Mozilla is set to add a feature to its mobile Firefox OS that will give users the ability to revoke any application’s permissions on a granular basis.

Firefox OS is the open source operating system that Mozilla built for smartphones. The software runs on a variety of devices from manufacturers such as Alcatel, ZTE and LG. The devices mainly are available outside of the United States, although there’s at least one Firefox OS phone sold in the U.S. The operating system is meant to be flexible and includes many of the security and privacy features that Mozilla has built into the Firefox browser over the years, namely support for Do Not Track.

One of the features of Firefox OS is an app permission function that enables users to decide what behaviors they want to allow for a given app. So a user will get a prompt when an app is attempting to perform a certain kind of action and then decide whether to allow it.

“The security model of Firefox OS is based on contextual prompts. So for APIs that are understandable and human meaningful like geolocation, using the camera or recording audio the OS will prompt the user. You can save & remember these choices and later revisit them in the Settings app under ‘App Permissions’. You may set them to Allow, Prompt, or Deny,” said Frederik Braun, a Mozilla security engineer.

 For more technical users, Mozilla is adding a new setting that will enable them to see more specific information about app permissions  and make more informed decisions about the way that apps behave on the phone.

Mozilla is adding a new setting that will enable users to see more specific information about app permissions.

“Starting with Firefox 2.1, you may activate the developer settings and tick the checkbox near ‘Verbose App Permissions’. The typical list in the Settings app will then show you all the permissions an app has and allows you to set them to Allow, Prompt or Deny. This feature, however, only targets the Privileged apps. These are apps that come through the Marketplace. For now, we can not revoke permissions for the built-in apps (the permission set() call throws),” Braun said.

The behavior of mobile apps can be opaque a lot of the time, and users often will simply allow apps to have whatever permissions they request, just for convenience or expediency. This change in Firefox OS will give users better visibility into what’s going on under the covers with app permissions, but Braun warned that it may have some unintended consequences.

“Beware that you may break the app that you wish to contain – just because it is not designed to cope with failure. Some APIs are designed with an asynchronous request/response pattern. These will likely work fine and not throw an unrecoverable exception. But it still means that the developer has had to set an error handler, or the app might be indefinitely stuck in a waiting state,” he said.

Categories: Mobile Security, Privacy, Web Security

Comments (4)

  1. Chris
    1

    Sheesh, finally. Android’s disclosure of permissions is nice, but the only choice is to install the app or not. I hope this puts pressure on both Android and iOS (whose permissions system exists but has very few controllable items).

    Reply
    • Frederik
      3

      Firefox OS is currently incapable to control internet access on a per-app level. AFAIU this is a feature that *may* come in FirefoxOS 2.1. If this turns out implemented as a simple permission which denies to true for every app, the upcoming permission granularity would automagically apply.

      Reply
      • Daniel
        4

        Considering the trend that Google Play now don’t even disclose the Network permission anymore one could hope that FirefoxOS would go another route.

        On the other hand a web browser based might not even consider it until the end.

        Interesting, so far 2.1 does not mention internet permissions, where have you heard about the rumor that it might come?

        Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>