() is used, Proxy-bypass using
 BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/oauth/FxAccountOAuthClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/profile/FxAccountProfileClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient10.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient20.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/push/autopush/AutopushClient.java
 || Proxy-bypass using BaseResource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/MetaGlobal.java
 || Likely Proxy-bypass, Check SyncStorageRecordRequest ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRecordRequest.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRequest.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java
 || Possible Proxy-bypass via
 ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.createSocket() ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/downloaders/BatchingDownloader.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/uploaders/RecordUploadRunnable.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/EnsureCrypto5KeysStage.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/FetchInfoCollectionsStage.java
 || Likely Proxy-bypass ||
 ||
 mobile/android/services/src/main/java/org/mozilla/gecko/tokenserver/TokenServerClient.java
 || Proxy-bypass via Resource ||
 ||
 mobile/android/stumbler/java/org/mozilla/mozstumbler/service/utils/AbstractCommunicator.java
 || Proxy-bypass by URL.openConnection() ||

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21863#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online