Opened 5 weeks ago

Last modified 8 days ago

#33939 new task

Decide which components of Fenix to rip out, disable, or use

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, TorBrowserTeam202004
Cc: sysrqb, boklm Actual Points:
Parent ID: #33184 Points:
Reviewer: Sponsor: Sponsor58-must

Description

One thing we are struggling with when trying to write proper patches for building various parts of Fenix is that it's not clear yet which components we want to rip out/disable/use.

E.g. there are a number of things we might want to rip out of android-components (comment:4:ticket:33156) or maybe not, it's not clear. We already have a separate bug (#33594) to figure out what we should do with Glean.

So, in this ticket we should look over the various components involved and decide

a) which to rip (fully) out at build time
b) disable at run time

and document the reasoning (maybe that could be part of our release prep process documentation).

I think by default we should enable everything for usability reasons and disable potentially fingerprinting/tracking features where we don't have patches (yet) and rip out outright dangerous ones if we don't find a better solution. That's a similar method we follow for desktop audits.

Change History (5)

comment:1 Changed 3 weeks ago by gk

Oh, and this is not just about ripping out/disabling things in android-components. We need to look at application-services, too, which android-components (and fenix) depend upon.

comment:2 Changed 13 days ago by sysrqb

Let's see. This is the initial pass over Fenix dependencies. It doesn't make any judgement about which features we should keep/disable/rip-out. It does not look at how these features are used within Fenix and which functionality within Fenix should be modified. These will come in later comments.

Based on Fenix (commit 3c29cb9f72cae1b3c425477750f718f912ff9b45) includes:
(git grep -n Deps\. | grep -o Deps\..*, and then manually filter out tests and duplicates, then resolving the aliases in buildSrc/src/main/java/Dependencies.kt)

# GeckoView
mozilla_browser_engine_gecko_nightly -> org.mozilla.components:browser-engine-gecko-nightly
mozilla_browser_engine_gecko_beta -> org.mozilla.components:browser-engine-gecko-beta

# Kotlin std library
kotlin_stdlib -> org.jetbrains.kotlin:kotlin-stdlib-jdk7

# Import/enable coroutine functionality in Kotlin
kotlin_coroutines -> org.jetbrains.kotlinx:kotlinx-coroutines-core
kotlin_coroutines_android -> org.jetbrains.kotlinx:kotlinx-coroutines-android

# AndroidX compatibility libraries
androidx_appcompat -> androidx.appcompat:appcompat
androidx_constraintlayout -> androidx.constraintlayout:constraintlayout
androidx_coordinatorlayout -> androidx.coordinatorlayout:coordinatorlayout

# Error/crash monitoring
sentry -> io.sentry:sentry-android

# Dynamically (?) creates license list
osslicenses_library -> com.google.android.gms:play-services-oss-licenses

# Customer engagement (with Firebase Cloud Messaging)
leanplum_core -> com.leanplum:leanplum-core
leanplum_fcm -> com.leanplum:leanplum-fcm

# High-level descriptions/contracts of a browser engine
mozilla_concept_engine -> org.mozilla.components:concept-engine

# High-level descriptions/contracts of a push service component
mozilla_concept_push -> org.mozilla.components:concept-push

# High-level descriptions/contracts of a storage layer
mozilla_concept_storage -> org.mozilla.components:concept-storage

# High-level descriptions/contracts of a data synchronization service component
mozilla_concept_sync -> org.mozilla.components:concept-sync

# High-level descriptions/contracts of a browser toolbar
mozilla_concept_toolbar -> org.mozilla.components:concept-toolbar

# High-level descriptions/contracts of a tabs tray component
mozilla_concept_tabstray -> org.mozilla.components:concept-tabstray

# A customizable Awesome Bar implementation for browsers
mozilla_browser_awesomebar -> org.mozilla.components:browser-awesomebar

# Feature implementation for apps that want to use Android downloads manager
mozilla_feature_downloads -> org.mozilla.components:feature-downloads

# APIs for managing localized and customizable domain lists
mozilla_browser_domains -> org.mozilla.components:browser-domains

# A customizable tabs tray for browsers implementation
mozilla_browser_tabstray -> org.mozilla.components:browser-tabstray

# An implementation for loading and storing website icons (like favicons)
mozilla_browser_icons -> org.mozilla.components:browser-icons

# A generic menu implementation with customizable items
mozilla_browser_menu -> org.mozilla.components:browser-menu

# Search plugins and companion code to load, parse and use them
mozilla_browser_search -> org.mozilla.components:browser-search

# A generic representation of a browser Session and a SessionManager to link browser sessions to underlying Engine Sessions and SessionStorage
mozilla_browser_session -> org.mozilla.components:browser-session

# Maintains the centralized state of a browser engine
mozilla_browser_state -> org.mozilla.components:browser-state

# A syncable implementation of `concept-storage` backed by application-services' Places lib
mozilla_browser_storage_sync -> org.mozilla.components:browser-storage-sync

# A customizable toolbar for browsers
mozilla_browser_toolbar -> org.mozilla.components:browser-toolbar

# Contains building blocks for features implemented as web extensions
mozilla_support_extensions -> org.mozilla.components:support-webextensions

# Provides functionality for managing add-ons
mozilla_feature_addons -> org.mozilla.components:feature-addons

# Ties together an FxaAccountManager with the tabs feature, to facilitate OAuth authentication flows managed by the account manager
mozilla_feature_accounts -> org.mozilla.components:feature-accounts

# Support opening non-browser apps and `intent://` style URLs
mozilla_feature_app_links -> org.mozilla.components:feature-app-links

# Connects a concept-awesomebar implementation to a concept-toolbar implementation and provides implementations of various suggestion providers
mozilla_feature_awesomebar -> org.mozilla.components:feature-awesomebar

# Displaying context menus when *long-pressing* web content
mozilla_feature_contextmenu -> org.mozilla.components:feature-contextmenu

# Providing Custom Tabs functionality in browsers
mozilla_feature_customtabs -> org.mozilla.components:feature-customtabs

# Provides intent processing functionality by combining various other feature modules
mozilla_feature_intent -> org.mozilla.components:feature-intent

# Provides website media related features
mozilla_feature_media -> org.mozilla.components:feature-media

# Handles common prompt dialogs from web content like select, option and menu html elements
mozilla_feature_prompts -> org.mozilla.components:feature-prompts

# Implements push notifications with a supported push service
mozilla_feature_push -> org.mozilla.components:feature-push

# Implementation for Progressive Web Apps (PWA)
mozilla_feature_pwa -> org.mozilla.components:feature-pwa

# Provides functionality for scanning QR codes
mozilla_feature_qr -> org.mozilla.components:feature-qr

# Connects an (concept) engine implementation with the browser search module
mozilla_feature_search -> org.mozilla.components:feature-search

# Connects an (concept) engine implementation with the browser session module
mozilla_feature_session -> org.mozilla.components:feature-session

# Connects a (concept) toolbar implementation with the browser session module
mozilla_feature_toolbar -> org.mozilla.components:feature-toolbar

# Connects a tabs tray implementation with the session and toolbar modules
mozilla_feature_tabs -> org.mozilla.components:feature-tabs

# Provides Find in Page functionality
mozilla_feature_findinpage -> org.mozilla.components:feature-findinpage

# Shows site permission request prompts
mozilla_feature_site_permissions -> org.mozilla.components:feature-sitepermissions

# Wraps/Provides a Reader View WebExtension
mozilla_feature_readerview -> org.mozilla.components:feature-readerview

# Implementation for saving, restoring and organizing collections of tabs
mozilla_feature_tab_collections -> org.mozilla.components:feature-tab-collections

# Implementation for saving and removing top sites
mozilla_feature_top_sites -> org.mozilla.components:feature-top-sites

# Implementation for saving and sorting recent apps used for sharing
mozilla_feature_share -> org.mozilla.components:feature-share

# Sends tabs to other devices with a registered FxA Account
mozilla_feature_accounts_push -> org.mozilla.components:feature-accounts-push

# Website-hotfixing via the Web Compatibility System-Addon
mozilla_feature_webcompat -> org.mozilla.components:feature-webcompat

# Displays web notifications
mozilla_feature_webnotifications -> org.mozilla.components:feature-webnotifications

# Integrating with Firefox Sync - Logins
mozilla_service_sync_logins -> org.mozilla.components:service-sync-logins

# Integrating with Firefox Accounts
mozilla_service_firefox_accounts -> org.mozilla.components:service-firefox-accounts

# Client-side telemetry SDK for collecting metrics and sending them to Mozilla's telemetry service
mozilla_service_glean -> org.mozilla.components:service-glean

# SDK for running experiments on user segments in multiple branches
mozilla_service_experiments -> org.mozilla.components:service-experiments

# Accessing Mozilla's and other location services
mozilla_service_location -> org.mozilla.components:service-location

# Base or core component containing building blocks and interfaces for other components
mozilla_support_base -> org.mozilla.components:support-base

# A set of (Mozilla) Kotlin extensions on top of the Android framework and Kotlin standard library
mozilla_support_ktx -> org.mozilla.components:support-ktx

# Enables logging from Rust code.
mozilla_support_rustlog -> org.mozilla.components:support-rustlog

# Generic utility classes to be shared between projects.
mozilla_support_utils -> org.mozilla.components:support-utils 

# Allow apps to change the system defined language by their custom one
mozilla_support_locale -> org.mozilla.components:support-locale

# Helper code to migrate from a Fennec-based (Firefox for Android) app to an Android Components based app
mozilla_support_migration -> org.mozilla.components:support-migration

# The standard set of Photon colors
mozilla_ui_colors -> org.mozilla.components:ui-colors

# A collection of often used browser icons.
mozilla_ui_icons -> org.mozilla.components:ui-icons

# A library for reading and using the Public Suffix List.
mozilla_ui_publicsuffixlist -> org.mozilla.components:lib-publicsuffixlist

# A generic crash reporter component that can report crashes to multiple services
mozilla_lib_crash -> org.mozilla.components:lib-crash

# A concept-push implementation using Firebase Cloud Messaging (FCM)
mozilla_lib_push_firebase -> org.mozilla.components:lib-push-firebase

# A component using AndroidKeyStore to protect user data
mozilla_lib_dataprotect -> org.mozilla.components:lib-dataprotect

# More AndroidX compatibility libraries
androidx_legacy -> androidx.legacy:legacy-support-v4
androidx_biometric -> androidx.biometric:biometric
androidx_paging -> androidx.paging:paging-runtime-ktx
androidx_preference -> androidx.preference:preference-ktx
androidx_fragment -> androidx.fragment:fragment-ktx
androidx_navigation_fragment -> androidx.navigation:navigation-fragment-ktx
androidx_navigation_ui -> androidx.navigation:navigation-ui
androidx_recyclerview -> androidx.recyclerview:recyclerview
androidx_lifecycle_livedata -> androidx.lifecycle:lifecycle-livedata-ktx
androidx_lifecycle_runtime -> androidx.lifecycle:lifecycle-runtime-ktx
androidx_lifecycle_viewmodel -> androidx.lifecycle:lifecycle-viewmodel-ktx
androidx_core -> androidx.core:core
androidx_core_ktx -> androidx.core:core-ktx
androidx_transition -> androidx.transition:transition
androidx_work_ktx -> androidx.work:work-runtime-ktx

# Material Components for Android
google_material -> com.google.android.material

# Provides similar capabilities of CSS Flexible Box Layout Module
google_flexbox -> com.google.android:flexbox

# Renders After Effects animations in real time
lottie -> com.airbnb.android:lottie

# Mobile measurement and fraud prevention (tracks app installation)
adjust -> com.adjust.sdk:adjust-android

# Install Referrer
installreferrer // Required by Adjust -> com.android.installreferrer:installreferrer

# Obtain the Google Advertising ID from the device for use as a unique telemetry identifier
google_ads_id // Required for the Google Advertising ID -> com.google.android.gms:play-services-ads-identifier

comment:3 in reply to:  2 Changed 13 days ago by sysrqb

The following list partitions the dependencies into "include", "exclude", "disable", and "must-audit" sets

"Must Audit" includes dependencies that we could allow depending on their implementation

"Disable" includes dependencies that we probably do not want and we should always use "Dummy" implementations

"Disable" and "Exclude" may merge into a single set.

Include

> # GeckoView
> mozilla_browser_engine_gecko_nightly -> org.mozilla.components:browser-engine-gecko-nightly
> mozilla_browser_engine_gecko_beta -> org.mozilla.components:browser-engine-gecko-beta
> 
> # Kotlin std library
> kotlin_stdlib -> org.jetbrains.kotlin:kotlin-stdlib-jdk7
> 
> # Import/enable coroutine functionality in Kotlin
> kotlin_coroutines -> org.jetbrains.kotlinx:kotlinx-coroutines-core
> kotlin_coroutines_android -> org.jetbrains.kotlinx:kotlinx-coroutines-android
>
> # AndroidX compatibility libraries
> androidx_appcompat -> androidx.appcompat:appcompat 
> androidx_constraintlayout -> androidx.constraintlayout:constraintlayout
> androidx_coordinatorlayout -> androidx.coordinatorlayout:coordinatorlayout
> 
> # Dynamically (?) creates license list
> osslicenses_library -> com.google.android.gms:play-services-oss-licenses
> 
> # High-level descriptions/contracts of a browser engine
> mozilla_concept_engine -> org.mozilla.components:concept-engine
> 
> # High-level descriptions/contracts of a storage layer
> mozilla_concept_storage -> org.mozilla.components:concept-storage
>
> # High-level descriptions/contracts of a browser toolbar
> mozilla_concept_toolbar -> org.mozilla.components:concept-toolbar
> 
> # High-level descriptions/contracts of a tabs tray component
> mozilla_concept_tabstray -> org.mozilla.components:concept-tabstray
> 
> # A customizable Awesome Bar implementation for browsers
> mozilla_browser_awesomebar -> org.mozilla.components:browser-awesomebar
> 
> # APIs for managing localized and customizable domain lists
> mozilla_browser_domains -> org.mozilla.components:browser-domains
> 
> # A customizable tabs tray for browsers implementation
> mozilla_browser_tabstray -> org.mozilla.components:browser-tabstray
> 
> # A generic menu implementation with customizable items
> mozilla_browser_menu -> org.mozilla.components:browser-menu
>
> # Search plugins and companion code to load, parse and use them
> mozilla_browser_search -> org.mozilla.components:browser-search
>
> # A generic representation of a browser Session and a SessionManager to link browser sessions to underlying Engine Sessions and SessionStorage
> mozilla_browser_session -> org.mozilla.components:browser-session
> 
> # A customizable toolbar for browsers
> mozilla_browser_toolbar -> org.mozilla.components:browser-toolbar
> 
> # Contains building blocks for features implemented as web extensions
> mozilla_support_extensions -> org.mozilla.components:support-webextensions
> 
> # Provides functionality for managing add-ons
> mozilla_feature_addons -> org.mozilla.components:feature-addons
> 
> # Ties together an FxaAccountManager with the tabs feature, to facilitate OAuth authentication flows managed by the account manager
> mozilla_feature_accounts -> org.mozilla.components:feature-accounts
> 
> # Connects a concept-awesomebar implementation to a concept-toolbar implementation and provides implementations of various suggestion providers
> mozilla_feature_awesomebar -> org.mozilla.components:feature-awesomebar
> 
> # Displaying context menus when *long-pressing* web content
> mozilla_feature_contextmenu -> org.mozilla.components:feature-contextmenu
>
> # Providing Custom Tabs functionality in browsers
> mozilla_feature_customtabs -> org.mozilla.components:feature-customtabs
> 
> # Provides website media related features
> mozilla_feature_media -> org.mozilla.components:feature-media
> 
> # Handles common prompt dialogs from web content like select, option and menu html elements
> mozilla_feature_prompts -> org.mozilla.components:feature-prompts
> 
> # Implementation for Progressive Web Apps (PWA)
> mozilla_feature_pwa -> org.mozilla.components:feature-pwa
> 
> # Connects an (concept) engine implementation with the browser search module
> mozilla_feature_search -> org.mozilla.components:feature-search
>
> # Connects an (concept) engine implementation with the browser session module
> mozilla_feature_session -> org.mozilla.components:feature-session
>
> # Connects a (concept) toolbar implementation with the browser session module
> mozilla_feature_toolbar -> org.mozilla.components:feature-toolbar
> 
> # Connects a tabs tray implementation with the session and toolbar modules
> mozilla_feature_tabs -> org.mozilla.components:feature-tabs
> 
> # Provides Find in Page functionality
> mozilla_feature_findinpage -> org.mozilla.components:feature-findinpage
> 
> # Shows site permission request prompts
> mozilla_feature_site_permissions -> org.mozilla.components:feature-sitepermissions
> 
> # Wraps/Provides a Reader View WebExtension
> mozilla_feature_readerview -> org.mozilla.components:feature-readerview
> 
> # Implementation for saving, restoring and organizing collections of tabs
> mozilla_feature_tab_collections -> org.mozilla.components:feature-tab-collections
> 
> # Implementation for saving and removing top sites 
> mozilla_feature_top_sites -> org.mozilla.components:feature-top-sites
> 
> # Displays web notifications
> mozilla_feature_webnotifications -> org.mozilla.components:feature-webnotifications
> 
> # Base or core component containing building blocks and interfaces for other components
> mozilla_support_base -> org.mozilla.components:support-base
>
> # A set of (Mozilla) Kotlin extensions on top of the Android framework and Kotlin standard library
> mozilla_support_ktx -> org.mozilla.components:support-ktx
> 
> # Enables logging from Rust code.
> mozilla_support_rustlog -> org.mozilla.components:support-rustlog
> 
> # Generic utility classes to be shared between projects.
> mozilla_support_utils -> org.mozilla.components:support-utils 
> 
> # Allow apps to change the system defined language by their custom one
> mozilla_support_locale -> org.mozilla.components:support-locale
> 
> # The standard set of Photon colors
> mozilla_ui_colors -> org.mozilla.components:ui-colors
> 
> # A collection of often used browser icons.
> mozilla_ui_icons -> org.mozilla.components:ui-icons
> 
> # A library for reading and using the Public Suffix List.
> mozilla_ui_publicsuffixlist -> org.mozilla.components:lib-publicsuffixlist
>
> # More AndroidX compatibility libraries
> androidx_legacy -> androidx.legacy:legacy-support-v4
> androidx_paging -> androidx.paging:paging-runtime-ktx
> androidx_preference -> androidx.preference:preference-ktx
> androidx_fragment -> androidx.fragment:fragment-ktx
> androidx_navigation_fragment -> androidx.navigation:navigation-fragment-ktx
> androidx_navigation_ui -> androidx.navigation:navigation-ui 
> androidx_recyclerview -> androidx.recyclerview:recyclerview
> androidx_lifecycle_livedata -> androidx.lifecycle:lifecycle-livedata-ktx
> androidx_lifecycle_runtime -> androidx.lifecycle:lifecycle-runtime-ktx
> androidx_lifecycle_viewmodel -> androidx.lifecycle:lifecycle-viewmodel-ktx
> androidx_core -> androidx.core:core
> androidx_core_ktx -> androidx.core:core-ktx
> androidx_transition -> androidx.transition:transition
> androidx_work_ktx -> androidx.work:work-runtime-ktx
>
> # Material Components for Android
> google_material -> com.google.android.material
> 
> # Provides similar capabilities of CSS Flexible Box Layout Module
> google_flexbox -> com.google.android:flexbox
> 
> # Renders After Effects animations in real time
> lottie -> com.airbnb.android:lottie

Disable

> # Implements push notifications with a supported push service
> mozilla_feature_push -> org.mozilla.components:feature-push
> 
> # Feature implementation for apps that want to use Android downloads manager
> mozilla_feature_downloads -> org.mozilla.components:feature-downloads
> 
> # High-level descriptions/contracts of a push service component
> mozilla_concept_push -> org.mozilla.components:concept-push
> 
> # Client-side telemetry SDK for collecting metrics and sending them to Mozilla's telemetry service
> mozilla_service_glean -> org.mozilla.components:service-glean
> 
> # SDK for running experiments on user segments in multiple branches
> mozilla_service_experiments -> org.mozilla.components:service-experiments
> 

Must Audit

> # An implementation for loading and storing website icons (like favicons)
> mozilla_browser_icons -> org.mozilla.components:browser-icons
>
> # Maintains the centralized state of a browser engine
> mozilla_browser_state -> org.mozilla.components:browser-state
> 
> # A syncable implementation of `concept-storage` backed by application-services' Places lib
> mozilla_browser_storage_sync -> org.mozilla.components:browser-storage-sync
> 
> # High-level descriptions/contracts of a data synchronization service component
> mozilla_concept_sync -> org.mozilla.components:concept-sync
>
> # Provides functionality for scanning QR codes
> mozilla_feature_qr -> org.mozilla.components:feature-qr
>
> # Support opening non-browser apps and `intent://` style URLs
> mozilla_feature_app_links -> org.mozilla.components:feature-app-links
> 
> # Provides intent processing functionality by combining various other feature modules
> mozilla_feature_intent -> org.mozilla.components:feature-intent
> 
> # Implementation for saving and sorting recent apps used for sharing
> mozilla_feature_share -> org.mozilla.components:feature-share
> 
> # Sends tabs to other devices with a registered FxA Account
> mozilla_feature_accounts_push -> org.mozilla.components:feature-accounts-push
> 
> # Website-hotfixing via the Web Compatibility System-Addon
> mozilla_feature_webcompat -> org.mozilla.components:feature-webcompat
> 
> # Integrating with Firefox Sync - Logins
> mozilla_service_sync_logins -> org.mozilla.components:service-sync-logins
> 
> # Integrating with Firefox Accounts
> mozilla_service_firefox_accounts -> org.mozilla.components:service-firefox-accounts
> 
> # Accessing Mozilla's and other location services
> mozilla_service_location -> org.mozilla.components:service-location
> 
> # A generic crash reporter component that can report crashes to multiple services
> mozilla_lib_crash -> org.mozilla.components:lib-crash
> 
> # Helper code to migrate from a Fennec-based (Firefox for Android) app to an Android Components based app
> mozilla_support_migration -> org.mozilla.components:support-migration
>
> # A concept-push implementation using Firebase Cloud Messaging (FCM)
> mozilla_lib_push_firebase -> org.mozilla.components:lib-push-firebase
> 
> # A component using AndroidKeyStore to protect user data
> mozilla_lib_dataprotect -> org.mozilla.components:lib-dataprotect
> 
> androidx_biometric -> androidx.biometric:biometric

Exclude (best-effort, many of these are disabled already due to missing API keys)

> # Error/crash monitoring
> sentry -> io.sentry:sentry-android
> 
> # Customer engagement (with Firebase Cloud Messaging)
> leanplum_core -> com.leanplum:leanplum-core
> leanplum_fcm -> com.leanplum:leanplum-fcm
> 
> # Mobile measurement and fraud prevention (tracks app installation)
> adjust -> com.adjust.sdk:adjust-android
> 
> # Install Referrer
> installreferrer // Required by Adjust -> com.android.installreferrer:installreferrer
>
> # Obtain the Google Advertising ID from the device for use as a unique telemetry identifier
> google_ads_id // Required for the Google Advertising ID -> com.google.android.gms:play-services-ads-identifier
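
One way to turn the partition in comment:3 into a repeatable build check, as an added example that is not part of the ticket or of Fenix: it resolves `Deps.` aliases the way comment:2 describes, skips test configurations, and reports any dependency that is excluded but still referenced or that has no category yet. The `Dependencies.kt` and `build.gradle` snippets are constructed (their layout is an assumption), `example_new_sdk` is hypothetical, and the policy holds only a few entries copied from comment:3.

```python
import re

# Constructed stand-in for buildSrc/src/main/java/Dependencies.kt (layout assumed).
DEPENDENCIES_KT = '''
object Deps {
    const val kotlin_stdlib = "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${Versions.kotlin}"
    const val mozilla_service_glean = "org.mozilla.components:service-glean:${Versions.mozilla_android_components}"
    const val mozilla_feature_pwa = "org.mozilla.components:feature-pwa:${Versions.mozilla_android_components}"
    const val mozilla_lib_crash = "org.mozilla.components:lib-crash:${Versions.mozilla_android_components}"
    const val adjust = "com.adjust.sdk:adjust-android:${Versions.adjust}"
    const val example_new_sdk = "com.example:new-sdk:1.0"
}
'''

# Constructed build script; only the Deps.<alias> references matter here.
BUILD_GRADLE = '''
dependencies {
    implementation Deps.kotlin_stdlib
    implementation Deps.mozilla_service_glean
    implementation Deps.mozilla_feature_pwa
    implementation Deps.mozilla_lib_crash
    implementation Deps.adjust
    implementation Deps.example_new_sdk
    testImplementation Deps.junit
}
'''

# A few entries from the comment:3 partition, keyed by group:artifact.
POLICY = {
    "include": {"org.jetbrains.kotlin:kotlin-stdlib-jdk7",
                "org.mozilla.components:feature-pwa"},
    "disable": {"org.mozilla.components:service-glean"},
    "must-audit": {"org.mozilla.components:lib-crash"},
    "exclude": {"com.adjust.sdk:adjust-android"},
}

ALIAS_RE = re.compile(r'const\s+val\s+(\w+)\s*=\s*"([^":]+):([^":]+)(?::[^"]*)?"')
USE_RE = re.compile(r"\bDeps\.(\w+)")


def parse_aliases(kt_text):
    """Map each alias to its group:artifact coordinate, dropping the version."""
    return {m.group(1): f"{m.group(2)}:{m.group(3)}" for m in ALIAS_RE.finditer(kt_text)}


def used_aliases(gradle_text):
    """Aliases referenced outside test configurations, de-duplicated and sorted."""
    found = set()
    for line in gradle_text.splitlines():
        if line.strip().lower().startswith(("test", "androidtest")):
            continue  # tests are filtered out, as in comment:2
        found.update(USE_RE.findall(line))
    return sorted(found)


def classify(gradle_text, kt_text, policy):
    """Sort every referenced dependency into its policy category."""
    aliases = parse_aliases(kt_text)
    by_coord = {c: cat for cat, coords in policy.items() for c in coords}
    report = {cat: [] for cat in policy}
    report["unclassified"] = []  # resolved, but nobody has decided yet
    report["unresolved"] = []    # alias used but not defined
    for alias in used_aliases(gradle_text):
        coord = aliases.get(alias)
        if coord is None:
            report["unresolved"].append(alias)
        else:
            report[by_coord.get(coord, "unclassified")].append(coord)
    return report


def gate(report):
    """Findings that should fail the build; an empty list means the check passes."""
    problems = [f"excluded dependency still referenced: {c}" for c in report["exclude"]]
    problems += [f"no category assigned: {c}" for c in report["unclassified"]]
    problems += [f"alias not defined in Dependencies.kt: {a}" for a in report["unresolved"]]
    return problems


if __name__ == "__main__":
    for finding in gate(classify(BUILD_GRADLE, DEPENDENCIES_KT, POLICY)):
        print(finding)
```

This only covers the first layer of dependencies; anything pulled in transitively needs the same treatment against the resolved dependency graph.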

comment:4 Changed 12 days ago by gaba

Sponsor: Sponsor58-must

comment:5 Changed 9 days ago by gk

Thanks, that's a good start. Two thoughts while skimming the list (I did not look carefully yet)

1) At least the progressive web apps (PWA) part should probably be in the Must Audit section. We even have a ticket for that already: #25845 :)

2) I was wondering how the dependencies those dependencies have would influence where we put them category-wise. So, starting with one layer seems good to me but I feel we might need to dig deeper to have a final assessment. One of the things I am already wary of is getting all the application-services parts roped in "for free". Probably not all components need that (I've not checked) but I bet some would move into the Must Audit part alone due to that. And there's probably other stuff that is bubbling in this morass, under the quiet surface... :)

Last edited 8 days ago by gk