Opened 4 months ago

Last modified 4 months ago

#34025 new defect

Orbot connects directly to raw.githubusercontent.com on startup

Reported by: cypherpunks
Owned by: n8fr8
Priority: Medium
Component: Applications/Orbot
Severity: Normal

Description

While leak testing Orbot, I noticed that it creates a connection to raw.githubusercontent.org

https://github.com/guardianproject/orbot/blob/master/app/src/main/java/org/torproject/android/OrbotApp.java#L42

I don't know why this is even necessary, as the app store updaters already provide a notification. This doesn't seem to have ever actually notified me about an update, but it sure does let M$ know who all the Orbot users might be.

Maybe if it's really necessary it could make the connection over... Tor?

Change History (3)

comment:1 Changed 4 months ago by cypherpunks

ps this looks sketchy
https://github.com/javiersantos/AppUpdater/issues/156

plz no parsers

comment:2 Changed 4 months ago by n8fr8

It was only meant to run on devices without Google Play or F-Droid, i.e. users in China.

GitHub was chosen for its accessibility in China.

Will consider again how we implement this, and ensure it doesn't check in those cases. It should also have an option to disable.
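
The gating described in comment:2, combined with the reporter's suggestion to route the check through Tor, could look like the following. This is an added example in plain Java, not Orbot's code. The class name, the `enabled` and `torReady` inputs, and the SOCKS listener on 127.0.0.1:9050 are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.Socket;
import java.util.Arrays;
import java.util.List;

public class UpdateCheckPolicy {
    // Installers that already deliver update notifications.
    static final List<String> STORE_INSTALLERS = Arrays.asList(
            "com.android.vending",  // Google Play
            "org.fdroid.fdroid");   // F-Droid client

    // Assumption: Tor's SOCKS listener is on the local default port.
    static final InetSocketAddress TOR_SOCKS = new InetSocketAddress("127.0.0.1", 9050);

    enum Decision { SKIP_DISABLED, SKIP_STORE_MANAGED, SKIP_TOR_NOT_READY, CHECK_OVER_TOR }

    // installer: on Android, the value PackageManager reports for this app
    // (null when sideloaded). enabled and torReady are hypothetical inputs.
    static Decision decide(boolean enabled, String installer, boolean torReady) {
        if (!enabled) return Decision.SKIP_DISABLED;
        if (installer != null && STORE_INSTALLERS.contains(installer)) return Decision.SKIP_STORE_MANAGED;
        // Fail closed: no Tor circuit means no check, never a direct fallback.
        if (!torReady) return Decision.SKIP_TOR_NOT_READY;
        return Decision.CHECK_OVER_TOR;
    }

    // Connects through the SOCKS proxy. The target is left unresolved so the
    // hostname goes to the proxy instead of the device's DNS resolver.
    static Socket openViaTor(String host, int port) throws IOException {
        Socket s = new Socket(new Proxy(Proxy.Type.SOCKS, TOR_SOCKS));
        s.connect(InetSocketAddress.createUnresolved(host, port), 30_000);
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {enabled, installer, torReady}.
        Object[][] cases = {
            {true, "com.android.vending", true},
            {true, "org.fdroid.fdroid", true},
            {false, null, true},
            {true, null, false},
            {true, null, true},
        };
        for (Object[] c : cases) {
            Decision d = decide((Boolean) c[0], (String) c[1], (Boolean) c[2]);
            System.out.println(Arrays.toString(c) + " -> " + d);
        }
    }
}
```

`openViaTor` returns a plain TCP socket; TLS for an HTTPS fetch would be layered on top of it.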