Classyshark3exydus found five trackers inside Tor browser

Thank you very much for your response.

Good to know that trackers are disabled at the source code stage, still, in my opinion,
all apps have to be trustless
No=No, Yes≠No

In case of the Tor Project the clients still left with only two options, Trust or Not Trust that compiled file remains in the same state as the source code.

What is your opinion on the shell game?

Is there no option to completely remove all those trackers? I guess so, then all that seems to be a con game, isn’t it?

If you’re really paranoid, you can download the source and compile your own. Or pay someone you trust to do it for you. Then you will know for sure. Assuming you also pay for a thorough code review…

Some people recommend NOT logging into accounts while using Tor browser. That said, there are a number of tests you can do to see how well tracking, if any, works while using Tor browser. In general, you will find some sites will not let you login, or may not even let you view the site properly, until you prove who you are to their satisfaction, by playing (sometimes endless) Captcha games, using two-factor logins, etc. Some sites won’t let you create new accounts with Tor browser…

Even at super-tracker websites like Google search, they will accuse you of being a robot, and sometimes won’t even let you play Captcha games, saying something like “try again later.” Another fun game to play is “where does G-map think I am?” Pulldown, New Tor Circuit, try again. Repeat.

So there could be backdoors and tracking routines, but if so, most sites do a great job pretending otherwise.

1 Like

You missed the point of the conversation.

The topic is not about myself, but trackers inside an open source project available through The Guardian Project included on F-Droid by default.

1 Like

Linguistic note for the tender: “you’re” is used here by me like “one”, as in general 3rd person, and not directed at any particular poster.

Very similar tracker issue was raised before,

though there is now an explicit tracking warning in Fennec’s description…

So little time, so little trust…

No other app I ever used from F-droid had any trackers.

What about that ACRA tracker reported by CS3x for F-droid app itself? (rhetorical)

FYI, the reproducible build “streets” at Guardian and F-droid intersect with @eighthave .

So, F-droid and Guardian project may well be a joint US/UK “con game” honeypot operation being run by the usual agencies. Or maybe CS3x is a French counter-counter operation… Unless you’re paranoid or criminal, for practical purposes, I think Tor browser works quite well. That’s why I don’t worry about those trackers, stubs or not, or a reproducible build “con game” too much. To more 3xplicitly answer your question.

Maybe a d3velop3r can explain the difficulty completely removing trackers from browsers (and OSs).

One could also ask CS3x developers if one has found a false positive. :wink:

A remark from Edward Snowden
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

I see you don’t understand the very concept of privacy, unfortunately, a lot of people don’t especially in the USA, China and Nord Korea.

Nevertheless every opinion is welcome.

2 Likes

explain the difficulty completely removing trackers from browsers

In this case our fellow @relan did the work to remove trackers from Fenix.
https://gitlab.com/relan/fennecbuild is used by Fennec F-Droid and Mull.

If you want to remove code from a fork and intend to keep your fork up to date you only have a few choices

  • you can edit the functions to do nothing
  • you can remove the functions, but then you have to remove all calls to said functions

Editing the functions to do nothing is way easier, since you don’t have to grep through the code every release for new calls to them.

In this case however, the code has an option to be disabled and do nothing and that is what Tor Project decided was the easiest way for them to disable the trackers.

For what it is worth, Tor Browser on Android is primarily maintained by a single person. Not some big team. It is somewhat understandable that they would go with such a least resistance path.

You might say, “but relan is one person too, why can’t sysrqb just do the same?”. And the answer is probably because main feature of Fennec F-Droid is being deblobbed and not much else. But the main feature of Tor Browser for Android is the Tor routing which needs to be tested to ensure no proxy leaks, and having all the isolation features correctly functioning. So different allocation of resources/time.

2 Likes

@Fermion

I see you don’t understand the very concept of privacy

If you response was in remark to "Unless you’re paranoid or criminal, for practical purposes, I think Tor browser works quite well. "

I would, in this case, agree with @justsomeguy.

If you were actually being targeted by a nation state, Tor Browser on Android almost definitely would not be sufficient enough.

A solution such as Whonix in Qubes would be far more suitable.

1 Like

@Sorenstouter,

long history (link to stack exchange example)

My result was different than what was posted:

Error, Network connectivity to myPTE has been lost, please try your operation again.

but maybe my Security Level is too high, or my javascript is too restricted for that site…

unmask Tor users (link to quora)

On phone with Torbrowser, this site wouldn’t display at all… In all the Guardian/Torproject documentation, they are careful to explain it is not perfect and users need to be wary. I agree the default javascript should be more restrictive and make you opt-in selectively, but a careful user can easily remove all the default trusted javascript and make it work that way.

1 Like

If they were disabled at compile time then they wouldn’t be included in the APK and ClassyShark3xodus wouldn’t be able to detect them. The best argument that could be made is that they are disabled at runtime (which is what the code you linked to possibly appears to be doing, although how complete that disablement is would be a concern). However, that is an unacceptable state for an app included directly into the F-Droid repository (including the Firebase libraries) and it should be the same standard for other repositories included with F-Droid by default (even if they are disabled by default).

1 Like

It’s a cat and mouse game. Old examples you find online behave differently with current browsers. However, you can guarantee that the websites are several miles ahead of wherever browsers are that allow JavaScript to run by default.

For example, there was a period of time when the NSA was able to unmask Tor browsers due to a particlular JavaScript flaw. That flaw has been fixed, but what do you want to bet the NSA has a list of other unknown JavaScript bugs that haven’t been fixed yet?

We can keep playing cat and mouse forever, but when we get to the point that we want to get ahead of the trackers, we will discover that the only way to do that is to disable JavaScript entirely.

1 Like

I didn’t know that, I can only express my respect to the dev for at least doing something.
So this led us to the question, Why after all we know about Mozilla’s privacy nightmare products, Tor project still use Firefox?
In case someone uses Tor for desktop,
type in about:config app.normandy.enabled and see for yourself how the Tor project handles Mozilla’s backdoors. Set it on false if your consider yourself being criminal. Lol
On Android this is not even an option, about:config, now, ask yourself why.
Be assured one of both or both backdoors are open
and the built into the core spyware is active.
app.Normandy.enabled
app.shield.optoutstudies.enabled

As the author on https://linuxreviews.org/Mozilla_Firefox
nicely put it,
“They are blatant liars with no face and honor”

Since our conversation about trackers/spyware inside applications provided on F-droid, the question is, are we ready to accept, what ever justification, trackers/spyware or Mozilla corporation to be presented in any flavor on F-droid?

You both confuse security with privacy, there are completely two different animals.

To put it simple, we want to have a right for a door in a restroom, aren’t we?
Trackers remove that door in order to provide you with something you didn’t ask for - that’s privacy more or less.

If someone is considered being criminal, by the way, Julian Assange, Edward Snowden as all other whistleblowers and journalists fighting for human rights or little businesses sometimes not able to pay mountains of taxes all considered being criminal, but this topic is for another forum.
So, we’re taking here about a thread model.
The state intends to take your freedom of movement (imprisonment), your property/finance or even taking ones live e.g the Jamal Khashoggi’s case - that’s security.

I raised the question about Privacy only.
F-droid is the only place providing that option.
My only hope and the point of the whole conversation is that we as community can keep it this way by raising privacy concerns otherwise we end up with another Google Play market.

Ubuntu already created a proprietary app store not to mention closed source binary/drivers.
People using Ubuntu don’t understand or just ignorant of the very philosophy of the Linux and FOSS in general.
I guess we don’t want F-Droid to roll the similar direction.

I have to correct my previous assumption to

“Because volks here (on F-Droid) supposed to understand or care about privacy.”

I was wrong, admitted.

Following the logic of being criminal and
nothing to hide.
The US is corrupt as it gets, the State was designed to being a public, transparent organization and yet they hunting people across the globe, because they dared to reveal actually the public information. How crazy is that?
I don’t think they have the right after all to accuse any one to do anything wrong.

“And who are the judges?”, - Griboyedov’s “Woe from Wit”.

So, who has the right to define what is it being “a criminal” ?

Mozilla, FB, Google, MS, Apple?

I hope not, but maybe they already are by removing accounts without any explanation
or by geographically filtering information in search engines.

You as a human being with all your weaknesses have very well the right to have at least some privacy while watching Pornhub
making the bald man cry,
of course you don’t do such things, no one does, unless you’re a criminal of course what you’re not.
I also suspect that not ALL people passing by would be happy watching you sitting in the middle of the street debugging the hard drive.
I also doubt you will be happy to see
related advertisements while looking for a teddy bear for your kid, and your family members would be even less happy, I guess. May be I’m wrong, convince me otherwise.

1 Like

the only way to do that is to disable JavaScript entirely.

Which is to say stop using a lot of websites, unless something else changes drastically. Torbrowser top security level and Privacy Browser defaults make it easy to see what the web looks like without javascript now - kinda bare and unfriendly.

1 Like

If enough web browsers disable JavaScript, then web developers will redesign their websites to work without JavaScript. That is one of the goals I had when I started developing Privacy Browser.

Along those lines, the following website made me smile:

2 Likes

The current version of the Tor Browser for Android (10.0.16 released on May 9) no longer contains any trackers as checked by ClassyShark3xodus. Without knowing for certain, I would imagine that this forum post by @Fermion came to their attention and caused them to make a change in their code. That is good for everybody; it justifies @Fermion for making this post even though some other people disagreed with him about it, it reflects well on the Tor project and raises them in my estimation, and it benefits users of open-source software.

1 Like

Edit: Add quote

That’s odd. It won’t be the first time we’ve observed different results, but CS3 still shows me 6 trackers in Tor Browser (same version), and Tor Browser “Alpha” (10.5a15, added 4/26/21).

1 Like

That is interesting. I just scanned it again and I also now show 6 trackers (see attached screenshot). So, either I somehow picked the wrong app when testing the other day, or ClassyShark3xodus had a hiccup. I should of taken a screenshot of those results but I didn’t.

For posterity’s sake, this is ClassyShark3xodus 2.0-27 and Tor Browser for Android 10.0.16 (88.1.3-Release) arm64-v8a.

Happened to me once while checking another app.

3 Likes

It makes me happy to see people verifying software rather than blindly trusting it! That is an essential ingredient to ensuring real privacy.

About Tor Browser containing trackers, another thing to consider is that the scanning techniques used by things like ClassyShark, Exodus, TrackingTheTrackers, etc. are far from perfect. Mostly its based on the presence of strings, like domain names and code signatures. An included ad blocker plugin will often lead to scanners marking the browser as containing trackers since it includes many domain names of tracking companies.

Glad to see that people can easily find out that I work on Guardian Project, Tor Browser, and F-Droid. I try to make the work I do and the sources of funding as public as possible. This is also an important part of privacy in software: ensuring that funders of any kind are not pushing to weaken the privacy.

9 Likes

A ClassyShark3xodus scan is based on the presence of classes, not simply strings. It can’t necessarily tell you if the program runs those classes, or what it does with them, but it can tell you they are there.

From the screenshot above, you can see there are 6 trackers, which together add 680 classes in the app. From the detailed list of classes (see screenshot below) you can see that some of them come from Google Play Services (this is one of the reasons why the app cannot be included in F-Droid, because it would not build according to F-Droid’s rules with a dependency on Google Play Services).

Clicking on one of the classes shows the header file: