A look at Orfox, a Tor Browser for Android
Orfox is a web browser for Android that is based on the same source code as the Tor Browser but with some privacy modifications added to it.
Basically, if you want to run Tor on Android, Orfox is probably your best bet when it comes to that as it is an official product by the Tor Project.
Setup is not overly complicated, but it requires more than just installing the Orfox application. You need to install the Orbot application for Android as well as Orfox requires it. Without it, you cannot use the web browser as all as it is configured to use the Tor network; Orbot connects to the Tor network, and that is why you cannot use the web browser without it.
Orfox: a Tor Browser for Android
Orfox prompts you to install Orbot on first run; if you have not installed the secondary application already, use the prompt to install it.
From there it is always necessary to start a Tor connection using the Orbot app first. Orfox is based on Firefox (as is the Tor browser), and it shows.
The Orfox browser ships with the NoScript and Tor Browser Settings add-ons. NoScript is a highly rated script blocker that supports other security protections on top of the core functionality.
You may access the Security Slider with a tap on menu and the selection of Orfox Settings. It is set to standard after installation and replicates the security slider of the desktop Tor browser (where the default level is named low).
Basically, what you can do is improve security by limit functionality that websites may use. If you switch to safer, the following restrictions are enabled:
- JavaScript is disabled on non-HTTP websites.
- Audio and video media won't autoplay anymore. You need to tap on the media to start playback.
- Some fonts and math symbols are disabled.
The most secure level, safest, restricts the first and third policy even further: JavaScript is disabled on all sites by default, and icons and images are also disabled by default.
Orfox shares many features with Firefox, but there are also differences:
- Orfox does not require Contacts, Camera, Microphone, Location or NFC permissions of Android.
- Orfox removes features such as WebRTC or support for interacting with casting devices. The reason given is that these are not compatible with "proxying communication through a TCP-based network like Tor).
- Proxying of all Java network HTTP communication through the local Orbot HTTP proxy.
Android users who run Orweb, the default browser for Orbot/Tor mobile users at the point in time may wonder whether they should switch to Orfox, or stick with Orweb right now.
One core difference between the two browsers is that Orweb is using the WebView component of the Android operating system. The developers don't have full control over the component which makes it difficult or even impossible to upgrade it directly or patch bugs. Orweb replicates only a limited number of tweaks that reduce browser fingerprinting.
Closing Words
Check out the official Orfox website for additional information. It lists download links that point to Google Play and F-Droid.
The developers plan to include mobile versions of NoScript, the Tor Browser Button and HTTPS Everywhere in a future release.
Now You: Do you use Tor or a VPN on your mobile devices?
Hi:
When enabling javascript in the Orfox Settings on my Android the url shows this:
” chrome://tor-browser-settings/content/settings.html ” Why?
Chrome is totally disabled and the default browsing app is set as Orfox. I dont want to see any Chrome here…
YMMV – Your Money May Vary
Acronim for: Your opinion may be different, or, in Latin:
De gustibus non disputandum est.
It’s actually Your *Mileage* May Vary. Inspired auto manufacturers who provide a “rated” gas mileage, but also warn that the individual user’s gas mileage may vary a bit. So YMMV is saying that your experience may be different from mine.
Sorry to be that guy. :)
gh –
Good points, thank you. Please pardon my ignorance, but what is YMMV?
my new android browser
I am curious about something – if I use TOR on my mobile, will it connect via my VPN or will it bypass the VPN and connect directly via my data connection? I know that Android is very different than Windows in this manner; for instance the ability to exclude certain apps from using a VPN connection with a single click.
Android allows only one tunnel interface at the same time, which means only ONE VPN. Depending on your Orbot settings this means you can’t connect outside tor (if you choose to tunnel all apps trough tor [which basically creates an tunnel VPN interface for this]).
Tor… on mobile… YMMV but content is often intolerably slow to load.
Safer ~= “JavaScript is disabled on non-HTTP websites”
???
because bad actors presumably never serve malicious scripts via https?
This seems like a weird, misdirected, configuration choice.
Safer ~= “Audio and video (HTML5 media) is tap to play”
!!!
This is indeed an important privacy (if not security) consideration — one which Orfox documentation may not explain fully. By sending a DRM -encrypted video file (perhaps surreptitiously, sized 1×1 px), a site can coerce one’s browser to generate and transmit an EME verification key (immutable, permanent, based on serial number(s) of your system hardware components). This key, and the practice of coercing its generation/transmission, it’s reasonable to expect that such will become a (the) “new, improved evercookie” mechanism.
^— That is how e.g. Netflix recognizes you (your device) as YOU, and whether its one of the of your 3 (or however many specific devices) are authorized for your account.