Silk Road forums

Discussion => Security => Topic started by: livestr0ng on April 07, 2013, 07:48 am

Title: Is the mobile onion browser safe?
Post by: livestr0ng on April 07, 2013, 07:48 am
I recently found out there is an app for mobile phones that allows users to access Tor sites. I've tried it and I was indeed able to get on SR and the forums. (I didn't log in to SR. Also, I turned Location Services off but who knows if that would actually do anything. Plus, I did it while in a car far away from my place of residence.) The exact name of the app I got is "OnionBrowser". It has positive reviews but those people could all know as little as I do. Because it allows me to access .onion URLs, it seems like it would have to be safe. However, I do not know if this is so. I'm looking for some (educated) advice here. If the consensus is that it is safe, I hope to bring people more convenience by making them aware that this app exists.
Title: Re: Is the mobile onion browser safe?
Post by: angel555 on April 07, 2013, 08:22 am
I've read on here that a couple people use it to browse, however for me personally I dont trust it for some reason

I gave it a go a couple weeks back - once activating the tor and going on the browser sometimes it would say its been 'configured to use tor' but sometimes it says it hasn't.

For that reason I dont trust it, what if it stopped half way through browsing and I didn't know about it?
Title: Re: Is the mobile onion browser safe?
Post by: sirius on April 08, 2013, 06:29 am
Well, I use it on my nexus 7 android tablet.. I don't use it for any serious purchasing or anything, but for casual or mobile browsing its pretty handy. So far I haven't had any problems.. If it loses tor it wont load any pages, so I'm not concerned there.
I forget if you can select specific apps to proxy or not.. but you can turn on transparent proxying and all of your connections will be torrified.

I'm waiting to wipe my nexus and install Ubuntu for tablets. Then all will be well  :)
Title: Re: Is the mobile onion browser safe?
Post by: Yoshitoshi on April 08, 2013, 11:01 am
I think the big unknown is how your phone handles data in the background, and the personal data that device is linked to, unless it's PAYG, and you only ever use cash to top up.

Phones & tablets are distinctly different from e.g. PCs in this regard.

Periodically hacks seem to emerge that can scavenge a lot of user data from phones & tablets including, but not limited to: your location, your phone number, and your telco account details. I would not sleep well using SR (even through TOR) on such a device.

I can say for sure that they could *never* get this info through my locked down user account on my PC, which I use only for *this stuff*.
Title: Re: Is the mobile onion browser safe?
Post by: aussiepp on April 08, 2013, 11:32 am
I've personally never heard of it until now and for some reason I'm not comfortable with it.
Something about having Tor on my phone... Idk
Title: Re: Is the mobile onion browser safe?
Post by: livestr0ng on April 12, 2013, 05:53 am
Come on other people, I feel like I'm the only one who thinks this is important.
Title: Re: Is the mobile onion browser safe?
Post by: blink-420 on April 12, 2013, 06:06 am
i use it and havent had a problem.  ive read your mobile provider can tell you are using tor, but they can't tell what sites you visit
Title: Re: Is the mobile onion browser safe?
Post by: sbmafia on April 12, 2013, 09:51 am
I've read on here that a couple people use it to browse, however for me personally I dont trust it for some reason

I gave it a go a couple weeks back - once activating the tor and going on the browser sometimes it would say its been 'configured to use tor' but sometimes it says it hasn't.

For that reason I dont trust it, what if it stopped half way through browsing and I didn't know about it?y


Usually the way you'll no whether its working is if the union sites actually open or not g
Title: Re: Is the mobile onion browser safe?
Post by: dothedamnthing on April 12, 2013, 10:56 am
From everything I've read, it is not advisable to use any mobile device. There's been quite a few threads on this topic. Here's the most recent one which has some good information: http://dkn255hz262ypmii.onion/index.php?topic=145659.0
Title: Re: Is the mobile onion browser safe?
Post by: livestr0ng on April 12, 2013, 11:35 pm
From everything I've read, it is not advisable to use any mobile device. There's been quite a few threads on this topic. Here's the most recent one which has some good information: http://dkn255hz262ypmii.onion/index.php?topic=145659.0
Oh cool thanks. I feel like a bit of an asshole now but still thanks haha
Title: Re: Is the mobile onion browser safe?
Post by: photonsounds on April 13, 2013, 09:14 am
I will say this much about it if you do decide to use it: There will be an option to pipe all traffic through Tor. (It will say something like "Choose this if you have no idea what you're doing.") Especially do NOT do this! If it pipes your Facebook phone app, twitter app, social media apps through Tor (which it will) and if you go any external sites through tor (or possibly even SR) they may be able to correlate your surfing to your identity. It's not 100%, but it is more than absolutely possible.

If you're going to put PGP on your device and actually consider using SR for more than browsing, I would look into encryption and/or remote destruction programs. You can find phone programs that will erase your phone remotely from web sites, in the case that it is lost. I have lost a phone before and kicked myself in the ass for not having this. Had I used mobile Tor more often, I really would have been sweating in my shirt over the issue.

To be safe, I would say follow DPRs advice and not to use it..if you can help it. Personal input, it's probably a bit less secure than Windows. As Wadozo mentions Jacob Applebaum in that other thread, if you research that name you should come to quite a few writings of Android phone exploits. It's just not safe up to JellyBean for sure. JB has had a lot of improvements, particularly with memory management and permissions, but there are a lot of memory exploits with Honeycomb, ICS, and earlier versions.

Realistically, no operating system is technically safe unless you can harden it. Even then someone can exploit stacking processes. But you're drastically more protected anyhow. I do believe a commonality between both Android and Windows 7/8 is that they're not hardened. Technically Android phones are linux and if you knew what you're doing you can possibly make them more secure, but I don't think I have heard of an Android phone actually being hardened with grsec or SElinux or anything. I don't feel like searching it right now. And I know for sure Windows can't be hardened.

If you're going to use mobile tor, just remember the risk you're exposing yourself to in the meantime. And realize with triangulation, they can know where you are even when your GPS is disabled and with new exploits being published very frequently, even patching and updating your phone can't keep it as secure as a hardened system.

-PH
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 13, 2013, 06:27 pm
The short answer is NO WAY. There are many possibles and probables however, there's three reasons that come to mind which should not be ignored.

Javascript cannot be disabled.

HTML5 (video) tags will leak related DNS queries and data transfers outside of Tor.

HTML5 Geolocation API cannot be disabled.

There's three reasons I would never use the Onion Browser app, and that's only for starters. It's really just a gimmick, nothing to rely on.
Title: Re: Is the mobile onion browser safe?
Post by: b0lixtrader on April 13, 2013, 07:03 pm
The short answer is NO WAY. There are many possibles and probables however, there's three reasons that come to mind which should not be ignored.

Javascript cannot be disabled.

HTML5 (video) tags will leak related DNS queries and data transfers outside of Tor.

HTML5 Geolocation API cannot be disabled.

There's three reasons I would never use the Onion Browser app, and that's only for starters. It's really just a gimmick, nothing to rely on.

The question is why would the same people who wants to protect out privacy(I mean don't they?) put out such a useless program?

2 years ago when no one really bother to talk about the phone app, I used it almost every day because I was unaware. Even made 3-4 orders off it.  Still browse  SR and the forums sometimes when I'm out but use WiFi.
Title: Re: Is the mobile onion browser safe?
Post by: dryice on April 14, 2013, 05:46 am
Android has orbet app witch is a tor browser bundel. Looks good to me. I thinks iof you have a moblibe device encrypted running orbet and you have set up the sim without your real details and pay cash for credit you are very safe in city areas.
Can someone who knows their shit have a look t obet?
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 14, 2013, 06:47 am
The short answer is NO WAY. There are many possibles and probables however, there's three reasons that come to mind which should not be ignored.

Javascript cannot be disabled.

HTML5 (video) tags will leak related DNS queries and data transfers outside of Tor.

HTML5 Geolocation API cannot be disabled.

There's three reasons I would never use the Onion Browser app, and that's only for starters. It's really just a gimmick, nothing to rely on.

The question is why would the same people who wants to protect out privacy(I mean don't they?) put out such a useless program?

2 years ago when no one really bother to talk about the phone app, I used it almost every day because I was unaware. Even made 3-4 orders off it.  Still browse  SR and the forums sometimes when I'm out but use WiFi.

By default, Tor doesn't disable Javascript. In fact, it encourages it being enabled to allow a user to view webpages that require Javascript. See below.

Quote
  Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn't that unsafe?

We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work). 

Then there is this also.

Quote
  I'm an expert! (No, really!) Can I configure NoScript to block JavaScript by default?

You can configure your copies of Tor Browser Bundle however you want to. However, we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser.   

Tor wasn't designed for use on websites offering illegal products for sale, although it can be configured to do so safely. What Tor does is prevent somebody from watching your Internet connection and from learning what sites you visit. It prevents the sites you visit from learning your physical location. This will mean nothing though if someone is watching you as you connect to the Tor network. You are only encrypted within the Tor network. Tor is not an end to end encryption tool but some people seem to think it is. Mobile devices are not safe to use if you are worried about potentially revealing your location or identity. If others put their trust in mobile apps, that's their own choice, but there is no fucking way I would. There are some very tech-minded people on here, knowledgeable on most if not all matters relating to on-line security such as Anonymity, Cryptography, Hacking, etc, who have also expressed the same view (kmfkewm, Guru, who has now left, and of course SR Support).  Do your own research and make an informed decision based on the facts.  :)
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 14, 2013, 06:57 am
Android has orbet app witch is a tor browser bundel. Looks good to me. I thinks iof you have a moblibe device encrypted running orbet and you have set up the sim without your real details and pay cash for credit you are very safe in city areas.
Can someone who knows their shit have a look t obet?

Regardless of you're using fake details on the SIM registration, your mobile device is a modern day GPS tracker. If you come under the watchful eye of LE, especially as a vendor, despite what you may think, they will know who you are in a flash. To say it's safe in city areas is not true.
I think you mean Orbot, not Orbet. If you think it's safe to use, then go ahead and use it. I'm only expressing an opinion. What you do is your business. 
Title: Re: Is the mobile onion browser safe?
Post by: sbmafia on April 14, 2013, 08:13 am
I use Orbot ---->Orweb v2... and yes i feel secure

i use android btw...


Recently its all i use...

on it now
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 14, 2013, 08:19 am
I use Orbot ---->Orweb v2... and yes i feel secure

i use android btw...


Recently its all i use...

on it now

Good for you sbmafia. That's your choice to make. I was just posting my opinion on the subject.
Title: Re: Is the mobile onion browser safe?
Post by: b0lixtrader on April 14, 2013, 03:21 pm
The short answer is NO WAY. There are many possibles and probables however, there's three reasons that come to mind which should not be ignored.

Javascript cannot be disabled.

HTML5 (video) tags will leak related DNS queries and data transfers outside of Tor.

HTML5 Geolocation API cannot be disabled.

There's three reasons I would never use the Onion Browser app, and that's only for starters. It's really just a gimmick, nothing to rely on.

The question is why would the same people who wants to protect out privacy(I mean don't they?) put out such a useless program?

2 years ago when no one really bother to talk about the phone app, I used it almost every day because I was unaware. Even made 3-4 orders off it.  Still browse  SR and the forums sometimes when I'm out but use WiFi.

By default, Tor doesn't disable Javascript. In fact, it encourages it being enabled to allow a user to view webpages that require Javascript. See below.

Quote
  Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn't that unsafe?

We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work). 

Then there is this also.

Quote
  I'm an expert! (No, really!) Can I configure NoScript to block JavaScript by default?

You can configure your copies of Tor Browser Bundle however you want to. However, we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser.   

Tor wasn't designed for use on websites offering illegal products for sale, although it can be configured to do so safely. What Tor does is prevent somebody from watching your Internet connection and from learning what sites you visit. It prevents the sites you visit from learning your physical location. This will mean nothing though if someone is watching you as you connect to the Tor network. You are only encrypted within the Tor network. Tor is not an end to end encryption tool but some people seem to think it is. Mobile devices are not safe to use if you are worried about potentially revealing your location or identity. If others put their trust in mobile apps, that's their own choice, but there is no fucking way I would. There are some very tech-minded people on here, knowledgeable on most if not all matters relating to on-line security such as Anonymity, Cryptography, Hacking, etc, who have also expressed the same view (kmfkewm, Guru, who has now left, and of course SR Support).  Do your own research and make an informed decision based on the facts.  :)
Cool thank you for the thorough response.

Just a quick question, would that same rule apply on the PC version of tor of how it would be just as bad if I disabled java on the android version?

I always heard it is better for it to be disabled on the PC browser.

thanks and +1
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 14, 2013, 03:54 pm
Thanks b0lixtrader. If you're visiting mostly illegal sites like SR using Tor, I would disable Javascript on all devices (PC and mobile) and eliminate the possibility of a hacker/LE exploiting any vulnerabilities in code to remotely install software onto your device. They could also send you malicious code disguised as a phone update from your carrier which you unknowingly install and infect your device, allowing the attacker full access and complete control over your device.  :)
Title: Re: Is the mobile onion browser safe?
Post by: b0lixtrader on April 14, 2013, 04:23 pm
Np.  Ha I guess I was doing something right.  Always disabled java for android and PC version.

Things hackers can do, makes my brain hurt....

All I had to do was just uncheck the "enable javascript" box in the settings for both version correct?
Title: Re: Is the mobile onion browser safe?
Post by: Wadozo on April 14, 2013, 04:56 pm
Np.  Ha I guess I was doing something right.  Always disabled java for android and PC version.

Things hackers can do, makes my brain hurt....

All I had to do was just uncheck the "enable javascript" box in the settings for both version correct?

Yes, that's right.  :)
Title: Re: Is the mobile onion browser safe?
Post by: b0lixtrader on April 14, 2013, 05:22 pm
Cool cool thank you  :D
Title: Re: Is the mobile onion browser safe?
Post by: livestr0ng on April 15, 2013, 07:42 am
Some people just know so much shit haha. Thanks everybody for posting on my thread. +1 to Wadozo for his/her helpfulness.
Title: Re: Is the mobile onion browser safe?
Post by: 4737Carlin on April 15, 2013, 10:01 am
I'de say yes but I wouldnt use it for orders I use OrBot & Orweb both official gaurdian project apps & it works seamlessly and on my device atleast I can turn java script off but then you wouldnt even be able to login to SR if you turn java off simply because it wont show captch.
Title: Re: Is the mobile onion browser safe?
Post by: b0lixtrader on April 15, 2013, 05:26 pm
I'de say yes but I wouldnt use it for orders I use OrBot & Orweb both official gaurdian project apps & it works seamlessly and on my device atleast I can turn java script off but then you wouldnt even be able to login to SR if you turn java off simply because it wont show captch.
It still shows captcha on phone and desktop version with java off.