Firefox Lockbox Now on Android, Keeping your Passwords Safe

Direct link - Archive link

The newest of Mozilla's security / privacy initiatives just got released for Android - a nice time to take a deeper look at it:

If you’re like most Firefox users, you have dozens if not hundreds of stored logins in your browser.

A bad security practice - https://www.bbva.com/en/internet-browsers-store-passwords-safely/ (archive)

When you use Firefox Accounts you get to take your logins on the web in Firefox Mobile.

An even worse one, since all the data is stored on Mozilla's servers. Anyway, what I really wanted to do here was to analyze if the Lockbox is as private as they claim. Fortunately, Mozilla has graciously provided us a simple document showing exactly what data is collected, so let's use it. From https://lockbox.firefox.com/privacy.html (archive):

Credential data. Your credentials are synced in encrypted form using Firefox Sync.

With unreliable, in-browser encryption, I might add.

Interaction data. Mozilla receives information about your interaction with Firefox Lockbox, including (1) frequency of editing, viewing, copying, and syncing credentials, (2) whether you are a new or existing Firefox Account user, (3) interactions with Firefox Lockbox menus and icons, (4) length of time the app is in background.

AKA tracking literally everything you do on the app. No different than the well-known trackers such as Google and Facebook which Mozilla proudly speaks against.

Technical data. We receive your device, operating system, version, and language preference. We also receive your IP address in connection with your usage of a Firefox Account.

Add to that all the data about your machine. Is there anything left to track? Sure is - from https://github.com/mozilla-lockbox/lockbox-android/blob/master/docs/metrics.md (archive), we learn that they track pretty much every move possible, including when you:

Tap a credential in the credential list [...] Copy a credential to the clipboard [...] Autofill a credential stored in Lockbox into another app [...] Sync their credentials from the Firefox desktop browser [...]

As well as general patterns from all the users combined. Nothing is left except the passwords themselves, then (but can we really trust their unreliable in-browser encryption?). As we can see, another one of Mozilla's so-called privacy initiatives fails the sniff test. And, of course, the title already contains the shady marketing Mozilla is famous for.

But let us go beyond shitty Mozillaware for now. Should we really be using "services" like these at all? Sure they are convenient, but at what cost? Convenience is one of the biggest diseases of the modern world - the lack of challenge / effort required stuns mental acuity IMO. Not that we should suffer unnecessarily - but is it really such a problem to actually remember all your passwords? You have a head for a reason and it's the only place out there that is truly secure (no one's going to crack your skull for the passwords ^_^). Often, the newfangled "convenient" solutions end up being worse over the long run than the old reliables. We can already see that with the "web frameworks" for example - no one can make a website directly in HTML / basic CSS anymore and we end up with a bloated, ugly mess which everyone now hates. This whole convenience issue requires a more thorough analysis though - subject for another article!

Back to the front page