Closed Bug 1227011 Opened 9 years ago Closed 7 years ago

No prompt for creating/reading contact on Privileged App

Categories

(Firefox OS Graveyard :: Gaia::System, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-b2g:2.5+, b2g-v2.1 affected, b2g-v2.2 affected, b2g-v2.5 ?, b2g-master affected)

RESOLVED WONTFIX

People

(Reporter: atsai, Unassigned)

Attachments

(4 files)

Description:
While a privileged app tries to read/write contacts, there should be a prompt to the user to ask for permission.

Test Environment:
* You'll need an engineer build or install the ui-test-privileged app manually
  app: https://github.com/mozilla-b2g/gaia/tree/master/dev_apps/uitest-privileged

STR:
1. Launch UI-Test-Privileged App
2. Click "Contacts"
3. Select "Insert fake contacts"
4. Approve the prompt and start to install contacts

Expected Result:
3. A prompt for user to decide to insert contacts or not

Actual Result:
3. No prompt. Start to insert contacts immediately

We should get it fixed because it impacts user privacy.
https://developer.mozilla.org/en-US/Apps/Build/App_permissions
Set it as a P1 critical issue since we should get this fixed as soon as possible.
Severity: normal → critical
Priority: -- → P1
This issue is present in 2.1[1] and 2.2[2]. Due to bug 1223956, I couldn't get the latest builds. However, we had a test[3] that led to a false positive (more details in bug 1219695 comment 2). The test landed back in 1.3 and it already forced the prompt to be displayed. I'm afraid we might have this issue since 1.3. My Buri is dead, so I can't check 1.3 or 1.2. Removing regressionwindow-wanted and adding QAwanted until we find out which branches are affected or not.

:KTucker, do you have the resources to check 2.0 Flame, 1.4 Flame, 1.3 Buri and 1.2 Buri?

Also, this problem is likely a security hole => Restricting it to Mozilla's employees and cc'd contractors.

[1]
Build ID               20150724001207
Gaia Revision          9dba58d18006e921546cec62c76074ce81e16518
Gaia Date              2015-07-23 12:36:57
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/41e10c6740be
Gecko Version          34.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150724.035246
Firmware Date          Fri Jul 24 03:52:57 EDT 2015
Bootloader             L1TC000118D0

[2]
Build ID               20150810032504
Gaia Revision          102f1299e9eafe3760e1deb44d556b5c4f36b5af
Gaia Date              2015-08-06 20:46:56
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/da29b5af4232
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20150810.065425
Firmware Date          Mon Aug 10 06:54:37 EDT 2015
Bootloader             L1TC000118D0

[3] https://github.com/mozilla-b2g/gaia/tree/master/tests/python/gaia-ui-tests/gaiatest/tests/functional/system/test_privileged_app_contacts_prompt.py
Group: mozilla-employee-confidential
I just tried a real privileged app[1], it did ask me the rights to access my contacts. I wonder if that's not just the "UI tests - Privileged" app that behaves like a certified one? What do you think, Al?

[1] https://marketplace.firefox.com/app/contact?src=search
Flags: needinfo?(atsai)
Keywords: qawanted
Could be. I don't have any idea about the root cause. ni? Ken to see if we can have some resources to dig in.
Group: mozilla-employee-confidential
Flags: needinfo?(atsai)
Flags: needinfo?(kchang)
Hi Paul, Do you know if we have any change in permission check after 2.1?
Flags: needinfo?(kchang) → needinfo?(ptheriault)
Hi, Norry,
Can you assign a tester to do branch check?
Please use apps ([1] and [2]) to do a branch check on Aries user build.
Thank you.

[1] https://github.com/mozilla-b2g/gaia/tree/master/dev_apps/uitest-privileged (Install it via web IDE)
[2] https://marketplace.firefox.com/app/contact?src=search (Short URL: https://goo.gl/sNxm11)
Flags: needinfo?(fan.luo)
Hi Verson, Could you have a check according to comment 6? thanks.
Flags: needinfo?(xiongfuchao)
Attached video Arieskk.3gp
I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK v2.5 dogfood build & v2.6 user build by STR in comment 0.
Actual result: 3. A prompt for user to decide to insert contacts or not.
Reproduce rate: 0/10
See Arieskk.3gp

Device: Aries KK v2.6 user (Unaffected)
Build ID               20151126173500
Gaia Revision          86959c405348d27ba5686956ae3a8ffc274d3db8
Gaia Date              2015-11-26 06:53:43
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/74c7941a9e22d50057800771ebae07f69deecc9f
Gecko Version          45.0a1
Device Name            aries
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.worker.20151126.165407
Firmware Date          Thu Nov 26 16:54:15 UTC 2015
Bootloader             s1

Device: Aries KK v2.5 dogfood (Unaffected)
Build ID               20151126113601
Gaia Revision          34ccc2c8f17b87a1fab95a4186b0019ec78c7f75
Gaia Date              2015-11-26 09:44:10
Gecko Revision         http://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/fbaba398bd98fd1837ef2fd7c13ed8ee69640cfb
Gecko Version          44.0a2
Device Name            aries
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.worker.20151126.104443
Firmware Date          Thu Nov 26 10:44:51 UTC 2015
Bootloader             s1
Flags: needinfo?(xiongfuchao)
QA Whiteboard: [MGSEI-Triage+]
Hi William, According to comment 8, this bug can't be repro on v2.5 and master.
Flags: needinfo?(whsu)
Flags: needinfo?(fan.luo)
(In reply to Verson Xiong from comment #8)
> I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK
> v2.5 dogfood build & v2.6 user build by STR in comment 0.

This app is only present in engineering builds:
* Master: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.b2g/gecko.v2.mozilla-central.latest.b2g.aries-eng-opt
* 2.5: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-b2g44_v2_5.latest.b2g/gecko.v2.mozilla-b2g44_v2_5.latest.b2g.aries-eng-opt
Flags: needinfo?(whsu)
(In reply to Johan Lorenzo [:jlorenzo] (QA) from comment #10)
> (In reply to Verson Xiong from comment #8)
> > I can't use apps ([1] and [2]) to reproduce this issue on latest AriesKK
> > v2.5 dogfood build & v2.6 user build by STR in comment 0.
>
> This app is only present in engineering builds:

You can clone the app and install it on user build by using WEB IDE.
If the app installs by using webIDE, the warning/prompt message popped up when user import contacts (as comment 8 mentioned).
So, it seems to me that we need to figure out the root cause to see if it associates with certified app (As comment 3 mentioned).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi, Norry,
Could you assign a tester to do the same test on 2.2 branch?
I would like to compare the behavior of pre-installation and post-installation.
Please don't change the status flag because this is cross-comparison.
Flags: needinfo?(fan.luo)
Attached file logcat_0427.txt
Hi William,
I do the same test on latest Flame v2.2 user & eng build, but I can't use apps [1] (post-installation) and [2] to reproduce this issue; an overlay always pops up to prompt the user to decide to insert contacts or not.
Btw, when I use the pre-installation one to test, I get the same results as comment 0: no prompt will appear. Please see Flamekk_v2.2_eng.3gp & logcat_eng_0427.txt
Reproduce rate: 0/10
See Flamekk_v2.2_user.3gp, Flamekk_v2.2_eng.3gp, logcat_eng_0427.txt

Device: FlameKK v2.2 user (post-installation -> Unaffected)
Build ID               20151130032503
Gaia Revision          885647d92208fb67574ced44004ab2f29d23cb45
Gaia Date              2015-10-07 13:05:24
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/4381c4b69b9c
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151130.071422
Firmware Date          Mon Nov 30 07:14:34 EST 2015
Bootloader             L1TC000118D0

Device: FlameKK v2.2 eng (post-installation -> Unaffected) (pre-installation -> Affected)
Build ID               20151130032503
Gaia Revision          885647d92208fb67574ced44004ab2f29d23cb45
Gaia Date              2015-10-07 13:05:24
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/4381c4b69b9c
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151130.085015
Firmware Date          Mon Nov 30 08:50:27 EST 2015
Bootloader             L1TC000118D0
Flags: needinfo?(fan.luo)
Attached video Flamekk_v2.2_eng.3gp
Flags: needinfo?(whsu)
(In reply to Verson Xiong from comment #14)
> Created attachment 8693991 [details]
> logcat_0427.txt
>
> Hi William,
> I do the same test on latest Flame v2.2 user & eng build, but I can't use
> apps [1] (post-installation) and [2] to reproduce this issue; an overlay always
> pops up to prompt the user to decide to insert contacts or not.
> Btw, when I use the pre-installation one to test, I get the same results as comment 0:
> no prompt will appear. Please see Flamekk_v2.2_eng.3gp & logcat_eng_0427.txt
> Reproduce rate: 0/10
>

It seems to me that the behavior of pre-installed app is different from post-installed app.
Thank you.
Flags: needinfo?(whsu)
(In reply to William Hsu [:whsu] from comment #17)
> It seems to me that the behavior of pre-installed app is different from
> post-installed app.
> Thank you.

I think this was done on purpose in bug 1014410.
Depends on: 1014410
(In reply to Ken Chang[:ken] from comment #5)
> Hi Paul,
> Do you know if we have any change in permission check after 2.1?

There was no change, but Mike is correct. Pre-installed privileged apps are granted the certified level of permissions (which for contacts is allow, https://mxr.mozilla.org/mozilla-central/source/dom/apps/PermissionsTable.jsm#74).
Flags: needinfo?(ptheriault)
IE - the STR is invalid here, to test the 'real' behavior of privileged apps, you need to install that app, not pre-install it.
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
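
The behaviour the thread converges on (a pre-installed privileged app is granted the certified level, so contacts access is allowed without a prompt), as an added example that is not Gecko or Gaia code: a simplified model that triages QA observations against it. The function names, the run records and the hosted-app `deny` default are assumptions; the runs are constructed from the comments above.

```javascript
// Simplified model of the behaviour described in this bug (not Gecko code).
const ALLOW = "allow", PROMPT = "prompt", DENY = "deny";

// Default action per app level. The privileged and certified values for
// contacts are the ones stated in the thread; "app" is an assumption.
const PERMISSIONS = {
  contacts: { app: DENY, privileged: PROMPT, certified: ALLOW },
};

// Pre-installed privileged apps are granted the certified level.
function effectiveLevel(app) {
  return app.type === "privileged" && app.preinstalled ? "certified" : app.type;
}

function defaultAction(app, permission) {
  const entry = PERMISSIONS[permission];
  // Fail closed on unknown permissions or ones the manifest never requested.
  if (!entry || !app.permissions.includes(permission)) return DENY;
  return entry[effectiveLevel(app)] ?? DENY;
}

// Classify one QA observation ("prompt", "allow" or "deny").
function triage(run) {
  const expected = defaultAction(run.app, run.permission);
  if (run.observed !== expected) {
    return `defect: expected ${expected}, observed ${run.observed}`;
  }
  return effectiveLevel(run.app) === run.app.type
    ? "expected"
    : "expected: elevated by pre-installation, privileged path not exercised";
}

// Constructed runs mirroring the comments above, plus one hypothetical defect.
const uitest = { type: "privileged", permissions: ["contacts"] };
const RUNS = [
  { name: "v2.2 eng, pre-installed", observed: ALLOW,
    app: { ...uitest, preinstalled: true }, permission: "contacts" },
  { name: "v2.2 user, installed via WebIDE", observed: PROMPT,
    app: { ...uitest, preinstalled: false }, permission: "contacts" },
  { name: "hypothetical: installed, no prompt", observed: ALLOW,
    app: { ...uitest, preinstalled: false }, permission: "contacts" },
];

for (const run of RUNS) console.log(`${run.name}: ${triage(run)}`);
```

Only the third run, an installed (not pre-installed) privileged app that reaches contacts without a prompt, would be a real permission-check defect; the first matches the reporter's STR and is working as designed.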