Privacy/Reviews/AndroidSystemStorage

Document Overview

Feature/Product: Use System Storage on Android
Projected Feature Freeze Date: Q4 2011
Product Champions: Doug Turner
Privacy Champions: Sid Stamm, Ian Melven
Security Contact: Curtis Koenig
Document State: [NEW]


Timeline:

Architectural Overview: 2-Nov-2011
Recommendation Meeting: (date TBD)
Review Complete ETA: tbd

Architecture

In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.

The main objective of this feature/product is: to use the Android System database for storing sync data (bookmarks, history, form data, etc). This allows users to keep their data portable to all apps on the phone.

Design Documents: TODO: Link to any design or architectural documents or bugs here.

Components

There are three major parts to this system: third-party applications (including the Google Sync Service), Firefox Mobile, and the Android System Storage.

Firefox Mobile

This component is the mobile browser application on Android (Fennec, or branded as Mozilla Firefox for Android). Within Fennec, we may ship a sync client (Mozilla Sync or Weave). Mozilla Sync will automatically merge passwords, bookmarks, and history across Mozilla applications. On Android, there can also be a Google sync client which does the same for Google applications (e.g., syncing Chrome on the desktop to the default Android browser).

Stored Data:

The data stored in the browser will be kept in the Android Operating System's system storage. These databases are automatically accessible by the system default browser (and other apps) and synchronized with the phone owner's Google account.

What                                           Where
bookmarks, history, passwords, form fill data  in memory (decrypted/recorded), temporarily


Communication with Sync Service

Firefox Mobile communicates with sync services as a sync client. The information it transmits is encrypted before transmission and the decryption key is not available to the Sync Service.

For details see http://docs.services.mozilla.com/storage/apis-1.1.html#apis -- this review documents only the bits of the API involved with storage of data in Android System Storage.

Direction  Message                                 Data                                                                       Notes
In         return from GET /storage/collection/id  encrypted sync object (bookmark, history item, form data, password, etc.)  -
In         return from GET /storage/collection     metadata about the user's data objects on the server                       -
Out        GET /storage/collection/id              sync object identifier (unique object ID)                                  -
Out        GET /storage/collection                 optional parameters for filtering the query (see the API)                  -

Communication with Android System Storage

Android System Storage is used as a database for keeping various bits of browser data. It is a common database used by multiple applications.

Direction  Message    Data                                                                     Notes
In         getData    browser data object (bookmark, history item, form data, password, etc.)  -
Out        storeData  browser data object (bookmark, history item, form data, password, etc.)  -


Sync Service (external)

This (external) component provides synchronization services for Firefox. The data on the server is kept encrypted, and synchronized with Firefox on mobile and desktop. For the purpose of this review, this Sync Service is a data provider for Firefox Mobile.

Stored Data:

The data stored in the Sync Service are all encrypted with a key that is not available to the service (it is kept on the clients).

What                                           Where
bookmarks, history, passwords, form fill data  Mozilla sync server


Communication with Firefox Mobile

(See above section on Firefox Mobile for details of communication)


Android System Storage (external)

The Android System Storage is a common database in the Android OS. All apps given access to this storage have the ability to read/write things like browser history and bookmarks. Firefox on Android will use this storage service to keep in sync with the default browser on the device (as well as any other apps that consume or create this data).

Stored Data:

There is a lot of data in this (third-party) system, but for our purposes it will be storing browser data. This data is automatically accessible by the system default browser (and other apps) and synchronized with the phone owner's Google account.

What                                           Where
bookmarks, history, passwords, form fill data  on device, potentially synced to the cloud via the Google account and other apps

Communication with Firefox Mobile

(See above Firefox Mobile section for details)

User Data Risk Minimization

In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.

Areas of Risk

  • Possibility of syncing user data to Google
  • No current option to not use system storage

Alignment with Privacy Operating Principles

In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.

See Also: Privacy/Roadmap_2011#Operating_Principles

Principle: Transparency / No Surprises

Users are going to be upgraded from the previous release of Firefox to the Native UI/Birch release. If they have enabled Google sync, they will be opted in without notice to having their Firefox for Android browsing data synced to Google. Users may also be using Firefox specifically to avoid system storage, and will be opted in to using it when upgraded to the Birch release. Additionally, users may sync their Firefox data from Mozilla Sync; this data will then be stored in the system store and synced to Google, violating the guarantees that Mozilla Sync makes about data not being accessible by anyone else, even Mozilla.

Recommendations (what can be improved):

  • Option to store data apart from the global store. That is, do not use the global system services to store history, bookmarks, and passwords; instead, keep them hidden from the rest of the phone and discourage data sharing on the device.
  • If users are going to be essentially opted in to the new UI and to using system storage, there needs to be explicit messaging that they may need to take action to opt out of having their Firefox for Android data synced to Google (if they have their phone configured to sync data to Google, which many users will).
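The following is an added example, not code from the review or from Firefox, Mozilla Sync or Android. It models the data flow described in the Architecture section (encrypted sync objects fetched from the Sync Service, decrypted on the client, written to system storage) and the risk stated under Transparency / No Surprises: the Sync Service never sees plaintext, but once a record is written to the shared Android store, any other app granted access (here a hypothetical "other-sync-app" standing in for a Google sync consumer) can read it. Toggling the first recommendation above (an app-private store) closes that path. The cipher is a toy HMAC-SHA256 keystream used only to make "encrypted sync object" concrete; it is not the Sync crypto and not for production use. The bookmark record is constructed sample data.

```python
"""Data-flow model of Firefox Mobile, the Sync Service and Android System
Storage (added example; assumptions: toy cipher, hypothetical app names)."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Client-side encryption of a sync object; the key never leaves the clients."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class SyncServer:
    """External Sync Service: stores encrypted sync objects, never holds the key."""

    def __init__(self):
        self.collections = {}

    def put(self, collection: str, obj_id: str, blob: bytes) -> None:
        self.collections.setdefault(collection, {})[obj_id] = blob

    def get(self, collection: str, obj_id: str) -> bytes:
        # Stands in for GET /storage/collection/id: returns the encrypted object.
        return self.collections[collection][obj_id]

    def sees_plaintext(self, needle: bytes) -> bool:
        """Would a search of everything the server holds find this plaintext?"""
        return any(needle in blob for coll in self.collections.values() for blob in coll.values())


class SharedSystemStore:
    """Android System Storage: one database, readable by every app granted access."""

    def __init__(self):
        self.rows = {}

    def store_data(self, key: str, value: dict) -> None:   # storeData in the table above
        self.rows[key] = value

    def read_all_as(self, app: str) -> dict:               # getData by any permitted app
        return dict(self.rows)   # access is per permission, not per owning app


class PrivateStore(SharedSystemStore):
    """Recommended alternative: an app-private database other apps cannot open."""

    def __init__(self, owner: str):
        super().__init__()
        self.owner = owner

    def read_all_as(self, app: str) -> dict:
        return dict(self.rows) if app == self.owner else {}


class FirefoxClient:
    """Sync client holding the decryption key and a local browser-data store."""

    def __init__(self, key: bytes, store: SharedSystemStore):
        self.key, self.store = key, store

    def push(self, server: SyncServer, collection: str, obj_id: str, record: dict) -> None:
        server.put(collection, obj_id, encrypt(self.key, json.dumps(record).encode()))

    def pull(self, server: SyncServer, collection: str, obj_id: str) -> dict:
        record = json.loads(decrypt(self.key, server.get(collection, obj_id)))
        self.store.store_data(f"{collection}/{obj_id}", record)   # plaintext lands here
        return record


def run_scenario(use_private_store: bool) -> dict:
    """Desktop pushes a bookmark through Sync; mobile pulls it into its store.
    Reports what the server and a hypothetical third-party app can read."""
    key = secrets.token_bytes(32)                  # shared by the user's clients only
    server = SyncServer()
    mobile_store = PrivateStore("firefox") if use_private_store else SharedSystemStore()
    desktop = FirefoxClient(key, PrivateStore("firefox-desktop"))
    mobile = FirefoxClient(key, mobile_store)
    bookmark = {"title": "Intranet", "url": "https://intranet.example/private"}  # constructed
    desktop.push(server, "bookmarks", "b1", bookmark)
    mobile.pull(server, "bookmarks", "b1")
    return {
        "server_sees_plaintext": server.sees_plaintext(b"intranet.example"),
        "third_party_sees": mobile_store.read_all_as("other-sync-app"),  # hypothetical app
    }


if __name__ == "__main__":
    print("shared store :", run_scenario(False))
    print("private store:", run_scenario(True))
```

Run as-is to compare the two configurations: in both the server result is `False`, but only the private store leaves the third-party view empty, which is the concrete form of the guarantee the review says is at stake.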

Principle: Real Choice

Recommendations:

Principle: Sensible Defaults

Recommendations:

Principle: Limited Data

Recommendations:

Follow-up Tasks and tracking

What                               Who  Bug  Details
[NEW] Initial Overview Discussion  ?    -    Meeting time TBD