Privacy/Reviews/AndroidSystemStorage

From MozillaWiki

Document Overview

Feature/Product: Use System Storage on Android
Projected Feature Freeze Date: Q4 2011
Product Champions: Doug Turner
Privacy Champions: Sid Stamm, Ian Melven
Security Contact: Curtis Koenig
Document State: [DROPPED] postponed until 2012


Timeline:

Architectural Overview: 2-Nov-2011
Recommendation Meeting: (date TBD)
Review Complete ETA: tbd

Architecture

In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.

The main objective of this feature/product is: to use the Android System database for storing sync data (bookmarks, history, form data, etc). This allows users to keep their data portable to all apps on the phone.

Design Documents: TODO: Link to any design or architectural documents or bugs here.

Components

There are three major parts to this system: the third party applications including the Google Sync Service, Firefox Mobile, and the Android System Storage.

[Figure: DFD-AndroidSystemStorage.png (data flow diagram of the three components)]

Firefox Mobile

This component is the mobile browser application on Android (Fennec, branded as Mozilla Firefox for Android). Within Fennec, we may ship a sync client (Mozilla Sync or Weave). Mozilla Sync automatically merges passwords, bookmarks, and history across Mozilla applications. On Android, there can also exist a Google sync client which does the same for Google applications (e.g., syncing Chrome on the desktop to the default Android browser).

Stored Data:

The data stored in the browser will be kept in the Android Operating System's system storage. These databases are automatically accessible by the system default browser (and other apps) and synchronized with the phone owner's Google account.

What                                          | Where
bookmarks, history, passwords, form fill data | in memory (decrypted/recorded), temporarily.


Communication with Sync Service

Firefox Mobile communicates with sync services as a sync client. The information it transmits is encrypted before transmission and the decryption key is not available to the Sync Service.

For details see http://docs.services.mozilla.com/storage/apis-1.1.html#apis -- this review documents only the bits of the API involved with storage of data in Android System Storage.

Direction | Message                                | Data                                                                     | Notes
In        | return from GET /storage/collection/id | encrypted sync object (bookmark, history item, form data, password, etc) |
In        | return from GET /storage/collection    | metadata about the users' data objects on the server                     |
Out       | GET /storage/collection/id             | sync object identifier (unique object ID)                                |
Out       | GET /storage/collection                | optional parameters for filtering the query (see the API)                |
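As an added illustration, not Mozilla's client or server code, the following Python model walks one bookmark through the GET /storage/collection and GET /storage/collection/id exchange above with the key held only by the client. The class and function names are assumptions, and the HMAC-SHA256 keystream stands in for Sync's real AES-256-CBC record encryption because the standard library has no AES; what it demonstrates is the data flow and the property that the Sync Service's own stored view never contains plaintext.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, iv, length):
    """Expand key and IV into `length` bytes with HMAC-SHA256 in counter mode.
    Stand-in for AES (assumption: stdlib only); not Sync's real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class SyncClient:
    """Firefox Mobile's side: holds the key, so only ciphertext leaves the device."""

    def __init__(self, sync_key):
        # Separate encryption and authentication keys derived from the user's key.
        self.enc_key = hmac.new(sync_key, b"encrypt", hashlib.sha256).digest()
        self.mac_key = hmac.new(sync_key, b"hmac", hashlib.sha256).digest()

    def encrypt_record(self, record):
        plaintext = json.dumps(record, sort_keys=True).encode()
        iv = secrets.token_bytes(16)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, iv, len(plaintext)))
        tag = hmac.new(self.mac_key, iv + ciphertext, hashlib.sha256).hexdigest()
        return {"iv": iv.hex(), "ciphertext": ciphertext.hex(), "hmac": tag}

    def decrypt_record(self, payload):
        iv = bytes.fromhex(payload["iv"])
        ciphertext = bytes.fromhex(payload["ciphertext"])
        expected = hmac.new(self.mac_key, iv + ciphertext, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, payload["hmac"]):
            raise ValueError("HMAC mismatch: wrong key or tampered record")
        return json.loads(_xor(ciphertext, _keystream(self.enc_key, iv, len(ciphertext))))


class SyncServer:
    """Sync Service side: stores opaque payloads and never holds a key."""

    def __init__(self):
        self.collections = {}

    def put(self, collection, obj_id, payload, modified):
        self.collections.setdefault(collection, {})[obj_id] = {
            "id": obj_id, "modified": modified, "payload": payload}

    def get_collection(self, collection, newer=0.0):
        # GET /storage/collection: metadata (ids and timestamps) only.
        return [{"id": o["id"], "modified": o["modified"]}
                for o in self.collections.get(collection, {}).values()
                if o["modified"] > newer]

    def get_object(self, collection, obj_id):
        # GET /storage/collection/id: one encrypted sync object.
        return self.collections[collection][obj_id]


def run_exchange():
    """Walk one bookmark through the exchange and report what each side can see."""
    # Constructed sample record; not real user data.
    bookmark = {"id": "bm-0001", "title": "Example", "bmkUri": "https://example.org/secret-page"}
    client = SyncClient(secrets.token_bytes(32))
    server = SyncServer()

    # Out: the client uploads an encrypted object under its object id.
    server.put("bookmarks", bookmark["id"], client.encrypt_record(bookmark), modified=1.0)

    # In: metadata about the user's objects, then the encrypted object itself.
    metadata = server.get_collection("bookmarks", newer=0.5)
    fetched = server.get_object("bookmarks", metadata[0]["id"])
    restored = client.decrypt_record(fetched["payload"])

    # Everything the Sync Service could read by inspecting its own database.
    server_view = json.dumps(server.collections)

    # A client holding a different key cannot decrypt the same object.
    try:
        SyncClient(secrets.token_bytes(32)).decrypt_record(fetched["payload"])
        other_key_failed = False
    except ValueError:
        other_key_failed = True

    return {
        "metadata_ids": [m["id"] for m in metadata],
        "restored_matches": restored == bookmark,
        "url_visible_to_server": "secret-page" in server_view,
        "other_key_failed": other_key_failed,
    }
```

Calling run_exchange() returns a summary dict; the interesting entries are url_visible_to_server (False, since the server only ever holds ciphertext) and other_key_failed (True, since the HMAC check rejects a record decrypted under the wrong key).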

Communication with Android System Storage

Android System Storage is used as a database for keeping various bits of browser data. It is a common database used by multiple applications.

Direction | Message   | Data                                                               | Notes
In        | getData   | browser data object (bookmark, history item, form data, password, etc) |
Out       | storeData | browser data object (bookmark, history item, form data, password, etc) |


Sync Service (external)

This (external) component provides synchronization services for Firefox. The data on the server is kept encrypted, and synchronized with Firefox on mobile and desktop. For the purpose of this review, this Sync Service is a data provider for Firefox Mobile.

Stored Data:

The data stored in the Sync Service are all encrypted with a key that is not available to the service (it is kept on the clients).

What                                          | Where
bookmarks, history, passwords, form fill data | Mozilla sync server


Communication with Firefox Mobile

(See above section on Firefox Mobile for details of communication)


Android System Storage (external)

The Android System Storage is a common database in the Android OS. All apps given access to this storage have the ability to read/write things like browser history and bookmarks. Firefox on Android will use this storage service to keep in sync with the default browser on the device (as well as any other apps that consume or create this data).

Stored Data:

There is a lot of data in this (third party) system, but for our purposes it will be storing browser data. This data is automatically accessible by the system default browser (and other apps) and synchronized with the phone owner's Google account.

What                                          | Where
bookmarks, history, passwords, form fill data | On device, potentially synced to the cloud via Google account and other apps.

Communication with Firefox Mobile

(See above Firefox Mobile section for details)

User Data Risk Minimization

In this section, areas of user data risk are identified and recommendations made for minimizing the risk.

Unintended Dissemination of User Data

The risk is the possibility of syncing user data to Google or other third party services unexpectedly or undesirably to the user, via storing bookmarks, history, etc. in the Android system store. The third party services mentioned here are those connected to the user's phone by installed apps that access the system store -- one of which is Google (sync).

Requirement: There must be explicit messaging that users may need to take action to opt out of having their Firefox for Android data synced to Google or other third parties. (If they have their phone configured to sync data to Google, which many users will - the change to using system storage and its implications must be communicated loudly and clearly to avoid user surprise).

Recommendation: Provide an option to store data separate from the globally accessed store. When enabled, this feature would not use the global system services to store history, bookmarks, and passwords but instead hide them from the rest of the phone and discourage cross-app data sharing on the device. Consider this separate data store as the default storage for Firefox for Android and have users opt in to using system storage.

Resolution:
[ON TRACK] bug 704490 in progress for local (non-systemwide) bookmark/history databases. Also should default to this local alternative.

Update and Profile Data Migration

The risk is that when users are updated to the new version from a version of Firefox that did not use the system storage service, their data will be copied unintuitively into the shared system databases without the user's knowledge or consent.

Requirement: Any migration of data must be explicitly authorized by the user via consent dialog. ("Would you like to transfer your sync bookmarks into the system DB? If you do this, X and Y will happen. [Yes] [No]")

Recommendation: Migration should not happen automatically. Updating to the new version of Firefox should create a clean profile. Consider offering users a way to pull in their data from Sync, giving information about the potential side-effects of doing this in whatever disclosure explains how to do it.

Resolution:
[NEW] Confirm this: when users update Firefox, it does not migrate the data (starting with a clean profile)
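The following Python model, added here and not part of Fennec or bug 704490, shows the policy the two sections above describe: a profile-private store as the default, system storage only by opt-in, and a migration that copies nothing unless the user has consented. The class names (SystemStore, LocalStore, FirefoxMobile, OtherApp) and the Google sync observer are assumptions used to make the visibility difference between the two stores concrete.

```python
class SystemStore:
    """Android system storage as modelled here (assumption): readable by every app
    granted the browser permission, and mirrored to the owner's Google account when
    Google sync is on, which is the dissemination risk this review is about."""

    def __init__(self, google_sync_enabled):
        self.rows = []
        self.google_sync_enabled = google_sync_enabled
        self.synced_to_google = []  # what Google sync would have picked up

    def store(self, row):
        self.rows.append(row)
        if self.google_sync_enabled:
            self.synced_to_google.append(row)

    def read_all(self):
        return list(self.rows)


class LocalStore:
    """Profile-private database: only Firefox (and other Mozilla apps) can open it."""

    def __init__(self):
        self.rows = []

    def store(self, row):
        self.rows.append(row)

    def read_all(self):
        return list(self.rows)


class FirefoxMobile:
    def __init__(self, system_store, use_system_storage=False):
        # Sensible default: keep data local; the user opts in to system storage.
        self.system_store = system_store
        self.local_store = LocalStore()
        self.use_system_storage = use_system_storage

    def _target(self):
        return self.system_store if self.use_system_storage else self.local_store

    def add_bookmark(self, url, title):
        self._target().store({"type": "bookmark", "url": url, "title": title})

    def add_history(self, url):
        self._target().store({"type": "history", "url": url})

    def migrate_to_system_storage(self, user_consented):
        """Copy the local profile into the shared store only after an explicit
        consent dialog; return how many rows were copied."""
        if not user_consented:
            return 0
        moved = 0
        for row in self.local_store.read_all():
            self.system_store.store(row)
            moved += 1
        self.use_system_storage = True
        return moved


class OtherApp:
    """Any other app on the device that reads the shared browser tables."""

    def __init__(self, system_store):
        self.system_store = system_store

    def visible_urls(self):
        return [row["url"] for row in self.system_store.read_all()]


def run_scenario():
    """Exercise the default, a declined migration, and a consented one."""
    system = SystemStore(google_sync_enabled=True)
    other_app = OtherApp(system)
    firefox = FirefoxMobile(system)  # default: local store

    # Constructed sample data; not real browsing data.
    firefox.add_bookmark("https://example.org/private-wiki", "Private wiki")
    firefox.add_history("https://example.org/private-wiki/page1")

    result = {"visible_by_default": other_app.visible_urls()}
    result["moved_without_consent"] = firefox.migrate_to_system_storage(user_consented=False)
    result["visible_after_declined"] = other_app.visible_urls()
    result["moved_with_consent"] = firefox.migrate_to_system_storage(user_consented=True)
    result["visible_after_consent"] = other_app.visible_urls()
    result["copied_to_google"] = [row["url"] for row in system.synced_to_google]
    return result
```

run_scenario() returns the other app's view at each step: nothing is visible device-wide (or copied to Google) under the default or after a declined migration, and both rows appear only after the user consents, which is exactly the point at which the disclosure dialog from the requirement above must have been shown.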

Alignment with Privacy Operating Principles

In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.

See Also: Privacy/Roadmap_2011#Operating_Principles:

Principle: Transparency / No Surprises

Users are going to be upgraded from the previous release of Firefox to the Native UI/Birch release. If they have enabled Google sync, their data will automatically begin accumulating in a way that is archived by Google Sync. Users may potentially be using Firefox to avoid using this shared system storage, and this change may surprise them.

Additionally, users may sync their Firefox data from Mozilla Sync; this data would then be stored in the system store and possibly synced to Google, breaking expectations of where and how synced data is shared.

Requirement: Disclose this switch to Android System Storage to users who may not want to share their bookmarks and history outside of Firefox or Firefox Sync.

Recommendation: Provide an option to store data apart from the global store. That is, do not use the global system services to store history, bookmarks, and passwords; instead, hide them from the rest of the phone and discourage data sharing on the device. Have users opt in to using the system storage and syncing to Google if that's what they want.

Principle: Real Choice

In the initial shipping version of Firefox for Android, there is no option to store history and bookmarks outside or isolated from Android system storage. (There are plans to add this functionality after the initial release).

Recommendation: Provide an option to store data apart from the global store. (See above).

Principle: Sensible Defaults

Opting users in to using the system database on upgrade to the Native UI version of Firefox for Android is a sizable change from previous versions of Firefox for Android. While it makes sense to default to the Android System Storage

Requirement: Disclose this change in behavior to our users, and do not migrate their old profile data automatically. (See above).

Principle: Limited Data

Mozilla itself will not collect additional data in the Native UI version of Firefox for Android. Mozilla Sync will continue to be opt-in and configurable by the user. No actions are needed for this principle.


Resolution:
[NEW] Address requirements and recommendations for disclosures and defaults listed above.

Follow-up Tasks and tracking

What                                                                                    | Who                      | Bug        | Details
[DONE] Initial Overview Discussion                                                      | Doug, Ian, Sid           |            | Brief "hallway" chat.
[DONE] public call for comments                                                         | Sid                      |            | 7-Dec-2011 - post to dev.planning for input
[NEW] discuss recommendations with team                                                 | Sid / Ian / Mobile team  |            | 14-Dec or so
[ON TRACK] implement separate (local) bookmark/history DBs for access by only Mozilla apps | Mobile team           | bug 704490 | TBD
[NEW] default to local DBs for bookmarks and history, allow users to enable system storage | Mobile team           |            | TBD
[NEW] implement opt-in migration path for sync data to local or system DBs              | Mobile team              |            | TBD