Opened 2 months ago

Last modified 2 months ago

#26784 needs_information defect

Investigate if Orfox is shipping with active tracker

Reported by: sysrqb
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile
Cc: igt0
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I just came across an interesting observation: According to the tool Exodus, Orfox (Tor browser for Android) contains 4 trackers:

- Adjust
- Google Ads
- Google DoubleClick
- Google Firebase Analytics

https://reports.exodus-privacy.eu.org/reports/11967/

https://mastodon.at/@infosechandbook/100367643736030856

Confirm where these are and why they aren't excluded at compile-time. Is it worth adding additional build-time logic for excluding this code? Is there more we should do? etc.


Change History (1)

comment:1 Changed 2 months ago by sysrqb

Status: new → needs_information

https://reports.exodus-privacy.eu.org/reports/11967/ has an interesting note:

Here is the list of trackers signatures found by static analysis in this APK.
This is not a proof of activity of these trackers. The application could contain
tracker(s) we do not know yet.

So I do wonder if we have some dead/unreachable code which contains whatever signature they're searching for. Maybe we can contact them and they'll tell us what we missed, too.
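An added example, not part of the ticket and not Exodus's code: a static check of the kind the report's note describes, listing which type descriptors in an APK's classes*.dex string tables fall under a tracker's package prefix. The prefixes, function names and sample APK are assumptions constructed for illustration; a match shows that the name is present in the file, not that the code is reachable.

```python
import io, re, struct, zipfile

# Assumed package prefixes for three of the reported SDKs (not Exodus's own rules).
SIGNATURES = {
    "Adjust": "com/adjust/sdk/",
    "Google Ads": "com/google/android/gms/ads/",
    "Google Firebase Analytics": "com/google/firebase/analytics/",
}

def dex_strings(dex):
    """Yield every entry of a DEX file's string table."""
    count, table = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (pos,) = struct.unpack_from("<I", dex, table + 4 * i)
        while dex[pos] & 0x80:       # skip the ULEB128 length prefix
            pos += 1
        pos += 1
        end = dex.index(b"\0", pos)  # string data is NUL-terminated MUTF-8
        yield dex[pos:end].decode("utf-8", "replace")

def find_tracker_descriptors(apk_bytes, signatures=SIGNATURES):
    """Map tracker -> type descriptors present (defined or merely referenced)."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            for s in dex_strings(apk.read(name)):
                for tracker, prefix in signatures.items():
                    if s.startswith("L" + prefix) and s.endswith(";"):
                        hits.setdefault(tracker, set()).add(s)
    return {t: sorted(c) for t, c in hits.items()}

def build_sample_apk(descriptors):
    """Constructed input: a zip holding a minimal DEX that has only a string table."""
    data, offsets = b"", []
    base = 0x70 + 4 * len(descriptors)  # header, then string_ids, then string data
    for d in descriptors:
        offsets.append(base + len(data))
        data += bytes([len(d)]) + d.encode() + b"\0"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 0x38, len(descriptors), 0x70)
    dex = bytes(header) + struct.pack(f"<{len(offsets)}I", *offsets) + data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
    return buf.getvalue()

SAMPLE = ["Lcom/adjust/sdk/Adjust;", "Lorg/mozilla/gecko/GeckoApp;"]  # constructed
```

Calling `find_tracker_descriptors(build_sample_apk(SAMPLE))` reports only the Adjust descriptor; on a real APK, the matched names are the starting point for checking whether the build actually links or calls that code.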
