Firefox for Android uses best practices for security testing and adheres to Mozilla secure-development guidelines, just like desktop Firefox. We use a form of security testing called fuzzing to make sure Firefox for Android is robust enough to handle all kinds of crazy data without crashing. We do specific testing for the ARM processor, conduct thorough design reviews and code reviews, and perform hostile testing in the same form as is done for desktop Firefox.
Permissions
We also review the permissions to ensure we don't have any that we don't need, and then document them; see How does Firefox for Android use the permissions it requests?.
Automatic Updates
An important part of staying safe online is updating your browser regularly for security improvements. With Firefox, you get updates every six weeks that inherit all of the security updates we develop for desktop Firefox. So, you get the benefit of the 450 million users who depend on Firefox for security on their desktops when you use Firefox for Android. If there is a security threat out there, chances are we know about it and we'll get a fix into Firefox for Android sooner than other mobile browsers will. Because you can get automatic updates through the market, without any dependence on your carrier, Mozilla can respond to any threat quickly.
Content and Transport Security
Firefox for Android also has the same strong content security policy and strict transport policy as desktop Firefox, requiring that pages be served over SSL so that the connection is encrypted and can't be intercepted, and preventing scripting attacks. We also alert you to any known malicious sites before loading them in Firefox for Android.
Data Encryption
Mozilla offers Sync services, so you don't need to type your password where someone might see it, and you can use a strong password without having to type it on a mobile keyboard because it syncs with your desktop Firefox. Mozilla encrypts your synced data, so we don't have access to your bookmarks, history, passwords or form field data such as your address, (possibly) card info, your name, or anything else you type into a field. We lock it and no one but you has the key. Passwords are stored internally to Firefox, in a place where only Firefox can access them and other programs cannot. Even if malware infected your device, it couldn't access your data.
Plugin Safety
Firefox for Android uses 'tap to play' for plugins by default, so you can safely go to any website without the worry of being hacked by plugins. You would have to tap a plugin to get hacked. This also lets you browse with better performance and without annoying ads. You can also completely disable JavaScript in your settings for the safest possible mobile browsing, since pages can't run any scripts.
Privacy Controls
Firefox for Android provides a suite of Privacy & Security settings so you can regularly clear your history and private data to stay safe. You can also configure a master password and enable Do Not Track to secure your browser if your device is stolen and prevent advertisers from tracking your browsing patterns.
Phishing and Malware Protection
Firefox for Android's phishing and malware protection works by regularly updating a local list of known bad sites, graciously provided by Google through their SafeBrowsing database. Whenever Firefox detects that you navigate to such a site, or that a page you visit is trying to pull data from it, Firefox will present you with a warning page and allow you to abort the operation.
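The check described above can be sketched as follows. This is an added example, not Firefox code: it assumes the local list holds plain hostnames (the real list format and update protocol are not described here), and the function names and example.test hosts are made up for illustration.

```javascript
// Constructed sample list; the example.test names are placeholders, not real entries.
const localList = new Set(["phish.example.test", "malware-cdn.example.test"]);

// Apply a periodic update to the local copy (assumed shape: hosts to add and remove).
function applyUpdate(list, update) {
  for (const h of update.remove || []) list.delete(normaliseHost(h));
  for (const h of update.add || []) list.add(normaliseHost(h));
  return list;
}

// Lower-case the hostname and drop a trailing dot so variants compare equal.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True if the host or one of its parent domains is listed. Matching is done on
// whole labels, so "notphish.example.test" does not match "phish.example.test".
function isListed(host, list) {
  const labels = normaliseHost(host).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Check the navigation target first, then every resource the page pulls in.
function checkLoad(pageUrl, resourceUrls, list) {
  const page = new URL(pageUrl);
  if (isListed(page.hostname, list)) {
    return { action: "warn", reason: "navigation", url: page.href };
  }
  for (const r of resourceUrls) {
    const res = new URL(r, page); // resolve relative URLs against the page
    if (isListed(res.hostname, list)) {
      return { action: "warn", reason: "subresource", url: res.href };
    }
  }
  return { action: "allow" };
}
```

Both outcomes marked "warn" correspond to the warning page: one for a listed site you navigate to, the other for a clean page that tries to pull data from a listed site.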