Opened 5 months ago

Closed 5 weeks ago

#25906 closed defect (fixed)

Disable third-party tracking frameworks Adjust and Leanplum in mobile Tor Browser

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile, ff60-esr, TorBrowserTeam201808R
Cc: Actual Points:
Parent ID: #26531 Points:
Reviewer: Sponsor:

Description

It seems Mozilla has outsourced gathering analytics about mobile browser usage to a bunch of people. We should make sure this is disabled in Tor Browser. See:

https://support.mozilla.org/en-US/kb/send-usage-data-firefox-mobile-devices
https://firefox-source-docs.mozilla.org/mobile/android/fennec/mma.html

Child Tickets

Change History (5)

comment:1 Changed 5 months ago by gk

See: https://bugzilla.mozilla.org/show_bug.cgi?id=1380950 for additional risks associated with it.

comment:2 Changed 3 months ago by sysrqb

Parent ID: #26531

Required for first alpha.

comment:3 Changed 7 weeks ago by sysrqb

Status: newneeds_review

From ticket:25851#comment:1

LeanPlum is not included by default. It is only included if MOZ_ANDROID_MMA is
true (false by default) and MOZ_ANDROID_GCM must be true (which we set false
at configure time):
​https://gitweb.torproject.org/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1&id=ce3ad196040db4886e953cf13fc8d24fdf712d4b#n34

From ticket:25851#comment:2

Adjust is excluded at build-time, so we can ignore that. It is excluded
if MOZ_INSTALL_TRACKING is not set. This is similar to LeanPlum - it
requires MOZ_ANDROID_GCM, too. We could change the MOZ_INSTALL_TRACKING
default value, too (being extra safe) - but currently it will not be
included.

This is safe as long as we don't include --with-google-play-services. We already include ac_add_options --without-google-play-services in .mozconfig-android so neither LeanPlum or Adjust are included.

I also created a branch - 25906 in my repo - for review where we set the configure options as |false| by default, as another safety measure.

In reality, even if leanplum or adjust were enabled, mach configure should fail because there is an additional dependency on specifying a leanplum-sdk-file and adjust-sdk-file which we don't include. But I'd prefer playing this safe.

comment:4 Changed 7 weeks ago by sysrqb

Keywords: TorBrowserTeam201808R added

comment:5 Changed 5 weeks ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks. Applied to tor-browser-60.1.0esr-8.0-1 (commit ccb635fc7b7c02c4431adfbe67bff2f73e491157).

Note: See TracTickets for help on using tickets.