Opened 5 months ago

Closed 6 days ago

#26784 closed defect (wontfix)

Investigate if Orfox is shipping with active tracker

Reported by: sysrqb Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile
Cc: igt0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I just came across an interesting observation: According to the tool Exodus, Orfox (Tor browser for Android) contains 4 trackers:

- Adjust
- Google Ads
- Google DoubleClick
- Google Firebase Analytics

https://reports.exodus-privacy.eu.org/reports/11967/

https://mastodon.at/@infosechandbook/100367643736030856

Confirm where these are and why they aren't excluded at compile-time. Is it worth adding additional built-time logic for excluding this code? Is there more we should do? etc.

Child Tickets

Change History (2)

comment:1 Changed 5 months ago by sysrqb

Status: newneeds_information

https://reports.exodus-privacy.eu.org/reports/11967/ has an interesting note:

Here is the list of trackers signatures found by static analysis in this APK.
This is not a proof of activity of these trackers. The application could contain
tracker(s) we do not know yet.

So I do wonder if we have some dead/unreachable code which contains whatever signature they're searching. Maybe we can contact them and they'll tell us what we missed, too.

comment:2 Changed 6 days ago by gk

Resolution: wontfix
Status: needs_informationclosed

We are closer to moving Orfox users to Tor Browser for Android. We therefore won't spend time investigatig and fixing Orfox bugs anymore.

Note: See TracTickets for help on using tickets.