Hacker News new | past | comments | ask | show | jobs | submit login
Firefox Android: Camera remains active even when the phone is locked (bugzilla.mozilla.org)
209 points by kkm 10 months ago | hide | past | favorite | 110 comments

For a user to be affected by this they woul need to:

* They would need to visit a website using webrtc

* Grant Firefox the Android camera/microphone permissions

* They would then be prompted to allow the website access to the camera and microphone

* For this to be a persistent problem the user would need to check a box that says "Remember my decision for this site" this is unchecked by default in the above dialog

As comments here and in the bug there are cases where leaving the camera active is useful so this is not as cut and dry as the title leads you to believe.

Sorry but you make it sound like its four independent actions which lowers the overall probability. While in reality this whole sequence of actions is a very common thing for a user to do.

> you make it sound like ... lowers the overall probability

I think that depends on whether you interpret the comment as trying to mitigate the perceived magnitude of the issue, or provide clear and concise information on what the issue entails.

I read it more as a "here's what the preconditions are, and there's some question as to whether the issue is actually a bug or not", and not "you have to do this for it to be a problem, so it's less bad than you think", so the wording didn't seem problematic at all to me.

It's not "preconditions." It's one condition. That the user wants to visit a website that uses the camera. The rest are details of that one condition. He might as well have said things like "turn on phone" "install the firefox app" "short-press the firefox icon" (to launch it).

FWIW based on how it was written I interpreted it as the latter "you have to do this for it to be a problem, so it's less bad than you think", so glad you clarified that wasn't your intent.

To be clear, I didn't write that comment. I don't blame you for thinking that though, I actually almost added a postscript immediately after I commented to note that I wasn't the original commenter since the usernames looked similar, but figured I would just let it go and respond/edit if someone made the mistake. :)

I hope someone has a stat on how many HN replies are by third parties. Now breakdown by hamming distance of usernames from GP :) :)

I think the bigger story is that this is possible for an app to do at all on Android, in a way such that the user might not realize it can happen/is happening.

I think it should be possible, but should be very obvious to the user when an app is doing this (and should require extra permission to be granted).

Consider that I might want to record an encounter with law enforcement on the sly, and also want to keep my phone locked to make it harder to tamper with if it's seized.

Regardless, an app like Firefox should not be doing this, or even offer it as an option. There are certainly legitimate use cases even for Firefox, but I think with a web browser there's too much possibility for abuse and security/privacy issues to make it worth it.

> I think it should be possible, but should be very obvious to the user when an app is doing this (and should require extra permission to be granted).

I disagree with the permission part, I hate how everyone's solution to any problem is to just add a toggle or another level of complexity to the app.

But the solution to the first part is easy and something that already exists all over Android. Simply have a persistent notification saying "The camera is currently active" which can't be dismissed until the camera is turned off. This is used in newer version of Android for any background task doing non-trivial work, really.

> Regardless, an app like Firefox should not be doing this, or even offer it as an option.

Why shouldn't I be able to use a website called imgettingpulledover.com on Firefox instead of an app to do the same thing that you just described?

EDIT: posted this before the edit, edited version makes sense.

I agree. What does iOS do about this? Does it just not allow locked phones access to the camera, or provide a prompt at lock, or something else?

If there's an active call, which allows recording while in the background there's always a red bar at the top of the screen while the phone is recording.

If there's not, the app looses access to the camera while the app is backgrounded/the phone is locked.

I understand an app losing access to the camera in the background is a security feature. But, it is also really annoying when you want the person to see you while you’re doing something else on your screen.

One feature that’s been in the iPad for a few years and coming to the iPhone in the fall is picture in picture where a video call doesn’t take up the entire screen and as long as PIP is enabled, you can have your video call minimized and do something else.

I'm curious too. I assume it's better, but I don't know firsthand. I tried googling it and every result was about manually opening the Camera app from your lockscreen.

Some other comments here seem to indicate (at least in recent models?) that it's a visual indicator light on the phone that the camera/mic is being accessed. That might be sufficient, although I might also like a small audio cue on lock (or camera engage/disengage while locked).

Unfortunately, I doubt Android will ever be able to rely on a separate visual indicator of recording, since that's another hardware component and probably hard (if not impossible) for Android to enforce.

This seems like an area where regulations would be helpful. All persistently internet connected mobile devices with cameras must have one hardware activated status LED per camera, visible to the user. Same should go for microphones actually.

The visual indicator is only in beta right now, but it will be coming to all iPhones 6s and newer in the fall.

I remember in the old Nokia days and early android days when the camera shutter sound couldn’t be disabled (peeping Tom rules) adding an indicator similar to what webcams have could be possible heck you could potentially use the flash LED on its lowest setting.

Some phones don't have such fine grained control over the flash, in my case (Galaxy Note 10+) it still is like a flashbang.

Also not an iOS developer, but I think that apps enter a “suspended” stage when you close them or press the power button to save battery life. If you look at apps’ crash logs, you can see that they are occasionally killed by a system process for using too much CPU or other resources when they’re in the background.

There are definitely constraints on background activity, but I don't know for sure whether that applies to the camera, and I don't know what its precise relation is to the screen being locked

Even the Apple Watch remote camera app asks you to unlock the phone first so it seems like it’s not possible.

You are hit with popups asking for permission.

Android phones that have LEDs should activate the LED whenever the camera is active so that people are aware it is on (especially the front-facing camera). Much like how MBPs do it.

The problem is that a lot of modern ones do not. My past 4 or 5 Android phones did not have LEDs. My second to last, a Oneplus 7T Pro had a pop-up camera which was great for knowing when something was accessing camera without your knowledge (it happened a few times). I'm now on a Oneplus 8 Pro and no popup and no LED so it's a step back in that regard.

We really need hardware LED indicators for phone cameras.

Honestly it does not matter how many conditions need to be met, there is simply no reason for a web browser to be able to do this under any circumstance.

You might argue about a video surveillance app which you install and which you explicitly grant the permission of filming while the lock screen is on, for example with an old device which you want to use as a security camera, but that is a completely different use case.

So regular Google Hangouts / Meet and Jitsi Meet users then?


Mozilla does not have the negative motivations to enact user-unfriendly and/or privacy compromising features on purpose nor for profit. They have a lot more goodwill stocked-up (not infinite, though) than Google when it comes to the users' interests, as well. Lastly, Mozilla is the traditional underdog.

For these reasons and I'm sure many more, it should not be surprising that the geek-, security-, and privacy-oriented HN crowd has more positive assumptions about Mozilla than Google.

Only somewhat related but I have a phone where the front camera mechanically pops up when it's used. I've noticed that by default, when I visit many websites, without notification the camera pops up and down quickly. After every Firefox update, I have to go into android settings and deny camera permissions. I've just assumed a page attempts to access the camera via JS but I'm not sure, it could also just be a bug in FF.

That is a separate issue which is fixed in Firefox Beta as part of bug 1578073.

I think a bunch of websites try to access the camera's metadata as a part of a fingerprinting mechanism. That's probably what you're seeing.

I thought so too, Xiaomi Mi 9T here with a popup camera mechanism. But then again, wouldn't the website have to ask for camera permissions? Or is there some permission-less approach like the one for evaluating MIDI devices which is used for fingerprinting?

Yes this is ad network fingerpriting using navigator.mediaDevices.enumerateDevices(). [1] When called without permission it would return something like

> videoinput: id = csO9c0YpAf274OuCPUA53CNE0YHlIr2yXCi+SqfBZZ8=

> audioinput: id = RKxXByjnabbADGQNNZqLVLdmXlS0YkETYCIbg+XxnvM=

> audioinput: id = r2/xw1xUPIyZunfV1lGrKOma5wTOvCkWfZ368XCndm0=

and if the user has allowed access to the camera/mic

> videoinput: FaceTime HD Camera (Built-in) id=csO9c0YpAf274OuCPUA53CNE0YHlIr2yXCi+SqfBZZ8=

> audioinput: default (Built-in Microphone) id=RKxXByjnabbADGQNNZqLVLdmXlS0YkETYCIbg+XxnvM=

> audioinput: Built-in Microphone id=r2/xw1xUPIyZunfV1lGrKOma5wTOvCkWfZ368XCndm0=

[1] https://developer.mozilla.org/en-US/docs/Web/API/MediaDevice...

Thanks for this, seems to confirm my suspicions. The camera popup happened quite often on Glassdoor, which I remember once blocking me for some time after I blocked their canvas fingerprinting attempts. Just checked and that seems to no longer be there.

Disappointing state of affairs overall.

It's actually great to have a physical confirmation that such a fingerprint is being generated. This so called cookie-less tracking is not legal in some parts of the world because it bypasses consent which needs to be legally obtained.

It doesn't look too fingerprintable. The ids seems to change once you closed all the tabs belonging to a site (on firefox), on on reload (chromium) so the max they can fingerprint is how many devices of each type you have.

the site I used to test: https://browserleaks.com/webrtc

Number and type of devices are still useful for fingerprinting when combined with other sources of information.

That's how modern fingerprinting tends to work. A few bits here, a few bits there, all combined.

That’s what I thought too as soon as I saw the title of this thread.

My telco uses a heavily obfuscated script where all the variables are just a bunch of hex that uses every conceivable fingerprint technique in the book.

Shockwave Flash, remote fonts, WebRTC, Silverlight, vector graphics, HTML5 cookies, hardware fingerprinting etc.

Having a mechanism to override built in JS functions would be great fun.

AFAIK you can already do that using content scripts that execute at document_start. A lot of anti-fingerprinting scripts use this already.

Thanks for the tip, I did not know that.

What phone do you use?

OnePlus 7 Pro

Same here, with the same observed behavior.

Since Covid19 I've been using Jitsi a lot. I gave the same "chatroom" to my parents and parents in law, as a way to speak to the kids. Then at some point I'm getting a message from my father saying they can hear my parents in law speak from their living room in our Jitsi room. It turns out the app does not hang up when moving to another app. So they probably spend a couple of days streaming... No idea if others visited the room, it has a rather unique but not very long name and no password... I know one should hang up, but, keeping a video+audio stream alive in the background should also lead to some warning imho. Btw, this was the iPad Jitsi app keeping the connection alive, not the website.

Pretty sure all video apps on iOS do this? Normally the status bar changes to put a coloured pill around the time.

WhatsApp, FaceTime, and Zoom do this but they will pause video while in the background.

Personally I would be annoyed if calls were killed while swapping to other apps.

True, it's nice that it can continue. A warning after some time would be nice though.

That's a reasonable concern - I'd recommend searching for existing threads at https://github.com/jitsi/jitsi-meet/issues related to 'iOS' 'background' and any other terms, and raising an issue if none exists.

The Jitsi team is pretty responsive on GitHub, and this sounds like the kind of issue that might be a good self-contained task for someone to work on.

The app could probably benefit from a "are you still there?" type message when the app has been in the background for an hour. Alternatively, there should be a way to "host" a meeting, similar to in Zoom, which gives you the option to end the meeting for everyone.

This could be desirable behavior in some circumstances, e.g. recording video where someone might seize the device and try to stop the recording, or snoop through the device while it's unlocked.

This! I once was in a car accident and wanted to record the conversation, I started recording, locked phone and put it into my pocket. camera app stopped recording when screen was locked, edge case but really unexpected one for me.

Web browser shouldn't be doing it tho.

If a site is granted access to the camera, and the OS lets other camera apps continue while locked, it makes sense for the browser to at least provide the option of keeping the camera on while locked. Otherwise it just hinders sites from providing live streaming/backup services entirely through the browser without installing yet another app.

Wow, I didn't know this. I just tried with iOS 14 beta and was surprised to see video/audio recording stop as soon as I hit the button to lock the screen.

By the way: You might want to try recording something while walking around with your phone in your pocket. My guess is that your clothing will muffle sound. Any movement will cause fabric to rub against the phone, drowning out the sound you actually want to record. Even if your tactic did work, I'm not sure it would have captured much of the conversation.

>By the way: You might want to try recording something while walking around with your phone in your pocket. My guess is that your clothing will muffle sound.

Many android phones detect being in pocket and lock screen automatically to prevent accidental touches.

I think it works the other way: display won't turn on if something is blocking the proximity sensor, so you won't accidentally dial someone, but if I place the phone in pocket while the display is on, it stays on.

> Web browser shouldn't be doing it tho.


An app which requests the appropriate permissions and gets them granted is really welcome to display this behavior, but not a web browser.

How is a web browser app asking for OS permissions different to any other app?

Through the Android permissions system, I can block Firefox accessing my camera or microphone. I do sometimes want Firefox to have access to those things, so I temporarily allow the permissions.

On an iPhone, this is what the Voice Memos app is for (and works with the screen off). If you have an Android then I have no idea.

Seems not a bug: you may want this behavior, and the proper way to stop recording is to close the website or the app, not locking your phone.

Yeah, I can see a definite need for this behavior, it would be nice if android required separate permission to access mic & camera while the screen is locked; if firefox additionally requested that permission per-site.

Sure some may want this behavior, but I think most will not: it's unexpected.

I think it's probably more complex than that. It's either unexpected or expected depending on what you're trying to do, as shown by the cases mentioned here in the comments. You want to record something but you want your phone in your pocket (and locked, so you don't accidentally touch something). You want to use it as a baby monitor for a room. Your in a conference meeting call but in your car without a charger, so would prefer to not waste battery on the screen. Those are all cases where if you were were actively using the camera and locked the phone, you might reasonably expect the camera to continue working as it seems a use case people would have.

At the same time, there's the desire to know that when your phone is not in active use (i.e. locked) it's not recording you.

I think this is a textbook case of where our expectations are contextual, and conflicting. A naive adherence to one expectation or the other will leave people unhappy. Perhaps then, a less naive behavior (prompting on lock, a visual indicator of any recording, etc) is sufficient.

There is a visual indicator Firefox provides an Android notification that appears when the camera and/or the mic is in use.

By visual indicator, I specifically mean a visual indicator that showed when your phone is locked, and the screen may be off (like an LED, as iOS is apparently enabling). To be clear, that's not only not an app's responsibility, and in fact it should not be something an app can change at all, so I don't really think Firefox should worry about changing how it indicates this.

Because part of this has to do with security/privacy and at the device level, this is really something Android needs to tackle. None of the solutions I proposed are really appropriate for an application, since that would imply an application has control over them, and they are useful only if an application can't change them so you can have assurance they work as expected.

This is less an issue of trusting Firefox, which I do (for the most part, but it does have a large security surface to be aware of since it runs remote code), and more an issue of trusting something like Zoom or Tik Tok, which I don't really.

I wish there was a hardwired led indicator, one for mic and one for camera.

When not in use neither the mic nor the camera would get power and the leds tied to the same power connection. If they're on, you know they're on.

Yeah for "ok google" or whatever service it would be on all the time, but you'd know.

A physical switch to cut power would be nice too.

I know there are likely some software complications such as checking 'hey does the camera work / is it there' but maybe that's more of a symptom of a problem.

Apple is doing this now in iOS 14 - not quite hardwired but their OS is so controlled it's nearly the same thing. I doubt an app can bypass it. https://9to5mac.com/2020/07/07/ios-14-what-do-the-orange-and...

On Android you have the pop-up phones of course! Sadly they are super heavy... I was checking the Poco F2 last weekend and it's > 200 grams which is really a lot. Great for privacy though (and I really don't care about the front cam much anyway).

Wow that’s awesome, I have an app installed on my MacBook that pops up something when the mic is in use and it’s a great addition.

Edit: Oops you were talking about the mic, not the cam.. So the green light I spoke of doesn't apply.

I wouldn't be surprised if this feature came to Big Sur too though! But the current beta doesn't have it.

A microphone is a passive component, it doesn't need power. If you plug it into your headphones jack, it turns into a speaker. The indicator you want would be controlled by firmware or operating system, or by a physical switch, not by a common path to the microphone.

Please keep this as an _option_. The current lack of having background video streaming prevents me from using my old androids as dashboard AND a network camera, even though they have the capacity to be both.

Relevant/obligatory xkcd: https://xkcd.com/1172/

On the subject, I would really prefer this to be an option as well, even with the default being not the current default, however I see that there is a general trend of removing a lot of fine tuning knobs in apps (android or otherwise) in the sake of reducing complexity for the end-user.

This is the behavior I expect and desire from my phone. Locking the screen should not suddenly end my video call. To end my video call, I should press the 'end call' button. I can think of scenarios where I would want my phone to record without showing any notice at all (some people have mentioned law enforcement interactions, I think this is a good example of such a situation).

This could (maybe even should) be handled by Android permissions itself e.g allow app to be access camera when screen is off or locked. But this has been inactive mostly inactive for a year, which shows where priorities lie.

Doesn't Android require the camera permissions in order to use the microphone? I mean, it makes sense to keep a webrtc connection alive even if you lock the screen (if you're on a voip ball for example)

I don't see why microphone should require camera access. I can think of a few scenarios that need the former and not the latter.

What about a voice calling app that doesn't have video calling support?

What about a sound recorder, voice recorder, music capture or PTT/walkie-talkie app?

What about something like Shazam?

This is why I still use [bouncer] despite the fact that it's roughly been replaced by Android's new only-while-app-is-running style permission.

I have great* confidence the camera is off when, after hitting the home key, I actually see the permissions for the app switch off.

[bouncer]: https://play.google.com/store/apps/details?id=com.samruston....

Also, Firefox for Android has Google AdMob integration and uses firebase as a hosting service for some scripts.

I lately started to use Appwarden [1] to check some apps, and I'm amazed how messed up the App ecosystem is in terms of advertising trackers and abusive CDNs - even if you use only AOSP builds, no gapps, and only f-droid, you can get compromised very easily.

[1] https://gitlab.com/AuroraOSS/AppWarden


I remember that at some point it was possible to open a Youtube video in Firefox for Android, lock the screen, and it kept on playing. It was great for some podcast-like / talking channels.

Then either Firefox changed or Youtube cracked down on this.

As far as I know, Firefox still allows you to play video in the background from the lock screen. It's probably YouTube that changed (because they want you to pay them for the feature, because people use YouTube for background music).

You can keep it from pausing by requesting the desktop site in Firefox. The mobile site pauses, the desktop site just keeps playing.

Interesting. I tried it in Firefox for Android, and the desktop site plays for a couple of seconds after screen lock and then stops. It might depend on the video.

It probably also depends on the power saving settings your phone enforces. From what I've seen from DontKillMyApp[0] the optimalizations vary widely per manufacturer and probably per device and ROM as well.

I don't think the websites cares much, at least it didn't for me and I tested it with a music video (something Youtube usually doesn't like you playing in the background without a subscription). Your phone's settings and optimizations are a more likely culprit, in my opinion.

[0]: https://dontkillmyapp.com/

It used to work if you were using m.youtube.com. not anymore, sadly. However, NewPipe allows you to do the same thing and is available on f-droid

Ok, but why is this up to the browser? If it was any other app, how can users be protected? Shouldn't this be enforced by the hardware ideally?

Interesting, but why is this possible in the first place on Android?

Because I might still want to record things with my screen off?

Imagine you are recording a video, and you turn of the screen to save power - why would you expect it to stop recording?

Meh.. If I was in a video chat and my phone locked i wouldnt want it to get discconected

wow that is really bad, I am increasingly loosing fate in Firefox and I have been using it since v1.0

I'm sure this wasn't intentional though. It doesn't even benefit them in any way. It's not as if they were doing it to steal information. It's just a bug, at least it's known now and they'll fix it.

assuming the NSA isn't behind it and cutting them a check

Yes, the company that laid off 7% of its workforce back in January and still has people on edge about pay cuts and layoffs is secretly rolling in the NSA dough. Makes perfect sense.

That's well into tinfoil hat territory unless you have some proof of this.

Not Mozilla, but there's plenty of proof for other big tech companies, including Google.


The NSA didn't cut those companies a check. As the slides very clearly show, PRISM is an integration program between the NSA and the FBI to consume the data that the FBI already gets from issuing wiretap requests for specific users.

But this is about Mozilla, which is not all like the other big tech companies. They've definitely made some mistakes but I'd pause for a long time before accusing them of malice at that level.

How are they different?

Many contributors are volunteer, not under mozilla payroll. I doubt they would stay quiet if they notice something like this happen.

very true, but is there even a way to even know how much money they get from the government? (With this black budget bullshit... Who introduced that concept anyways)

It is only a year old. I mean how high of a priority can it be to not send your camera when your phone is locked or when you send the app to the background?

> to the background

I absolutely want the Jitsi call to continue in the background while I quickly look up something in the calendar.

True but there's an app for that (that probably works better than doing it in the browser, otherwise why did they make it?): https://play.google.com/store/apps/details?id=org.jitsi.meet...

Though I have to admit I didn't try. I've only used it on the PC and Mac. I love Jitsi though, for some reason it's sooo much smoother video than MS Teams. Really adds a lot to the communication. I wish I could use it for work, but there it's Microsoft or nothing :P

Furthermore, how does the OS even make this possible?

Accidentally bumping the power button shouldn't kill a video I'm taking or a video conference I'm in.

The OS should block new uses of the camera if it's locked (sort of - face unlock obviously needs an exception), but killing existing ones seems rather aggressive and would create a new form of user hostility in relatively common situations.

Well for music, people may want to continue listening to music when their phones are off or the app is in the background.

For video I agree it doesn't make much sense, but in a web app world if you're recording video you may want to turn off the screen or do other things just like a computer. It should at least show you in the notification area.

i can think a scenario where the phone is acting as a sort of security camera. or you are using it as a replacement for web cam when you stream from your pc. etc. but i agree most of those are edge cases.

It's not as much of an edge case; spare (particularly, old) phones and tablets are used as DIY home security systems, baby monitors, etc.

And even edge cases should be supported. Maybe the default in Firefox should be to disable the camera when you lock your phone, but then it should have a setting to do otherwise, and it certainly shouldn't be rendered impossible by the OS (rather than, say, having a separate permission).

Heck even for video. Google is hammering youtube pro down my throat for the benefit of continuing pkaying while backgrounded

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact