Opt-in to Arm MTE for debug and daily#9820
Thanks for bringing this up. @wmontwe @rafaeltonholo I'd like to add this to a meeting or thread to discuss since security related work should probably get more eyes.
Thanks for bringing this to our attention. After some discussion with @wmontwe we don't currently have the testing bandwidth to safely enable this. We believe this should be fairly extensively tested before we'd be comfortable including the MTE changes in the app. I'm going to leave this PR up so that once we feel we can sufficiently test, it is top of mind.
@thgoebel We don't have test devices with GrapheneOS to verify these changes. But we could add this setting to the develop and daily versions of Thunderbird. It would require updating the manifest files within. If there are any volunteers in the community with GrapheneOS, they could help by testing our daily version for compatibility once this patch is merged. If there is positive feedback we could enable it for all versions. What do you think?
Sounds good, I moved the manifest tag to debug and daily. Note that with this change, you don't need GrapheneOS, you only need a Pixel 8 or later. This change works on any ROM, including stock. GrapheneOS is only relevant because it allows users to force-enable MTE for apps where the developer has not opted in via the manifest. This is how I'm using all my apps (including Thunderbird). In the past year I have seen basically no crashes, only in two apps (Proton Mail and Apple Music). TLDR: By opting in via the manifest, any community member with a Pixel 8 or later can test MTE (on debug/daily), no matter which ROM they are using. Rolling it out to daily first (and later beta?) makes sense.
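For readers who want to see what "opting in via the manifest" for only some build variants looks like, here is an added illustration. It is not the PR's diff and not Thunderbird's actual manifest; the source-set path and the choice of `async` are assumptions. The mechanism itself is standard Android: the `android:memtagMode` attribute on `<application>` is honoured on Android 13+ devices whose hardware supports MTE and ignored everywhere else, and the manifest merger folds an attribute placed in a variant-specific manifest into the main manifest's `<application>` for that variant only.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Thunderbird's own manifest.
     Assumed location: the debug (or daily) source set, e.g.
     src/debug/AndroidManifest.xml, so the merger applies the attribute
     only to those build variants and release builds are unaffected. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- memtagMode applies to the whole app process: Kotlin/Java code,
         any bundled .so files, and framework native code the app calls.
         Values: "off", "default", "async", "sync".
           async - lower overhead; a tag mismatch is reported, but the
                   faulting instruction is not pinpointed.
           sync  - precise fault address in the crash report; higher
                   overhead, so better suited to debug/daily testing. -->
    <application android:memtagMode="async" />

</manifest>
```

If the main manifest already sets `android:memtagMode`, the merger will flag the conflict and the variant manifest needs `xmlns:tools="http://schemas.android.com/tools"` plus `tools:replace="android:memtagMode"` on `<application>`; if it does not, the attribute is simply added. Note that `memtagMode` only requests MTE from the system: on devices without MTE hardware (anything before Pixel 8 on the Pixel line) the attribute has no effect, which is why testing needs a Pixel 8 or later as the comment above says.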
Thanks for the detailed explanation. Then I could use my Pixel 9 to test daily. When this results in a stable experience, we could enable MTE for beta and test with a larger audience. I created a ticket to keep track of these changes: #10053

Thanks for your contribution! Your pull request has been merged and will be part of Thunderbird 15. We appreciate the time and effort you put into improving Thunderbird. If you haven't already, you're welcome to join our Matrix chat for contributors. It's where we discuss development and help each other out. https://matrix.to/#/#tb-android-dev:mozilla.org
This is an easy security improvement (at least for users with Google Pixel 8 and later, which have the hardware for MTE).
TFA doesn't have any explicit native code afaik, but there are some .so files in the APK (from Compose?), and also Android framework code that TFA calls might have native code. All of that runs in the app's process, so opting in to MTE will cover that. TFA parses attacker controlled data (emails), so enabling MTE is an easy defense-in-depth.
I've been running TFA on a Pixel 8a with GrapheneOS and MTE force-enabled for a few months now without any issues.
Still, I recommend that you test this again on an MTE-compatible device (Pixel 8 and later), just to be sure :)
For background on MTE, see: