Opened 11 months ago

Closed 6 months ago

Last modified 2 months ago

#26784 closed defect (wontfix)

Investigate if Orfox is shipping with active tracker

Reported by: sysrqb
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile
Cc: igt0
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I just came across an interesting observation: According to the tool Exodus, Orfox (Tor browser for Android) contains 4 trackers:

- Adjust
- Google Ads
- Google DoubleClick
- Google Firebase Analytics

https://reports.exodus-privacy.eu.org/reports/11967/

https://mastodon.at/@infosechandbook/100367643736030856

Confirm where these are and why they aren't excluded at compile-time. Is it worth adding additional build-time logic for excluding this code? Is there more we should do? etc.

Change History (4)

comment:1 Changed 11 months ago by sysrqb

Status: new → needs_information

https://reports.exodus-privacy.eu.org/reports/11967/ has an interesting note:

Here is the list of trackers signatures found by static analysis in this APK.
This is not a proof of activity of these trackers. The application could contain
tracker(s) we do not know yet.

So I do wonder if we have some dead/unreachable code which contains whatever signature they're searching. Maybe we can contact them and they'll tell us what we missed, too.

comment:2 Changed 6 months ago by gk

Resolution: wontfix
Status: needs_information → closed

We are closer to moving Orfox users to Tor Browser for Android. We therefore won't spend time investigating and fixing Orfox bugs anymore.

comment:3 Changed 2 months ago by n8fr8

Just to follow up with this, the "tracker" libraries were inherited from Firefox/Fennec mobile code. They were deactivated at build time, but still included as libs, since removing them from the code was beyond the scope of our work.

Hopefully for TBA you have/can remove them.

comment:4 Changed 2 months ago by gk

I think we are done here, at least according to https://reports.exodus-privacy.eu.org/en/reports/61881/.
My guess is that Mozilla themselves removed those things some time between esr52 and esr60, but I have not checked.
