The mobile question #1450

Open
psivesely opened this issue Nov 5, 2016 · 7 comments

@psivesely
Contributor

Background

@commandnotfound brought up the question of mobile support in SecureDrop. Considering that, worldwide, mobile computing surpassed desktop usage in 2013, and that much of this rise of mobile computing is due to mobile devices being the primary and only computing devices available to people in the global South, it seems crucial that we at least evaluate the mobile use case for SecureDrop. What follows is the start of that conversation.

The status of Tor on mobile

Android

Tor and the Guardian Project maintain Orbot, a drop-in Tor replacement. The Guardian Project is also working (very slowly) on Orfox, warning "THIS IS A BETA RELEASE MEANT FOR PUBLIC TESTING ONLY. PLEASE DO NOT RELY ON THIS FOR STRONG ANONYMITY UNTIL ALL TESTING IS COMPLETE."

iPhone

There is no official Tor daemon support for iOS. There are some solutions such as OnionBrowser, but they don't seem very accessible.

Personal Experience

Android

What follows is my personal experience of visiting a SD instance.

  1. Download Orbot and Orfox.
  2. I knew to turn on Orbot, but it's not made clear to the user they need to do this.
  3. Open Orfox. There are tiles on the opening page to "Install HTTPS Everywhere" and "Install NoScript," however, it's not made clear that it's important to do this yourself. I don't know why Orfox is no longer bundling these addons. I installed them myself.
  4. Visit a SD homepage.
  5. Go to the generate page.
  6. Clicking continue results in a 400 Error because it seems the referrer is being stripped. NoScript doesn't seem to be the culprit, so I'm not sure what is. Although the Google Play description claims Orfox has integrated the Tor security slider, I can't find it anywhere in any Orfox menu.

Some other notes:

  • Loading SD with an LTE connection was actually reasonably fast (still slower than desktop on Wifi, but not significantly). I couldn't test an upload though. I suspect a 3G connection would be painfully slow, and unfortunately many if not most smartphone users still rely on 3G or slower speeds.
  • Browser fingerprinting protections are strong. Only one in 621 browsers has the same fingerprint as Orfox (with NoScript installed w/ default settings).

Early conclusions

Since Android has significantly greater market share than iOS, most users do have an available Tor and Tor Browser implementation. However, Orfox has a fair way to go before it's secure by default, and its bugs are resolved, and I'm afraid there isn't the development force behind it to make that happen. At present, not only is mobile usage broken on the one platform it's near feasible, but I'd still feel much more comfortable with people using a desktop if they have access to one.

This post doesn't even touch on the privacy implications of using a mobile phone, and the fractured Android market that has most users running an out-of-date version with known vulnerabilities. For many reasons, I think it will always be safer to use a laptop, especially with Tails, however, we must address the fact this is simply not an option for many, especially as we try to grow our reach outside of the US.

I would estimate that among iPhone users, it's way more common to also own a laptop, since the base model iPhones cost $600+ more than the base model Android phones. Since many laptops, such as Chromebooks, sell for a fraction of the price of iPhones, I believe this is a reasonable hypothesis. Therefore, we may not need to worry as much about iOS support, or lack thereof.

@Taipo

Taipo commented Nov 5, 2016

Users can and will use mobile devices so is it worth detecting the UA and warning about potential hazards?

@Taipo

Taipo commented Nov 5, 2016

Maybe try disabling NoScript & HTTPS Everywhere and try again to see if the same referrer problem occurs.

@ninavizz
Member

Users from socio-economically disenfranchised populations do almost everything from mobile devices. Android devices, hands-down—if they're using smartphones (and worldwide, as of my last study in 2014, most were still . Populations in Asia and South/Central America, are almost exclusively mobile, for personal stuff. In the US, the Latinx worker communities are heavily dependent on their mobile devices—and for animal welfare and worker abuses in agribiz, they're a population I'd love to see more opportunities for, in anonymous/secure reporting of abuses to the media. Yeah, it'd help if a Spanish-speaking Latinx publication(s) used SD, too.

Government Accountability & Corporate Accountability types of whistleblowers, are economically advantaged enough to likely all have laptops—so for them, this is unlikely an issue. They're also the types of whistleblowers likely to be at the most risk for electronic compromise.

Poor or middle-class folks seem most likely to be worker rights, human rights, animal welfare rights, and environmental abuses, whistleblowers. Yet, their risk is likely then more life/death, than facing legal penalties.

Also, fwiw (just looked-up on wikipedia): in 2013, only 51% of the worldwide mobile market was smartphones. This article on QZ said that less than 10% of India's phones, are smartphones.

Just my own $.02 from research knowledge accrued on past projects (2012 and 2014), and insights from my piecemeal online explorations into who whistleblower users are.

This is a rad topic @fowlslegs, happy to see it here as a research issue! :)

@eloquence
Member

Keeping open as a discussion issue; note that there is now an official Tor Browser version for Android.

@eaon
Contributor

eaon commented Mar 4, 2022

Stumbled over this because of the source interface redesign and #6309, which updated regular expressions to support Firefox versions higher than 99.

The mobile browser ecosystem changed significantly over the past 2 years; here are some notes:

  • Orfox
  • Tor Browser for Android
    • Does not depend on Orbot but bundles small-t tor like Tor Browser on Desktop
    • Uses the same "Standard / Safer / Safest" security setting, mitigations seem identical [citation needed]
    • As far as I can tell shares its codebase with the desktop version
  • Onion Browser (for iOS)
    • Based on Endless which implements similar mitigations as used by Tor Browser
    • Also features a "Standard / Safer / Safest" security setting menu, seems to call it "Insecure / Moderate / Secure" or "Bronze / Silver / Gold" (can't test, don't have an iPhone)

@huertanix
Member

@eaon I have an iPhone, would be down to help with testing the Onion Browser use case.

@huertanix
Member

[Screenshot: onion_browser_safety_levels]
This is what the levels look like in the mobile Onion Browser interface after tapping the shield icon.
