IceCatMobile: Calls (Nonexistant) Mozilla URLs, Proxy Leaks [wontfix]

Since there’s no maintainer to contact nor is there an issue tracker, I’ll just post this here hoping the person who works on it can get it fixed.

IceCatMobile calls home completely ignoring proxy settings (it however respects the remote proxy DNS setting, leaking your real location to the CDN companies!) to:
icecat.settings.services.mozilla.com
icecatmobile-catalog.cdn.mozilla.net
(Edit #2: The above domains are invalid, although the DNS provider would be pleased to know your taste in browsers. Edited topic to reflect this. Unsure if it calls the other addresses below.)

Also found left over in the code is:
incoming.telemetry.mozilla.org

(Firefox Accounts OAuth domains: lcip.org, api.accounts.firefox.com)

This proxy leaking behavior has been with us for a while (and in the prior and current IceCatMobile versions where even favicons for proxied sites would be pulled by your real IP) but I’m not bothered to deal with Mozilla and their tendency to WONTFIX so it would be appreciated if someone could start an issue on their tracker.

(Edit #3: There are several similar reports on their tracker and they are all marked “resolved”. The devs made the idiotic decision to have the Android system calls fetch the files instead of the browser and as always they refuse to fix it even though it’s a critical bug. Additionally marked [“wontfix”] for version 68 (1562394 - can't access favicon files on password protected site after authentication).)

An (incomplete) mitigation for the rest of us users:
Render the URLs in /data/app/org.gnu.icecat-*/oat/arm/base.vdex invalid with a hex editor (e.g. replacing the URL with spaces). They’re all clumped together after the first “https://”.

Note this only stops the browser from requesting DNS for the invalid domains. It will still leak favicon, typed URL bar text (to the default search engines) and other browser internal requests.

The official issues tracker is here: bug-gnuzilla Info Page please use that to report, we only provide the app as it is.

Also, you can always use NetGuard to block whatever you want… CDNs or whatnot.

1 Like

Since there’s no maintainer to contact

You can become one. See the “Developers” section: Docs | F-Droid - Free and Open Source Android App Repository

1 Like

@relan Not sure the user meant F-Droid maintainer…but IceCat

1 Like

Good afternoon @Pete_M

I don’t know if I can be of any help.

But for example using adaway you can include these lists:

https://gitlab.com/Jorgu81/hosts/raw/master/Mozilla

https://raw.githubusercontent.com/CHEF-KOCH/FFCK/master/docs/HOSTS/Mozilla-HOSTS.txt

Where are those entries you comment on so you can block them by hosts.

I don’t know if this will help you.

Receive a warm hug

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.