Security/Reviews/Mobile/Flash

From MozillaWiki
Items to be reviewed

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Goal is to enable Flash support on Android. Flash support is targeted to ship in Firefox 11 with the native UI.

What solutions/approaches were considered other than the proposed solution?

  • Kicking out to the stock browser
  • Sending Flash content to Swiffy
  • Rendering using a JS-based Flash replacement
  • Running Flash Player out of process, remoting the NPAPI to the JNI - an interface that didn't work prevented pursuing this approach

Why was this solution chosen?

  • Reverse engineered Adobe's and Google's extensions to the NPAPI
  • Implemented the parts required to render content
  • Honeycomb's drawing model not supported at this time so no Flash in Fennec on tablets at the current time

Any security threats already considered in the design and why?

none

Threat Brainstorming

  • Flash opens up the entire attack surface of the Flash Player
    • Does it run in our Fennec process? Yes, it has to so it can access the Java runtime of the Fennec process - so a Flash Player vulnerability/compromise on mobile results in compromise of our Fennec process
    • the threat model for Flash on mobile is the same as an in process Flash Player plugin was on desktop
    • Fennec asks the system about plugins and gets back a list of plugins - it then finds Flash Player in this list and loads it into the Fennec process
    • the NPAPI on Android is a lot more extensive than on the desktop - this means there are more ways to get potentially hostile data into the plugin from the browser (though not necessarily from content)
  • Flash needs storage for LSOs etc.
    • as part of the API, Fennec hands Flash Player a directory for local storage
    • this is in Fennec's application storage area - it has to be since the files need to be written by Fennec's process
  • Plugin updates
  • Click to play - Fennec is waiting for desktop to implement click to play before shipping Flash - we aren't concerned with potential issues with scriptable plugins on mobile currently
  • The install experience for plugins on Android is different from the desktop - it may be easier to get someone to install a plugin from the market etc.
    • the update experience is different also
    • updates/versions may be different on devices that ship with Flash Player as opposed to devices that install it from the market, e.g. 10.3 vs 11
  • Flash Player on Android requires more permissions to run, hence Fennec requires more permissions to load and use the Flash Player plugin - this means if the Fennec process is compromised the payload can use these extra permissions

Conclusions / Action Items

  • [imelven] dig into how Flash settings work on mobile. It's different on phones that ship with Flash in ROM (which may also ship with a Flash Player settings app) than ones that don't (no settings app, possibly use the Flash Player settings manager)