[guardian-dev] Orfox / Fennec browser build latest assessment

Nathan of Guardian nathan at guardianproject.info
Tue Apr 7 18:34:15 EDT 2015


Amogh got the latest Fennec code building, to get our Orfox effort
started again. I thought I would share some of his findings below.

*****

After going through the source code for Firefox for Android, which can
be found at http://hg.mozilla.org/mozilla-central/ , these were the
network-related findings that I've made.
The application mainly uses 3 layers to work.
1) The core layer, written in C++.
2) A JS layer with some more functional code.
3) A Java layer that makes use of the Android APIs and other code used
for Android.

Out of the 3 layers, 2 of them make network calls.
1) The C++ layer.
    There is an advantage to this layer making the network calls, as all
    the calls made by this layer are proxied. They obey the Fennec
    proxy settings that are currently set at
    mozilla-central/mobile/android/app/mobile.js . Hence, we do not need
    to bother about setting a proxy for these connections and calls.

2) The Java layer.
    The Java code, the code run by Android, also has many network calls,
    but the problem is that these calls are not made obeying the Tor
    proxy and hence they are harmful.
    The places where these calls are made are:
        a) any class which imports org.apache.* (commons.net.ftp.*,
        http.*):
            build/mobile/sutagent/android/DoCommand.java
            build/mobile/sutagent/android/SUTAgentAndroid.java
            mobile/android/base/distribution/Distribution.java
            mobile/android/base/favicons/LoadFaviconTask.java
            mobile/android/base/tests/BaseRobocopTest.java
        b) The browser also seems to be using another library for
        network communications and that lies at
        mobile/android/thirdparty/ch/boye/httpclientandroidlib
           This library seems to have proxy support, but the calls made
           to this library have not been proxied; a list of those is
           here:
                mobile/android/base/background/bagheera/BagheeraClient.java
                mobile/android/base/background/bagheera/BagheeraRequestDelegate.java
                mobile/android/base/background/bagheera/BoundedByteArrayEntity.java
                mobile/android/base/background/bagheera/DeflateHelper.java
                mobile/android/base/background/fxa/FxAccountClient10.java
                mobile/android/base/background/fxa/FxAccountClient20.java
                mobile/android/base/background/fxa/FxAccountClientException.java
                mobile/android/base/background/fxa/SkewHandler.java
                mobile/android/base/background/fxa/oauth/FxAccountAbstractClient.java
                mobile/android/base/background/fxa/oauth/FxAccountAbstractClientException.java
                mobile/android/base/background/fxa/oauth/FxAccountOAuthClient10.java
                mobile/android/base/background/healthreport/upload/AndroidSubmissionClient.java 
                mobile/android/base/browserid/verifier/AbstractBrowserIDRemoteVerifierClient.java
                mobile/android/base/browserid/verifier/BrowserIDRemoteVerifierClient10.java
                mobile/android/base/sync/GlobalSession.java
                mobile/android/base/sync/jpake/JPakeClient.java
                mobile/android/base/sync/jpake/stage/DeleteChannel.java
                mobile/android/base/sync/jpake/stage/GetChannelStage.java
                mobile/android/base/sync/jpake/stage/GetRequestStage.java 
                mobile/android/base/sync/jpake/stage/PutRequestStage.java
                mobile/android/base/sync/net/AbstractBearerTokenAuthHeaderProvider.java
                mobile/android/base/sync/net/AuthHeaderProvider.java
                mobile/android/base/sync/net/BaseResource.java
                mobile/android/base/sync/net/BaseResourceDelegate.java
                mobile/android/base/sync/net/BasicAuthHeaderProvider.java
                mobile/android/base/sync/net/HMACAuthHeaderProvider.java
                mobile/android/base/sync/net/HawkAuthHeaderProvider.java
                mobile/android/base/sync/net/HttpResponseObserver.java
                mobile/android/base/sync/net/MozResponse.java    
                mobile/android/base/sync/net/Resource.java
                mobile/android/base/sync/net/ResourceDelegate.java
                mobile/android/base/sync/net/SyncResponse.java
                mobile/android/base/sync/net/SyncStorageCollectionRequest.java
                mobile/android/base/sync/net/SyncStorageRequest.java
                mobile/android/base/sync/net/SyncStorageResponse.java
                mobile/android/base/sync/net/TLSSocketFactory.java
                mobile/android/base/sync/repositories/Server11RepositorySession.java
                mobile/android/base/sync/setup/auth/AuthenticateAccountStage.java
                mobile/android/base/sync/setup/auth/EnsureUserExistenceStage.java
                mobile/android/base/sync/setup/auth/FetchUserNodeStage.java
                mobile/android/base/sync/stage/EnsureClusterURLStage.java
                mobile/android/base/sync/stage/SyncClientsEngineStage.java
                mobile/android/base/tokenserver/TokenServerClient.java
                mobile/android/tests/background/junit3/src/sync/TestUpgradeRequired.java

                This is the URL for the query:
                https://dxr.mozilla.org/mozilla-central/search?q=ch.boye.httpclientandroidlib&case=false&offset=700
                NOTE:
                    Not all of these classes make network calls; I will
                    make a shorter list of this in the next few days.
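
The triage described above, narrowing the import list down to classes that actually open connections without a proxy, can be sketched as a small audit script. This is an added example, not code from the original post or from the Orfox/Fennec tree; the call and proxy patterns are assumed heuristics, and the sample Java sources are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Packages the post names as sources of Java-layer network calls.
HTTP_IMPORT = re.compile(
    r"^\s*import\s+(?:org\.apache\.(?:http|commons\.net)"
    r"|ch\.boye\.httpclientandroidlib)\b", re.M)
# Assumed heuristics: constructs that open a connection / configure a proxy.
NET_CALL = re.compile(r"new\s+\w*HttpClient\s*\(|new\s+FTPClient\s*\(|\.execute\s*\(")
PROXY_HINT = re.compile(r"DEFAULT_PROXY|setDefaultProxy\s*\(|setProxy\s*\(")

def classify(source: str) -> str:
    """Triage one Java source: which bucket of the audit does it fall in?"""
    if not HTTP_IMPORT.search(source):
        return "no-http-lib"
    if not NET_CALL.search(source):
        return "imports-only"      # uses library types but opens no connection
    return "proxy-configured" if PROXY_HINT.search(source) else "UNPROXIED"

def audit(root: Path) -> dict:
    """Classify every .java file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.java"))}

# Constructed sample sources (not Fennec code), one per outcome.
SAMPLES = {
    "net/Fetcher.java":
        "import org.apache.http.impl.client.DefaultHttpClient;\n"
        "class Fetcher { void go(Object req) { new DefaultHttpClient(); } }\n",
    "net/TorFetcher.java":
        "import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;\n"
        "import ch.boye.httpclientandroidlib.conn.params.ConnRoutePNames;\n"
        "class TorFetcher { void go(Object proxyHost) {\n"
        "  DefaultHttpClient c = new DefaultHttpClient();\n"
        "  c.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, proxyHost); } }\n",
    "net/Response.java":
        "import ch.boye.httpclientandroidlib.HttpResponse;\n"
        "class Response { HttpResponse r; }\n",
    "ui/Toolbar.java": "class Toolbar { }\n",
}

def run_demo() -> dict:
    """Write SAMPLES to a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, src in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(src)
        return audit(root)

if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:17} {path}")
```

A "proxy-configured" verdict only means a proxy setting appears in the file; whether it points at the Tor proxy and covers every request still needs manual review, as do calls hidden behind helper classes.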

