ClassyShark3xodus found five trackers inside Tor browser

@Fermion

I see you don’t understand the very concept of privacy

If your response was in remark to "Unless you’re paranoid or criminal, for practical purposes, I think Tor browser works quite well. "

I would, in this case, agree with @anon46495926.

If you were actually being targeted by a nation state, Tor Browser on Android almost definitely would not be sufficient enough.

A solution such as Whonix in Qubes would be far more suitable.

1 Like

@Sorenstouter,

long history (link to stack exchange example)

My result was different than what was posted:

Error, Network connectivity to myPTE has been lost, please try your operation again.

but maybe my Security Level is too high, or my javascript is too restricted for that site…

unmask Tor users (link to quora)

On phone with Torbrowser, this site wouldn’t display at all… In all the Guardian/Torproject documentation, they are careful to explain it is not perfect and users need to be wary. I agree the default javascript should be more restrictive and make you opt-in selectively, but a careful user can easily remove all the default trusted javascript and make it work that way.

1 Like

If they were disabled at compile time then they wouldn’t be included in the APK and ClassyShark3xodus wouldn’t be able to detect them. The best argument that could be made is that they are disabled at runtime (which is what the code you linked to possibly appears to be doing, although how complete that disablement is would be a concern). However, that is an unacceptable state for an app included directly into the F-Droid repository (including the Firebase libraries) and it should be the same standard for other repositories included with F-Droid by default (even if they are disabled by default).

1 Like

It’s a cat and mouse game. Old examples you find online behave differently with current browsers. However, you can guarantee that the websites are several miles ahead of wherever browsers are that allow JavaScript to run by default.

For example, there was a period of time when the NSA was able to unmask Tor browsers due to a particular JavaScript flaw. That flaw has been fixed, but what do you want to bet the NSA has a list of other unknown JavaScript bugs that haven’t been fixed yet?

We can keep playing cat and mouse forever, but when we get to the point that we want to get ahead of the trackers, we will discover that the only way to do that is to disable JavaScript entirely.

1 Like

I didn’t know that, I can only express my respect to the dev for at least doing something.
So this leads us to the question: why, after all we know about Mozilla’s privacy nightmare products, does the Tor project still use Firefox?
In case someone uses Tor for desktop, type in about:config app.normandy.enabled and see for yourself how the Tor project handles Mozilla’s backdoors. Set it to false if you consider yourself a criminal. Lol
On Android this is not even an option, about:config, now, ask yourself why.
Be assured one or both backdoors are open and the spyware built into the core is active.
app.normandy.enabled
app.shield.optoutstudies.enabled

As the author on https://linuxreviews.org/Mozilla_Firefox
nicely put it,
“They are blatant liars with no face and honor”

Since our conversation is about trackers/spyware inside applications provided on F-droid, the question is, are we ready to accept, whatever the justification, trackers/spyware or Mozilla corporation being presented in any flavor on F-droid?

You both confuse security with privacy; they are two completely different animals.

To put it simply, we want to have a right to a door in a restroom, don’t we?
Trackers remove that door in order to provide you with something you didn’t ask for - that’s privacy more or less.

If someone is considered a criminal: by the way, Julian Assange, Edward Snowden, like all other whistleblowers and journalists fighting for human rights, or small businesses sometimes not able to pay mountains of taxes, are all considered criminals, but this topic is for another forum.
So, we’re talking here about a threat model.
The state intends to take your freedom of movement (imprisonment), your property/finance, or even one’s life, e.g. the Jamal Khashoggi case - that’s security.

I raised the question about Privacy only.
F-droid is the only place providing that option.
My only hope and the point of the whole conversation is that we as community can keep it this way by raising privacy concerns otherwise we end up with another Google Play market.

Ubuntu already created a proprietary app store not to mention closed source binary/drivers.
People using Ubuntu don’t understand, or are just ignorant of, the very philosophy of Linux and FOSS in general.
I guess we don’t want F-Droid to roll the similar direction.

I have to correct my previous assumption to

“Because folks here (on F-Droid) are supposed to understand or care about privacy.”

I was wrong, admitted.

Following the logic of being criminal and nothing to hide.
The US is as corrupt as it gets; the State was designed to be a public, transparent organization, and yet they are hunting people across the globe because they dared to reveal what is actually public information. How crazy is that?
I don’t think they have the right, after all, to accuse anyone of doing anything wrong.

“And who are the judges?”, - Griboyedov’s “Woe from Wit”.

So, who has the right to define what it is to be “a criminal”?

Mozilla, FB, Google, MS, Apple?

I hope not, but maybe they already are by removing accounts without any explanation
or by geographically filtering information in search engines.

You as a human being with all your weaknesses have very well the right to have at least some privacy while watching Pornhub making the bald man cry; of course you don’t do such things, no one does, unless you’re a criminal, which of course you’re not.
I also suspect that not ALL people passing by would be happy watching you sitting in the middle of the street debugging the hard drive.
I also doubt you will be happy to see related advertisements while looking for a teddy bear for your kid, and your family members would be even less happy, I guess. Maybe I’m wrong, convince me otherwise.

1 Like

the only way to do that is to disable JavaScript entirely.

Which is to say stop using a lot of websites, unless something else changes drastically. Torbrowser top security level and Privacy Browser defaults make it easy to see what the web looks like without javascript now - kinda bare and unfriendly.

1 Like

If enough web browsers disable JavaScript, then web developers will redesign their websites to work without JavaScript. That is one of the goals I had when I started developing Privacy Browser.

Along those lines, the following website made me smile:

https://heydonworks.com/

2 Likes

The current version of the Tor Browser for Android (10.0.16 released on May 9) no longer contains any trackers as checked by ClassyShark3xodus. Without knowing for certain, I would imagine that this forum post by @Fermion came to their attention and caused them to make a change in their code. That is good for everybody; it justifies @Fermion for making this post even though some other people disagreed with him about it, it reflects well on the Tor project and raises them in my estimation, and it benefits users of open-source software.

1 Like

Edit: Add quote

That’s odd. It won’t be the first time we’ve observed different results, but CS3 still shows me 6 trackers in Tor Browser (same version), and Tor Browser “Alpha” (10.5a15, added 4/26/21).

1 Like

That is interesting. I just scanned it again and I also now show 6 trackers (see attached screenshot). So, either I somehow picked the wrong app when testing the other day, or ClassyShark3xodus had a hiccup. I should have taken a screenshot of those results but I didn’t.

For posterity’s sake, this is ClassyShark3xodus 2.0-27 and Tor Browser for Android 10.0.16 (88.1.3-Release) arm64-v8a.

Happened to me once while checking another app.

3 Likes

It makes me happy to see people verifying software rather than blindly trusting it! That is an essential ingredient to ensuring real privacy.

About Tor Browser containing trackers, another thing to consider is that the scanning techniques used by things like ClassyShark, Exodus, TrackingTheTrackers, etc. are far from perfect. Mostly it’s based on the presence of strings, like domain names and code signatures. An included ad blocker plugin will often lead to scanners marking the browser as containing trackers since it includes many domain names of tracking companies.

Glad to see that people can easily find out that I work on Guardian Project, Tor Browser, and F-Droid. I try to make the work I do and the sources of funding as public as possible. This is also an important part of privacy in software: ensuring that funders of any kind are not pushing to weaken the privacy.

9 Likes

A ClassyShark3xodus scan is based on the presence of classes, not simply strings. It can’t necessarily tell you if the program runs those classes, or what it does with them, but it can tell you they are there.

From the screenshot above, you can see there are 6 trackers, which together add 680 classes in the app. From the detailed list of classes (see screenshot below) you can see that some of them come from Google Play Services (this is one of the reasons why the app cannot be included in F-Droid, because it would not build according to F-Droid’s rules with a dependency on Google Play Services).

Clicking on one of the classes shows the header file:

Looks like a Fennec build option was changed and that stuff was mistakenly
included in Tor Browser. Tor Browser ultimately is a build flavor of Firefox,
and Firefox includes Play Services and some tracking services. In the future,
file an issue with Tor if you see this.

FYI I’m familiar with how ClassyShark3xodus, Exodus, etc. work since I’m a
contributor to Exodus. When reviewing results, it is important to remember that
they check “code signatures”, e.g. is there a class that has a specific name.
They do not check whether the actual class is from a known tracker library. So
if an app has its own wrapper class with the same package name, then checking by
code signature will mark it as having a tracker library even though the actual
tracker library is not present, only the custom wrapper class. The example
class you posted seems to be a case of that. But since the app has 680 classes
matching, it seems unlikely those are all wrappers.

If you want to see something that actually checks classes, look at LibScout.

1 Like
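The name-only matching described in the post above, as an added example that is not code from Exodus, ClassyShark3xodus or this thread. The signature table, the sample class list and the `min_classes` review threshold are constructed assumptions; the point is that a lone class in a tracker's package is flagged exactly like a full SDK, so the per-tracker class count is what separates the two cases.

```python
import re
from collections import defaultdict

# Constructed signatures for illustration: tracker name -> package-prefix regex.
# This is NOT the real Exodus / ClassyShark3xodus signature database.
SIGNATURES = {
    "Adjust": r"com\.adjust\.sdk\.",
    "LeanPlum": r"com\.leanplum\.",
    "Google Firebase Analytics": r"com\.google\.firebase\.analytics\.",
}

def descriptor_to_name(descriptor):
    """Convert a DEX type descriptor ('Lcom/foo/Bar;') to 'com.foo.Bar'."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError(f"not a class descriptor: {descriptor!r}")
    return descriptor[1:-1].replace("/", ".")

def scan(descriptors, signatures=SIGNATURES):
    """Return {tracker: [matching class names]} using class names only.
    Nothing here inspects bytecode or tells whether a class is ever run."""
    compiled = {t: re.compile(p) for t, p in signatures.items()}
    hits = defaultdict(list)
    for d in descriptors:
        name = descriptor_to_name(d)
        for tracker, rx in compiled.items():
            if rx.match(name):          # anchored at the start of the name
                hits[tracker].append(name)
    return dict(hits)

def likely_wrappers(hits, min_classes=3):
    """Trackers matched by very few classes: candidates for manual review,
    since a lone class may be an app-defined wrapper rather than the SDK."""
    return sorted(t for t, cls in hits.items() if len(cls) < min_classes)

# Constructed class list for a hypothetical APK.
SAMPLE = [
    "Lcom/leanplum/Leanplum;",
    "Lcom/leanplum/LeanplumActivityHelper;",
    "Lcom/leanplum/internal/RequestSender;",
    "Lcom/adjust/sdk/GooglePlayServiceClient;",  # single class in tracker package
    "Lorg/example/browser/MainActivity;",         # app code: no match
    "Lorg/example/com/leanplum/Shim;",            # prefix not at start: no match
]

if __name__ == "__main__":
    result = scan(SAMPLE)
    for tracker, classes in sorted(result.items()):
        print(f"{tracker}: {len(classes)} classes")
    print("review manually:", likely_wrappers(result))
```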

Yes, it is true that it is just checking the names of the classes against those that are known to exist in tracking libraries. But, on a scale of 1 to 10, how likely do you think it would be that an app developer would build a custom class that does something unrelated to Google Play Services, but would just happen to name the class com.adjust.sdk.GooglePlayServiceClient?

@hans

Looks like a Fennec build option was changed and that stuff was mistakenly
included in Tor Browser

This definitely appears to be a regression introduced during the Fenix rebase. From @relan’s work it is shown that there is no build option in Fenix to remove these, like there was in Fennec.

Summary


tor-browser-android-arm-1.0a1
tor-browser-8.5-android-armv7-multi
tor-browser-9.0-android-armv7-multi
tor-browser-9.5.3-android-armv7-multi
tor-browser-9.5.4-android-armv7-multi


I had asked a while ago if there was going to be any collaboration, but it obviously seems not: Welcome a new Fennec F-Droid - #3 by SkewedZeppelin

Also of relevance last time this happened it took a while to work out: https://bugzilla.mozilla.org/show_bug.cgi?id=1419581

Just for curiosity’s sake, I made a comparison with the current Fennec build from F-Droid.

Although it is a fairly concerning list to look through, there is nothing in there about a Google Play Services Client.

Compare this to the list of the current Firefox on Google Play.

This does have the same Google Play Services Client that is included in the Tor Browser (repackaged via the Adjust SDK).

It is particularly interesting to me that ClassyShark3xodus detects 456 trackers in upstream Firefox, 282 in Fennec, and 680 in Tor Browser. Although your point is important that ClassyShark3xodus doesn’t attempt to rate the comparative seriousness of each of these trackers, there is no way that the Tor Browser could end up with more trackers than either of the upstream projects just through a build option that “mistakenly” included them.

I think the original point by @Fermion stands when he said, “They did it [at least some of it] on purpose.”

Perhaps F-Droid should consider dropping the Guardian repository from being included in the F-Droid client (even though it is disabled by default).

1 Like

It is particularly interesting to me that ClassyShark3xodus detects 456 trackers in upstream Firefox, 282 in Fennec, and 680 in Tor Browser.

@sorenstoutner

The delta between Fennec F-Droid and Tor Browser is LeanPlum 317, which was recently removed in Fenix 89.

TBB is still on FF88.

1 Like

That makes sense.

So, reading your analysis and a few of your links, it would appear that the Guardian Project has no plans to ever get the number of trackers they ship in the Tor Browser down to 0. Would you say that is an accurate assessment?