ClassyShark3xodus found five trackers inside Tor browser

Adjust
Google Firebase Analytics
LeanPlum
Sentry

* Adjust
157 com.adjust.sdk.

* Google Firebase Analytics
1 com.google.firebase.analytics.

* LeanPlum
317 com.leanplum.

* Google Play Install Referrer
13 com.android.installreferrer

* Sentry
3 io.sentry

What do you guys think?
No anti feature warnings.
No other app I ever used from F-droid had any trackers.

3 Likes
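An added example (not part of the original post, and not ClassyShark3xodus's own code): a minimal Python scanner that reads class names out of a `classes.dex` image and counts those under the package prefixes listed in the report above. It assumes detection is plain prefix matching on class names; the function names and the sample DEX are constructed for illustration. A match shows that classes exist under a prefix, not that they ever run.

```python
import struct
# Package prefixes exactly as listed in the report above.
SIGNATURES = {
    "Adjust": "com.adjust.sdk.",
    "Google Firebase Analytics": "com.google.firebase.analytics.",
    "LeanPlum": "com.leanplum.",
    "Google Play Install Referrer": "com.android.installreferrer",
    "Sentry": "io.sentry",
}

def dex_class_names(dex):
    """Return dotted names of every class defined in one classes.dex image."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    _, s_off, _, t_off = struct.unpack_from("<4I", dex, 0x38)  # string_ids, type_ids
    c_n, c_off = struct.unpack_from("<2I", dex, 0x60)          # class_defs
    names = []
    for i in range(c_n):
        type_idx = struct.unpack_from("<I", dex, c_off + 32 * i)[0]  # class_idx
        str_idx = struct.unpack_from("<I", dex, t_off + 4 * type_idx)[0]
        p = struct.unpack_from("<I", dex, s_off + 4 * str_idx)[0]
        while dex[p] & 0x80:          # skip ULEB128 continuation bytes
            p += 1
        p += 1                        # skip the final length byte
        desc = dex[p:dex.index(b"\0", p)].decode("utf-8", "replace")
        names.append(desc[1:-1].replace("/", "."))  # "Lio/sentry/Hub;" -> dotted
    return names

def count_tracker_classes(names):
    """Count classes per signature; a hit proves presence, not execution."""
    return {t: sum(n.startswith(p) for n in names) for t, p in SIGNATURES.items()}

def build_sample_dex(descriptors):
    """Constructed test input: header and id tables only, not an installable DEX."""
    n = len(descriptors)
    s_off, t_off, c_off, d_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n, 0x70 + 40 * n
    data, offs = b"", []
    for d in descriptors:             # each descriptor must be < 128 ASCII chars
        offs.append(d_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\0"
    hdr = bytearray(b"dex\n035\0".ljust(0x70, b"\0"))
    struct.pack_into("<4I", hdr, 0x38, n, s_off, n, t_off)
    struct.pack_into("<2I", hdr, 0x60, n, c_off)
    ids = struct.pack(f"<{n}I", *offs) + struct.pack(f"<{n}I", *range(n))
    ids += b"".join(struct.pack("<I", i) + bytes(28) for i in range(n))
    return bytes(hdr) + ids + data

# Constructed class names, for illustration only.
SAMPLE = build_sample_dex(["Lio/sentry/Hub;", "Lcom/leanplum/Leanplum;",
                           "Lcom/adjust/sdk/Adjust;", "Lorg/example/browser/Main;"])
```

To scan a real APK, open it with `zipfile.ZipFile` and pass each `classes*.dex` member's bytes to `dex_class_names`.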

Tor browser is not provided by F-Droid afaik, which app do you mean?

1 Like

Tor browser is provided through official Guardian repository. Google it.

1 Like

so you probably want to discuss this with the Guardian people, this is the F-Droid forum ;).
Note that anti features are set by the repo provider, not by F-Droid.

1 Like

Yes, it is provided by the official Guardian repo, but only the apps on the main repo have the warning signs, not the custom repos. Also, Mozilla has a record of putting trackers into their apps, so it isn’t surprising at all.

1 Like

No, I don’t want to discuss it with Guardian people because they did it on purpose.

My goal is to raise the question about “the most privacy oriented” browser.

“Why F-Droid?”
Because folks here understand privacy.

So thanks for the participation.

If your goal is more privacy oriented browser on Android, you could check out
@Fermion

I’m aware of that.
Like I already said, the goal is to raise the question, because I didn’t find any discussions regarding this matter on public forums.

Thanks for your contribution.

Thanks, I already read that discussion.
The browser comparison is awesome.

Unfortunately, there is no other browser than Tor with an integrated Onion router.

1 Like

It is quite funny to say that Tor Browser is the most privacy concerned browser because it connects to different places and that hides your identity when the app itself tracks you.

I have one question in mind, what is the purpose of putting it on their repo for F-Droid users? As you said, people here understand privacy and they trust F-Droid apps, but this makes me think of the purpose of Tor Browser being on F-Droid, to gain your trust?

3 Likes

I think this is a valid place to raise this question as the F-Droid client ships with the Guardian Project repositories included in the app (although they are disabled by default). If F-Droid did not include these repositories and the user had to add them manually, then it would be appropriate to say that the issue should be taken up directly with the Guardian Project.

6 Likes

I totally agree, there was a moment of me being ‘Oh wait, Tor Browser is on F-Droid’ and used it, but after some deeper dive, I am like ‘SCAM!’. In my opinion, although there might be some difficulty, other repo should either be marked as well or be removed from the default list, it is quite misleading!

3 Likes

Tor has a reputation for protecting your privacy, but in practice I feel like they don’t often take privacy seriously. For example, consider their stance on JavaScript, which has a long history of being able to unmask Tor users.

2 Likes

In this case all of those trackers are open source, and they are disabled at compile time: Disable features and functionality (ba587e04) · Commits · The Tor Project / Applications / fenix · GitLab

Guardian Project merely hosts the Tor Browser apps on its repo on behalf of the Tor Project.
And there is some overlap between the Guardian Project and F-Droid members.

2 Likes

Thank you very much for your response.

Good to know that trackers are disabled at the source code stage, still, in my opinion,
all apps have to be trustless
No=No, Yes≠No

In the case of the Tor Project, the clients are still left with only two options: Trust or Not Trust that the compiled file remains in the same state as the source code.

What is your opinion on the shell game?

Is there no option to completely remove all those trackers? I guess so, then all that seems to be a con game, isn’t it?

If you’re really paranoid, you can download the source and compile your own. Or pay someone you trust to do it for you. Then you will know for sure. Assuming you also pay for a thorough code review…

Some people recommend NOT logging into accounts while using Tor browser. That said, there are a number of tests you can do to see how well tracking, if any, works while using Tor browser. In general, you will find some sites will not let you login, or may not even let you view the site properly, until you prove who you are to their satisfaction, by playing (sometimes endless) Captcha games, using two-factor logins, etc. Some sites won’t let you create new accounts with Tor browser…

Even at super-tracker websites like Google search, they will accuse you of being a robot, and sometimes won’t even let you play Captcha games, saying something like “try again later.” Another fun game to play is “where does G-map think I am?” Pulldown, New Tor Circuit, try again. Repeat.

So there could be backdoors and tracking routines, but if so, most sites do a great job pretending otherwise.

1 Like

You missed the point of the conversation.

The topic is not about myself, but trackers inside an open source project available through The Guardian Project included on F-Droid by default.

1 Like

Linguistic note for the tender: “you’re” is used here by me like “one”, as in general 3rd person, and not directed at any particular poster.

Very similar tracker issue was raised before,

though there is now an explicit tracking warning in Fennec’s description…

So little time, so little trust…

No other app I ever used from F-droid had any trackers.

What about that ACRA tracker reported by CS3x for F-droid app itself? (rhetorical)

FYI, the reproducible build “streets” at Guardian and F-droid intersect with @eighthave .

So, F-droid and Guardian project may well be a joint US/UK “con game” honeypot operation being run by the usual agencies. Or maybe CS3x is a French counter-counter operation… Unless you’re paranoid or criminal, for practical purposes, I think Tor browser works quite well. That’s why I don’t worry about those trackers, stubs or not, or a reproducible build “con game” too much. To more 3xplicitly answer your question.

Maybe a d3velop3r can explain the difficulty completely removing trackers from browsers (and OSs).

One could also ask CS3x developers if one has found a false positive. :wink:

A remark from Edward Snowden
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

I see you don’t understand the very concept of privacy. Unfortunately, a lot of people don’t, especially in the USA, China and North Korea.

Nevertheless every opinion is welcome.

2 Likes

explain the difficulty completely removing trackers from browsers

In this case our fellow @relan did the work to remove trackers from Fenix.
relan / fennecbuild · GitLab is used by Fennec F-Droid and Mull.

If you want to remove code from a fork and intend to keep your fork up to date you only have a few choices

  • you can edit the functions to do nothing
  • you can remove the functions, but then you have to remove all calls to said functions

Editing the functions to do nothing is way easier, since you don’t have to grep through the code every release for new calls to them.

In this case however, the code has an option to be disabled and do nothing and that is what Tor Project decided was the easiest way for them to disable the trackers.

For what it is worth, Tor Browser on Android is primarily maintained by a single person. Not some big team. It is somewhat understandable that they would go with such a path of least resistance.

You might say, “but relan is one person too, why can’t sysrqb just do the same?”. And the answer is probably because the main feature of Fennec F-Droid is being deblobbed and not much else. But the main feature of Tor Browser for Android is the Tor routing, which needs to be tested to ensure no proxy leaks and that all the isolation features function correctly. So different allocation of resources/time.

2 Likes