Revoke App Permissions on Firefox OS

On Firefox OS (FxOS), every app has its own set of permissions. The operating system makes sure that an app may only do things that are requested in the app manifest. Some of these permissions are always set to Ask. Sometimes just because the web platform is built this way. A common example is the geolocation permission:

geolocation prompt

There's also the Alarms API, for example. It allows applications to get opened at a specific time. There is nothing inherently bad with precise alarm functions that honor timezones (or not). But it is hard to know what the App will do with it. This gets exceedingly difficult to explain to users, especially when it comes to technical terms and features like the tcp-socket permission.

The security model of Firefox OS is based on contextual prompts. So for APIs that are understandable and human meaningful like geolocation, using the camera or recording audio the OS will prompt the user. You can save & remember these choices and later revisit them in the Settings app under "App Permissions". You may set them to Allow, Prompt, or Deny.

For simplicity's sake, all permissions default to something that the inventor's of these APIs deemed safe. For tcp-sockets and alarms this is Allow. For geolocation it's Prompt. If you want to know more about the default permission settings, the App Manager can show you how the table looks like for your phone. Here's an excerpt generated on my Flame device on FxOS 2.0:

permissions table

But what if you are tech savvy? What if you do want to revoke or be asked for permissions that are a bit hard to explain?

To bridge this gap and empower tech savvy & paranoid privacy enthusiasts, I have created a developer settings that shows a verbose app permissions list. It enhances the normal App Permissions panel of the Settings app.

Starting with Firefox 2.1, you may activate the developer settings and tick the checkbox near "Verbose App Permissions". The typical list in the Settings app will then show you all the permissions an app has and allows you to set them to Allow, Prompt or Deny. This feature, however, only targets the Privileged apps. These are apps that come through the Marketplace. For now, we can not revoke permissions for the built-in apps (the permission set() call throws).

Beware that you may break the app that you wish to contain - just because it is not designed to cope with failure. Some APIs are designed with an asynchronous request/response pattern. These will likely work fine and not throw an unrecoverable exception. But it still means that the developer has had to set an error handler, or the app might be indefinitely stuck in a waiting state.

Other posts

  1. Challenge Write-up: Subresource Integrity in Service Workers
  2. Finding the SqueezeBox Radio Default SSH Passwort
  3. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`)
  4. Firefox OS apps and beyond
  5. Teacher's Pinboard Write-up
  6. A CDN that can not XSS you: Using Subresource Integrity
  7. The Twitter Gazebo
  8. German Firefox 1.0 ad (OCR)
  9. My thoughts on Tor appliances
  10. Subresource Integrity
  11. Revoke App Permissions on Firefox OS
  12. (Self) XSS at Mozilla's internal Phonebook
  13. Tales of Python's Encoding
  14. On the X-Frame-Options Security Header
  15. html2dom
  16. Security Review: HTML sanitizer in Thunderbird
  17. Week 29 2013
  18. The First Post