Opened 20 months ago

Last modified 4 months ago

#24926 new enhancement

Should Tor Browser for Android support the PanicKit Panic Trigger Intent?

Reported by: sysrqb Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile
Cc: igt0, n8fr8 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I see advantages and disadvantages for this. If we keep it, then we should add a preference for users, so they can enable or disable it.

At this point, when Orfox receives an the Panic intent, it clears some state and quits. After we implement #24920, we shouldn't need worry about clearing state, so the app should simply quit.

Child Tickets

Change History (8)

comment:1 Changed 20 months ago by eighthave

As the person who put it there, I think it should stay :) I think there should be a preference to control this, we have the UX laid out for this. The idea is that by default, all "panic responder" aps should do a "non-destructive" behavior so that someone can install a "panic trigger" app (e.g. Ripple) and have it work without any configuration. Then any "destructive" actions must be explicitly enabled by the user, and cryptographically tied to one specific panic trigger app. These can be deleting data, hiding the app by changing the name/icon/etc,

Here is a more thorough overview:
https://guardianproject.info/2016/01/12/panickit-making-your-whole-phone-respond-to-a-panic-button/

Quitting the browser could be considered destructive since the website might have state, stuff in a webform, uploading content, etc. I think it is important that Tor Browser have a default action for panic triggers to keep the the whole panic configuration experience as simple as possible. If there was a way to detect things that might be considered state, and only quit if those are not present, that would be ideal. One simple non-destructive response would be to stop tor itself and all related network traffic and hide all notifications.

As for destructive responses, I think Tor Browser should offer:

  • wipe all data and quit app (Tor Browser can do this without any confirmation)
  • prompt for full uninstall (Android requires that the user click the confirmation prompt)
  • change app icon/name and disguise itself as a game, utility, etc that is then unlocked with a PIN to restore Tor Browser with all data intact

comment:2 Changed 20 months ago by sysrqb

Parent ID: 19675

comment:3 Changed 20 months ago by sysrqb

Parent ID: 19675#19675

comment:4 Changed 19 months ago by sysrqb

Parent ID: #19675#5709

Moving these to #5709, these aren't blockers anymore. We'll merge Orfox patches first, then audit everything as we move to m-c and work on TBA. (We should create more tickets as we find more items that need investigating/fixing)

comment:5 Changed 4 months ago by gk

Parent ID: #5709

comment:6 Changed 4 months ago by eighthave

Any chance of the exit functionality being brought back from Orfox? I'm currently in the process of a maintenance round for the panic stuff, and saw that TBA reports itself as supporting a panic trigger, but does not do anything in response. It should either stop claiming that it supports a panic trigger, or it should do something. To stop claiming, the panic stuff just needs to be removed from the AndroidManifest.xml.

comment:7 Changed 4 months ago by eighthave

I think that "app hiding" would be a great feature for Tor Browser to have here, and probably not too much work to support. Here you can see how it was implemented in F-Droid:
https://gitlab.com/fdroid/fdroidclient/merge_requests/629

comment:8 in reply to:  6 Changed 4 months ago by sysrqb

Replying to eighthave:

Any chance of the exit functionality being brought back from Orfox? I'm currently in the process of a maintenance round for the panic stuff, and saw that TBA reports itself as supporting a panic trigger, but does not do anything in response. It should either stop claiming that it supports a panic trigger, or it should do something. To stop claiming, the panic stuff just needs to be removed from the AndroidManifest.xml.

Huh. I agree, but it should work. We specifically decided we'd include it at the beginning and we could reconsider it later. The same functionality was ported from Orfox into Tor Browser - but admittedly it wasn't tested.

We did tweak the impementation a bit, so maybe that broke it. I'll need to dig into this a bit more.

Note: See TracTickets for help on using tickets.