#30925 closed defect (duplicate)

Tor Browser for Android should not leak device language

Reported by: dujaus Owned by:
Priority: Medium Milestone:
Component: Applications Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


(Real version: 60.7.0)

Tor Browser for Android sends the real language of the user's Android device in accept-language HTTP request header. For UX this might be great, but if the language is not English, it can reveal the likely geographical location of the user.

For instance, I'm a Finn, and when I use Tor Browser to access Twitter.com, the site shows the web page in Finnish. Also many sites show ads in Finnish. This is not great for anonymity, especially for small countries and languages only spoken by relatively small population, like fi-FI.

I think this issue is quite severe due to few aspects related to Android:

  • It is very common to use the local language in Android devices (probably more so than with desktop OSes - computer savvy Finns tend to use English Windows/Linux)
  • The browser itself is not localized, so the user probably is not aware of the fact that it sends the real accept-language header. I used to think that the ads were just a coincident and maybe I just happened to be on a circuit leading to a exit node in Finland.

Child Tickets

Change History (1)

comment:1 Changed 16 months ago by gk

Resolution: duplicate
Status: newclosed
Version: Android (Orbot): 1.0.0

Yes, agreed. We track this in #30605.

Note: See TracTickets for help on using tickets.