Mozilla is set to add a feature to its mobile Firefox OS that will give users the ability to revoke any application’s permissions on a granular basis.
Firefox OS is the open source operating system that Mozilla built for smartphones. The software runs on a variety of devices from manufacturers such as Alcatel, ZTE and LG. The devices mainly are available outside of the United States, although there’s at least one Firefox OS phone sold in the U.S. The operating system is meant to be flexible and includes many of the security and privacy features that Mozilla has built into the Firefox browser over the years, namely support for Do Not Track.
One of the features of Firefox OS is an app permission function that enables users to decide what behaviors they want to allow for a given app. So a user will get a prompt when an app is attempting to perform a certain kind of action and then decide whether to allow it.
“The security model of Firefox OS is based on contextual prompts. So for APIs that are understandable and human meaningful like geolocation, using the camera or recording audio the OS will prompt the user. You can save & remember these choices and later revisit them in the Settings app under ‘App Permissions’. You may set them to Allow, Prompt, or Deny,” said Frederik Braun, a Mozilla security engineer.
For more technical users, Mozilla is adding a new setting that will enable them to see more specific information about app permissions and make more informed decisions about the way that apps behave on the phone.
“Starting with Firefox 2.1, you may activate the developer settings and tick the checkbox near ‘Verbose App Permissions’. The typical list in the Settings app will then show you all the permissions an app has and allows you to set them to Allow, Prompt or Deny. This feature, however, only targets the Privileged apps. These are apps that come through the Marketplace. For now, we can not revoke permissions for the built-in apps (the permission set() call throws),” Braun said.
The behavior of mobile apps can be opaque a lot of the time, and users often will simply allow apps to have whatever permissions they request, just for convenience or expediency. This change in Firefox OS will give users better visibility into what’s going on under the covers with app permissions, but Braun warned that it may have some unintended consequences.
“Beware that you may break the app that you wish to contain – just because it is not designed to cope with failure. Some APIs are designed with an asynchronous request/response pattern. These will likely work fine and not throw an unrecoverable exception. But it still means that the developer has had to set an error handler, or the app might be indefinitely stuck in a waiting state,” he said.