Firefox is beyond hope in terms of hardening due to all the undefined behavior incompatible with mitigations, but in this case they're taking things even further and blocking improvements to the OS. They are literally overwriting a portion of libc with their hard-wired code...
Conversation
I love how they even go out of the way to provide their own sigaltstack without a guard page, even though the base system already provides one with a guard page:
github.com/mozilla/gecko-
The code all insanity:
github.com/mozilla/gecko-
It comes up as an issue again and again.
1
1
3
Oh, and since they load it like this, their code ends up as dirty pages in memory instead of having on-demand paging from shared objects on the filesystem either in the apk (uncompressed) or in the directory of automatically extracted libraries / executables (compressed in apk).
1
1
Transmission of an apk is compressed so having a library uncompressed in the apk like Chromium doesn't waste bandwidth. The apk uses a bit more space on the device, but less than having it both compressed in the apk and extracted alongside it. Firefox's design choice is terrible.
1
1
Firefox (fennec) is in semi-maintenance mode -- you should check to see whether Fenix has the same behavior and report it as an issue if so.
github.com/mozilla-mobile
tools.taskcluster.net/index/project.
2
1
2
Is this still Firefox but just replacing the mobile integration with something new?
2
It throws away their Android app code and replaces it with a more modern codebase written in Kotlin without bad legacy decisions. It uses Gecko via a new modular library aimed at offering an alternative to the Android WebView.
wiki.mozilla.org/Mobile/GeckoVi
1
1
Not so sure "Because GeckoView is a standalone library that you bundle with your application, you can be confident that the code you test is the code that will actually run." is a feature though. Automatic WebView updates without app involvement + always on sandbox is great.
2
I'd say having webview at all is a misfeature. Non-browser apps should never be embedding browsers; this should be grounds for ban from store. It's essentially phishing for credentials.
1
Most Android browsers are WebView frontends. Firefox's own Focus browser started out as one, but now they're moving to using GeckoView as a replacement for the WebView primarily as a dogfooding thing. The WebView itself isn't really a browser, just a web rendering engine though.
Each app's usage is a separate instance. It's usually a shortcut to cut costs by avoiding the development of a proper native app. Instead, they reuse web development work for portions of the app on both Android and iOS. There are whole app development frameworks built on it.
2
A use case that I had for it was to build a PDF Viewer leveraging the hardened Chromium rendering stack. It has a fully static set of code and style properties (enforced by CSP), so RCE would need to happen via the small subset of the browser rendering engine within the sandbox.
1
1
Show replies