Firefox Android Sync is here! Uh, wait....

A new version of Firefox that runs on Android phones includes a feature called Sync.  If you activate it, Sync synchronizes your bookmarks, browsing history, open tabs, and passwords between your desktop computer and your phone.  Doesn't that sound awesome?  No more fumbling around with Delicious for bookmarks or mSecure for website passwords!

...Until you think about security.  Imagine this scenario:  you do some online banking at home, and the next day you lose your phone.  The person who finds your phone notices that you have Firefox, so he opens the browser and types "bank" into the URL bar.  Autocomplete helpfully fills in the name of your bank, and the phone automatically logs in to the site.  He's in your checking account.

What does Mozilla have to say about Sync's security?  On Mozilla's Sync page, they assure you that your data is encrypted so the "bad guys" (their words, not mine) can't intercept it or decode it.  After some digging, I was able to learn that your passwords are stored on Mozilla's servers; they are encrypted during transmission and in storage.  That will be good enough for most people, to the extent that you trust Mozilla, and as long as nobody touches your phone.

Here's what Mozilla says to do in the event that you lose your phone.  In a nutshell, you have to change your Sync password and then change every password you used in Firefox, because until you do, your phone can log into all those sites even though it's no longer syncing.  Wow, better be quick and thorough.

So can I use Sync for bookmarks but, say, not for passwords?  Apparently not, according to the answers at this Mozilla support forum query.  The last answer sums up my feelings about it pretty well.

Firefox, this is half-baked.  It's dangerous.  You are giving tools to thieves and setting up your users for some serious pain.  Pull the plug on Sync and fix it.