ClassyShark3xodus found five trackers inside Tor Browser

Edit: Add quote

That’s odd. It won’t be the first time we’ve observed different results, but CS3 still shows me 6 trackers in Tor Browser (same version), and Tor Browser “Alpha” (10.5a15, added 4/26/21).

1 Like

That is interesting. I just scanned it again and I also now show 6 trackers (see attached screenshot). So, either I somehow picked the wrong app when testing the other day, or ClassyShark3xodus had a hiccup. I should have taken a screenshot of those results but I didn’t.

For posterity’s sake, this is ClassyShark3xodus 2.0-27 and Tor Browser for Android 10.0.16 (88.1.3-Release) arm64-v8a.

Happened to me once while checking another app.

3 Likes

It makes me happy to see people verifying software rather than blindly trusting it! That is an essential ingredient to ensuring real privacy.

About Tor Browser containing trackers, another thing to consider is that the scanning techniques used by things like ClassyShark, Exodus, TrackingTheTrackers, etc. are far from perfect. Mostly it’s based on the presence of strings, like domain names and code signatures. An included ad blocker plugin will often lead to scanners marking the browser as containing trackers since it includes many domain names of tracking companies.

Glad to see that people can easily find out that I work on Guardian Project, Tor Browser, and F-Droid. I try to make the work I do and the sources of funding as public as possible. This is also an important part of privacy in software: ensuring that funders of any kind are not pushing to weaken the privacy.

9 Likes

A ClassyShark3xodus scan is based on the presence of classes, not simply strings. It can’t necessarily tell you if the program runs those classes, or what it does with them, but it can tell you they are there.

From the screenshot above, you can see there are 6 trackers, which together add 680 classes in the app. From the detailed list of classes (see screenshot below) you can see that some of them come from Google Play Services (this is one of the reasons why the app cannot be included in F-Droid, because it would not build according to F-Droid’s rules with a dependency on Google Play Services).

Clicking on one of the classes shows the header file:

Looks like a Fennec build option was changed and that stuff was mistakenly included in Tor Browser. Tor Browser ultimately is a build flavor of Firefox, and Firefox includes Play Services and some tracking services. In the future, file an issue with Tor if you see this.

FYI I’m familiar with how ClassyShark3xodus, Exodus, etc. work since I’m a contributor to Exodus. When reviewing results, it is important to remember that they check “code signatures”, e.g. is there a class that has a specific name. They do not check whether the actual class is from a known tracker library. So if an app has its own wrapper class with the same package name, then checking by code signature will mark it as having a tracker library even though the actual tracker library is not present, only the custom wrapper class. The example class you posted seems to be a case of that. But since the app has 680 classes matching, it seems unlikely those are all wrappers.

If you want to see something that actually checks classes, look at LibScout.

1 Like
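To make the code-signature point above concrete, here is an added example (not Exodus or ClassyShark3xodus code, and not a real scan of Tor Browser) showing the two steps such a scanner performs: list the classes defined in an APK’s dex files, then match their names against a signature table. The signature regexes and the sample class list are constructed for the demo; the dex offsets follow the published dex file format. The point it illustrates is hans’s: a match proves a class with that name is present, not what it does, so a single matching class is compatible with a wrapper or stub, while hundreds of matches are not.

```python
"""Code-signature tracker scan in the style of Exodus/ClassyShark3xodus.

Added example, not code from either project. The signature table and the
sample class list are constructed for the demo; dex layout per the dex spec.
"""
import re
import struct
import zipfile
from collections import defaultdict

# Constructed, illustrative signatures: tracker name -> regex over dotted class names.
TRACKER_SIGNATURES = {
    "Adjust": r"^com\.adjust\.sdk\.",
    "Leanplum": r"^com\.leanplum\.",
    "Google Firebase Analytics": r"^com\.google\.firebase\.analytics\.",
}


def _uleb128(buf, off):
    """Decode one unsigned LEB128 value at buf[off]; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def descriptor_to_dotted(descriptor):
    """'Lcom/adjust/sdk/Adjust;' -> 'com.adjust.sdk.Adjust'."""
    if descriptor.startswith("L") and descriptor.endswith(";"):
        descriptor = descriptor[1:-1]
    return descriptor.replace("/", ".")


def dex_class_names(dex):
    """Yield the dotted name of every class defined in one dex file.

    Header fields used: string_ids_off (0x3C), type_ids_off (0x44),
    class_defs_size/off (0x60/0x64). Each class_def_item is 32 bytes and starts
    with class_idx -> type_ids -> descriptor string index -> string data offset.
    """
    string_ids_off, = struct.unpack_from("<I", dex, 0x3C)
    type_ids_off, = struct.unpack_from("<I", dex, 0x44)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 0x60)
    for i in range(class_defs_size):
        class_idx, = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        desc_idx, = struct.unpack_from("<I", dex, type_ids_off + 4 * class_idx)
        str_off, = struct.unpack_from("<I", dex, string_ids_off + 4 * desc_idx)
        _, data_off = _uleb128(dex, str_off)  # skip the utf16_size prefix
        end = dex.index(b"\x00", data_off)    # string data is NUL-terminated MUTF-8
        yield descriptor_to_dotted(dex[data_off:end].decode("utf-8", errors="replace"))


def apk_class_names(apk_path):
    """All class names across classes.dex, classes2.dex, ... inside an APK (a zip)."""
    names = []
    with zipfile.ZipFile(apk_path) as z:
        for entry in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", entry):
                names.extend(dex_class_names(z.read(entry)))
    return names


def scan_classes(class_names, signatures=TRACKER_SIGNATURES):
    """Map tracker -> sorted matching class names; trackers with no hit are omitted."""
    compiled = {name: re.compile(pat) for name, pat in signatures.items()}
    hits = defaultdict(list)
    for cls in class_names:
        for tracker, rx in compiled.items():
            if rx.search(cls):
                hits[tracker].append(cls)
    return {t: sorted(c) for t, c in hits.items()}


def summarize(hits):
    """(trackers detected, total matching classes): the two numbers a CS3 screenshot shows."""
    return len(hits), sum(len(c) for c in hits.values())


def wrapper_suspects(hits, min_classes=5):
    """Trackers matched by fewer than min_classes classes. That pattern is consistent
    with an app-provided stub reusing the package name (the false positive described
    above) rather than a bundled library, which pulls in many classes. Review by hand."""
    return sorted(t for t, c in hits.items() if len(c) < min_classes)


# Constructed stand-in for apk_class_names() output; not from a real Tor Browser scan.
SAMPLE_CLASSES = [
    "org.mozilla.gecko.BrowserApp",
    "org.mozilla.fenix.HomeActivity",
    "com.adjust.sdk.Adjust",
    "com.adjust.sdk.GooglePlayServicesClient",
    "com.adjust.sdk.ActivityHandler",
    "com.adjust.sdk.AttributionHandler",
    "com.adjust.sdk.PackageHandler",
    "com.leanplum.Leanplum",  # a lone class: could be a wrapper rather than the SDK
    "com.google.android.gms.common.api.GoogleApiClient",  # GMS, not in the signature table
]

if __name__ == "__main__":
    hits = scan_classes(SAMPLE_CLASSES)
    n_trackers, n_classes = summarize(hits)
    print(f"{n_trackers} trackers, {n_classes} matching classes")
    for tracker, classes in hits.items():
        print(f"  {tracker}: {len(classes)} classes")
    print("review for wrapper false positives:", wrapper_suspects(hits))
```

Run against a real APK with `scan_classes(apk_class_names("app.apk"))`; the only difference from the built-in sample is the source of the class list. Note that `com.google.android.gms...` is not flagged here because the constructed table has no GMS signature, which is the other side of the same coin: a signature scan finds exactly the names it has been told about, nothing more.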

Yes, it is true that it is just checking the names of the classes against those that are known to exist in tracking libraries. But, on a scale of 1 to 10, how likely do you think it would be that an app developer would build a custom class that does something unrelated to Google Play Services, but would just happen to name the class com.adjust.sdk.GooglePlayServiceClient?

@hans

Looks like a Fennec build option was changed and that stuff was mistakenly
included in Tor Browser

This definitely appears to be a regression introduced during the Fenix rebase. From @relan’s work it is shown that there is no build option in Fenix to remove these, like there was in Fennec.

Summary

tor-browser-android-arm-1.0a1
tor-browser-8.5-android-armv7-multi
tor-browser-9.0-android-armv7-multi
tor-browser-9.5.3-android-armv7-multi
tor-browser-9.5.4-android-armv7-multi

I had asked a while ago if there was going to be any collaboration, but it obviously seems not: Welcome a new Fennec F-Droid - #3 by SkewedZeppelin

Also of relevance last time this happened it took a while to work out: https://bugzilla.mozilla.org/show_bug.cgi?id=1419581

Just for curiosity’s sake, I made a comparison with the current Fennec build from F-Droid.

Although it is a fairly concerning list to look through, there is nothing in there about a Google Play Services Client.

Compare this to the list of the current Firefox on Google Play.

This does have the same Google Play Services Client that is included in the Tor Browser (repackaged via the Adjust SDK).

It is particularly interesting to me that ClassyShark3xodus detects 456 trackers in upstream Firefox, 282 in Fennec, and 680 in Tor Browser. Although your point is important that ClassyShark3xodus doesn’t attempt to rate the comparative seriousness of each of these trackers, there is no way that the Tor Browser could end up with more trackers than either of the upstream projects just through a build option that “mistakenly” included them.

I think the original point by @Fermion stands when he said, “They did it [at least some of it] on purpose.”

Perhaps F-Droid should consider dropping the Guardian repository from being included in the F-Droid client (even though it is disabled by default).

1 Like

It is particularly interesting to me that ClassyShark3xodus detects 456 trackers in upstream Firefox, 282 in Fennec, and 680 in Tor Browser.

@sorenstoutner

The delta between Fennec F-Droid and Tor Browser is LeanPlum 317, which was recently removed in Fenix 89.

TBB is still on FF88.

1 Like

That makes sense.

So, reading your analysis and a few of your links, it would appear that the Guardian Project has no plans to ever get the number of trackers they ship in the Tor Browser down to 0. Would you say that is an accurate assessment?

Would you say that is an accurate assessment?

A bit harsh.

Guardian Project is merely hosting Tor Browser for Android on behalf of Tor Project in their repository.
And TBB is only maintained by a single person from the start, @sysrqb.

Do I like seeing this? No, absolutely not. But someone has to foot the bill, and no one is right now sadly.

1 Like

Whether it is harsh or not, it is important to know the truth about the likelihood that a project as important as a browser has a plan in place to ever ship a version that does not include trackers.

To elaborate some more I’ll post a quote from an email I had with someone at Mozilla in 2017:

[…] we should support building without all of these things, precisely to support “free as in freedom” use cases like F-Droid and Tor. If we don’t, that’s a bug.

But ¯\_(ツ)_/¯

I think it would be even better if upstream Mozilla would ship their browser without any trackers, but I have watched that organization closely enough for long enough to know it will never happen. I say that as a user of Firefox before it was called Firefox (remember the good old Phoenix days?).

Some extra reading:

I think there is a fundamental difference between shipping code while attempting to disable it, and removing the code entirely. Although it is a step in the right direction, the Tor Browser should go all the way and remove the code.

Also, I am fundamentally opposed to any type of telemetry that is not strictly opt-in. This is an example of where Mozilla (including Fennec as your second link shows) and I disagree.

2 Likes
