OnionBrowser for iOS -- how secure is it?

  • Currently it seems there are no torproject.org "officially sanctioned" solutions for iOS. However, there is a browser called OnionBrowser that passes check.torproject.org and is able to access hidden services on the tor network.

    So my question is, do we know how secure it is compared to running tor from Vidalia or even Orbot? Aside from the following warnings provided by OnionBrowser:

    Caveats: HTML5 <video> tags will leak <video>-related DNS queries and data transfer outside of Tor.

    Javascript cannot be disabled, HTML5 Geolocation API cannot be disabled.

    I guess one concern I have is how often the other tor software is updated and the inherent lag with availability of updates from both the developer and the App Store itself.

    Otherwise is there anything I should know about using this to access Tor? Is it ill-advised in scenarios where security or anonymity is important?

    after installation Onion Browser shows you this warning https://i.imgur.com/taBFVnn.png

  • adrelanos

    adrelanos Correct answer

    9 years ago

    As long this these issues are open...

    Caveats: HTML5 <video> tags will leak <video>-related DNS queries and data transfer outside of Tor.

    Javascript cannot be disabled, HTML5 Geolocation API cannot be disabled.

    I'd say:

    • Okay for circumvention, when anonymity isn't desired.
    • Okay for adding hay to the haystack (Tor). Your contribution of causing more Tor traffic is appreciated. The more legitimate traffic, the better anonymity for everyone.
    • Okay for very weak anonymity, against adversaries who are not that serious, not using HTML5 <video> and HTML5 Geolocation AP for tracking.
    • Not safe, when you want to be in comparison as anonymous as a Tor Browser Bundle user.

    Whether underlying proprietary operating systems such as iOS or Microsoft Windows can provide meaningful security/anonymity is another question. Not sure if a good question for the tor-talk mailing list or tor.stackexchange.

    Turn off Location Services and the HTML5 Geolocation API becomes moot.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM