[guardian-dev] Tor Browser for Android

BM-2D8PEYnrD5WdZsZyUoM771P9m9puJLtZXW at bitmessage.ch
Thu Aug 29 12:21:16 EDT 2013


Hi,

I saw the recent discussions about Orweb and wanted to contribute. I
believe creating a Tor Browser Mobile (based on Firefox Mobile) is the
only way to go. It would be really great.

Some months ago, I tried to create a Tor Browser for myself on Android.
Firefox Mobile had just started shipping with the Private Browsing
mode. I spent a few weeks making it look like an ordinary Tor Browser on
a PC. I don't know programming but I can edit or copy simple code. As a
result, it had a very similar fingerprint behavior and lots of features
from Tor Browser, except the patches made on Firefox (I only copied the
code to fake the timezone).

So here are the steps I did as I remember:

1- Downloaded the HTTPS Everywhere add-on version 2.2.3 and added the code
(install.rdf file) to make it work for Firefox Mobile (Android).
Naturally, it didn't have a GUI but it worked.

2- I downloaded the latest development version (4.x) of https-everywhere
and copied the rulesets from it to my modified add-on (2.2.3).

3- I compared almost every single preference between my Firefox and the
Tor Browser on PC. Copied lots of the prefs, modified some to fit
Mobile Firefox. Since the Mobile version also has its own preferences, I
tried to learn what each of them does and configured them for best
protection (like disabling sensors, camera etc.).

4- With the private browsing pref, even though the browser doesn't open
the private browsing mode by default, it was acting like the Private mode
in the normal mode too. No history was being logged.

5- I couldn't find how to manually change the prefs for a Firefox Mobile
installation. So I added my prefs to the defaults/preferences.js file of
my modified add-on (https-everywhere). This way, even if the preferences
change when you use Firefox, after restarting the browser the prefs will
be set to default again.

6- The results on the ip-check.info test were nearly identical except the
time zone and screen size. Since it was easy to apply, I copied the
timezone patch code from Tor Browser to my modified add-on (to the
/components/https-everywhere.js file) so it looked like UTC on the tests.
Using a pref from Firefox Mobile, the width looks like 1000px on the test
but there isn't (or I couldn't find) anything for height. So height was
unique.

7- There is a mobile version of NoScript which is still alpha but it
works. http://noscript.net/nsa/ Considering the screen size fingerprint
issue, it's better to disable JavaScript by default in NoScript (the other
JavaScript fingerprints are the same as Tor Browser), but I found it a
little time consuming and hard to enable scripts per-site using NoScript.
There seems to be a new version of it since I used it. Maybe things got
better.

8- Now, everything was working functionally but when monitoring the
network I found it was possibly leaking some DNS (I'm still not sure,
Orbot was showing warnings and sometimes the monitoring app was catching
requests, not always). So, as a workaround I used a good firewall for
Android and didn't allow Firefox to connect to the internet at all (by
blocking the direct use of cellular network or wifi) but since it was
configured to go through Orbot it was working and it became very secure.
Even if there were no leaks or we/you patched Firefox or found a pref to
prevent any possible DNS or other leaks, using a firewall should still be
strongly recommended.

9- I also tried the Adblock Plus extension (of course, not recommended for
fingerprint issues). The GUI wasn't letting me edit the lists so I copied
them (elemhide and patterns) from my PC and it worked well.

10- Everything was great for my expectations. The main drawback is that,
since there were lots of rulesets in the development version of
https-everywhere and Adblock Plus had a huge list, fully starting the
browser was taking 15-20 seconds and it was using more RAM than regular
Firefox Mobile. So it's better to have a powerful device with lots of RAM
and a fast processor.

This was a quick post, not very detailed; you may ask any questions. I can
help if you are considering getting TBB on Android. It would be great to
have all the missing patches from Tor Browser too, which I cannot
implement myself.
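
The preference comparison in step 3 and the defaults/preferences.js overlay in step 5 can be scripted rather than done by hand. The following is an added example, not code from the original post: the function names are hypothetical, and the two sample profiles and their pref values are constructed for illustration.

```javascript
// Diff a reference prefs file against a mobile profile and emit overlay lines.
const PREF_LINE = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;

// Parse pref lines into a Map of name -> value (string, boolean or number).
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a pref call
    try {
      prefs.set(m[1], JSON.parse(m[2])); // simple pref literals parse as JSON
    } catch (e) { /* not a plain string/bool/int literal: skip it */ }
  }
  return prefs;
}

// Prefs that the mobile profile lacks or sets differently from the reference.
function diffPrefs(reference, mobile) {
  const out = [];
  for (const [name, want] of reference) {
    const have = mobile.get(name); // undefined when the pref is absent
    if (have !== want) out.push({ name, want, have });
  }
  return out.sort((a, b) => a.name.localeCompare(b.name));
}

// Render the diff as default-pref lines for an add-on's defaults/preferences.js.
function renderOverlay(diff) {
  return diff
    .map(d => `pref(${JSON.stringify(d.name)}, ${JSON.stringify(d.want)});`)
    .join("\n");
}

// Constructed sample: reference (desktop) profile values.
const REFERENCE_PREFS = `
// comment lines are ignored
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("browser.privatebrowsing.autostart", true);
user_pref("geo.enabled", false);
`;
// Constructed sample: mobile profile before hardening.
const MOBILE_PREFS = `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks_port", 9050);
user_pref("geo.enabled", true);
`;

console.log(renderOverlay(diffPrefs(parsePrefs(REFERENCE_PREFS), parsePrefs(MOBILE_PREFS))));
```

Reviewing the printed lines before copying them into the add-on keeps desktop-only prefs out of the mobile build.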



