Androlyzer

Know more about your apps

App description

Orfox: Tor Browser for Android

info.guardianproject.orfox
Rating: 4.2
Downloads: 5,000,000 - 10,000,000
Version: Fennec-52.2.0esr/TorBrowser-7.0-1/Orfox-1.4-RC-3 (10)
by The Tor Project

Orfox is built from the same source code as Tor Browser (which is built upon Firefox), but with a few minor modifications to the privacy enhancing features to make them compatible with Firefox for Android and the Android operating system.

Orfox REQUIRES Orbot app for Android to connect to the Tor network.

In as many ways as possible, we adhere to the design goals of Tor Browser (https://www.torproject.org/projects/torbrowser/design/), by supporting as much of their actual code as possible, and extending their work into the additional Android components of Firefox for Android.

** Also, includes NoScript and HTTPSEverywhere add-ons built in!

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

Learn more at: https://guardianproject.info/apps/orfox

How is Orfox different than Tor Browser for desktop?

* The Orfox code repository is at https://github.com/guardianproject/tor-browser and the Tor Browser repository is here: https://gitweb.torproject.org/tor-browser.git/. The Orfox repository is a fork of the Tor Browser repository with the necessary modification and Android-specific code as patches on top of the Tor Browser work. We will keep our repository in sync with updates and release of Tor Browser.
* Orfox is built from the Tor Browser repo based on ESR38 (https://dev.guardianproject.info/issues/5146 https://dev.guardianproject.info/news/221) and has only two modified patches that were not relevant or necessary for Android
* Orfox does not currently include the mobile versions of the Tor Browser Button, but this will be added shortly, now that we have discovered how to properly support automatic installation of extensions on Android (https://dev.guardianproject.info/issues/5360)
* Orfox currently allows for users to bookmark sites, and may have additional data written to disk beyond what the core gecko browser component does. We are still auditing all disk write code, and determining how to appropriately disable or harden it. (https://dev.guardianproject.info/issues/5437)

How is Orfox different than Orweb?

Orweb is our current default browser for Orbot/Tor mobile users (https://guardianproject.info/apps/orweb) that has been downloaded over 2 million times. It is VERY VERY SIMPLE, as it only has one tab, no bookmark capability, and an extremely minimal user experience.

Orweb is built upon the bundled WebView (Webkit) browser component inside of the Android operating system. This has proven to be problematic because we cannot control the version of that component, and cannot upgrade it directly when bugs are found. In addition, Google has made it very difficult to effectively control the network proxy settings of all aspects of this component, making it difficult to guarantee that traffic will not leak on all devices and OS versions.

Orweb also only provides a very limited amount of capability of Tor Browser, primarily related to reducing browser fingerprinting, minimizing disk writes, and cookie and history management. It tries to mimic some of the settings of Tor Browser, but doesn’t actually use any of the actual code written for Tor Browser security hardening.

Analysis results

Malicious code

  • Gain superuser privileges
  • Sideload APK

Privacy leaks

  • User Input to HTTP Header
  • User Input to Network
  • User Input to Socket

Confidential sources

  • Calendar
  • Camera hardware
  • Current Wifi info
  • Local images
  • Location
  • Photo
  • Screenshot
  • User Input
  • Wifi MAC address

Suspicious functions

  • Obfuscation

Permissions

  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.INTERNET
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.VIBRATE
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • com.android.browser.permission.READ_HISTORY_BOOKMARKS
  • com.android.launcher.permission.INSTALL_SHORTCUT
  • com.android.launcher.permission.UNINSTALL_SHORTCUT

Features used

  • android.hardware.touchscreen

URLs

Other URLs

  • file:///android_asset/
  • http://example.com
  • http://plus.google.com
  • http://schemas.android.com
  • http://www.google.com
  • http://www.mozilla.org
  • https://accounts.google.com
  • https://api.accounts.firefox.com
  • https://app-measurement.com
  • https://app.adjust.com
  • https://csi.gstatic.com
  • https://f-droid.org
  • https://fennec-catalog.cdn.mozilla.net
  • https://firefox.settings.services.mozilla.com
  • https://googleads.g.doubleclick.net
  • https://guardianproject.info
  • https://incoming.telemetry.mozilla.org
  • https://latest.dev.lcip.org
  • https://location.services.mozilla.com
  • https://login.live.com
  • https://login.yahoo.com
  • https://medium.com
  • https://oauth-stable.dev.lcip.org
  • https://oauth.accounts.firefox.com
  • https://play.google.com
  • https://profile.accounts.firefox.com
  • https://readinglist.dev.mozaws.net
  • https://readinglist.services.mozilla.com
  • https://stable.dev.lcip.org
  • https://support.mozilla.org
  • https://token.services.mozilla.com
  • https://twitter.com
  • https://verifier.accounts.firefox.com
  • https://verifier.login.persona.org
  • https://www.facebook.com
  • https://www.googleapis.com
  • https://www.linkedin.com
  • https://www.paypal.com

Version info

APK hash: e6eea425f0fc47f4fafa062b21bc9af306ea8f64
Other versions:
13/1a187cf4fabe79c815bcb780f8438b2120910366
4/72262715a01b25067369f663da75ef6ceb77fda4
3/f539ed36206dc233ca0641ac6868f23a37dab502
1/36656ce69ec7a06b84059ffb64ddbee3ebffbdb4

Used libraries

  • Google Play services (Private service binding): Google Play services binding library.
  • JSON (Open source, Utility): Library to encode and decode JSON.
  • Google Mobile Ads (Ads): SDK for Google's mobile ad service
  • Android support library (Open source, Utility): Simplify your development by offering more APIs that you can bundle with your application so you can worry less about platform versions
  • Apache HttpClient (Open source, Utility): A repackaging of HttpClient 4.2.3 for Android.

APIs used

  • org.apache.http.message
  • android.database.sqlite
  • java.security
  • javax.net
  • android.view
  • java.net
  • java.nio
  • org.apache.http
  • android.view.accessibility
  • android.content.pm
  • java.lang.reflect
  • android.net.wifi
  • javax.security.auth.x500
  • android.provider
  • org.xmlpull.v1
  • org.apache.http.client
  • org.json
  • android.os
  • android.print.pdf
  • android.webkit
  • android.database
  • java.lang.ref
  • javax.net.ssl
  • android.security
  • android.net.http
  • android.net
  • java.util.concurrent.locks
  • android.location
  • android.media.browse
  • android.widget
  • android.util
  • android.graphics
  • java.security.spec
  • java.nio.charset
  • android.hardware
  • java.text
  • org.w3c.dom
  • android.telephony
  • android.service.media
  • android.content.res
  • android.view.animation
  • android.accounts
  • android.transition
  • dalvik.system
  • org.apache.http.entity
  • java.util.jar
  • java.nio.channels
  • java.io
  • android.preference
  • java.util.regex
  • java.lang
  • java.util.zip
  • org.apache.http.impl.cookie
  • android.app
  • android.opengl
  • android.print
  • java.math
  • android.text.method
  • java.util.concurrent.atomic
  • android.media.session
  • android.graphics.drawable.shapes
  • java.security.cert
  • android.hardware.input
  • org.apache.http.params
  • android.text.style
  • android.view.inputmethod
  • android.accessibilityservice
  • javax.crypto
  • android.graphics.drawable
  • javax.crypto.spec
  • android.hardware.display
  • android.graphics.pdf
  • java.util.concurrent
  • android.animation
  • android.text
  • android.media
  • java.util
  • android.text.format
  • java.security.interfaces
  • org.apache.http.client.methods
  • android.content
  • android.renderscript
  • javax.xml.parsers

Other packages

  • com.adjust.sdk
  • com.adjust.sdk.plugin
  • com.googlecode.eyesfree.braille.selfbraille
  • com.jakewharton.disklrucache
  • com.keepsafe.switchboard
  • com.squareup.leakcanary
  • com.squareup.picasso
  • info.guardianproject.netcipher.proxy
  • org.mozilla.apache.commons.codec
  • org.mozilla.apache.commons.codec.binary
  • org.mozilla.apache.commons.codec.digest
  • org.mozilla.apache.commons.codec.language
  • org.mozilla.apache.commons.codec.net
  • org.mozilla.gecko
  • org.mozilla.gecko.activitystream
  • org.mozilla.gecko.adjust
  • org.mozilla.gecko.animation
  • org.mozilla.gecko.annotation
  • org.mozilla.gecko.background
  • org.mozilla.gecko.background.common
  • org.mozilla.gecko.background.common.log
  • org.mozilla.gecko.background.common.log.writers
  • org.mozilla.gecko.background.common.telemetry
  • org.mozilla.gecko.background.db
  • org.mozilla.gecko.background.fxa
  • org.mozilla.gecko.background.fxa.oauth
  • org.mozilla.gecko.background.fxa.profile
  • org.mozilla.gecko.background.nativecode
  • org.mozilla.gecko.background.preferences
  • org.mozilla.gecko.browserid
  • org.mozilla.gecko.browserid.verifier
  • org.mozilla.gecko.cleanup
  • org.mozilla.gecko.customtabs
  • org.mozilla.gecko.db
  • org.mozilla.gecko.delegates
  • org.mozilla.gecko.distribution
  • org.mozilla.gecko.dlc
  • org.mozilla.gecko.dlc.catalog
  • org.mozilla.gecko.feeds
  • org.mozilla.gecko.feeds.action
  • org.mozilla.gecko.feeds.knownsites
  • org.mozilla.gecko.feeds.parser
  • org.mozilla.gecko.feeds.subscriptions
  • org.mozilla.gecko.firstrun
  • org.mozilla.gecko.fxa
  • org.mozilla.gecko.fxa.activities
  • org.mozilla.gecko.fxa.authenticator
  • org.mozilla.gecko.fxa.login
  • org.mozilla.gecko.fxa.receivers
  • org.mozilla.gecko.fxa.sync
  • org.mozilla.gecko.gcm
  • org.mozilla.gecko.gfx
  • org.mozilla.gecko.health
  • org.mozilla.gecko.home
  • org.mozilla.gecko.home.activitystream
  • org.mozilla.gecko.home.activitystream.menu
  • org.mozilla.gecko.home.activitystream.topsites
  • org.mozilla.gecko.icons
  • org.mozilla.gecko.icons.decoders
  • org.mozilla.gecko.icons.loader
  • org.mozilla.gecko.icons.preparation
  • org.mozilla.gecko.icons.processing
  • org.mozilla.gecko.icons.storage
  • org.mozilla.gecko.javaaddons
  • org.mozilla.gecko.lwt
  • org.mozilla.gecko.mdns
  • org.mozilla.gecko.media
  • org.mozilla.gecko.menu
  • org.mozilla.gecko.mozglue
  • org.mozilla.gecko.notifications
  • org.mozilla.gecko.overlays
  • org.mozilla.gecko.overlays.service
  • org.mozilla.gecko.overlays.service.sharemethods
  • org.mozilla.gecko.overlays.ui
  • org.mozilla.gecko.permissions
  • org.mozilla.gecko.preferences
  • org.mozilla.gecko.promotion
  • org.mozilla.gecko.prompts
  • org.mozilla.gecko.push
  • org.mozilla.gecko.push.autopush
  • org.mozilla.gecko.reader
  • org.mozilla.gecko.restrictions
  • org.mozilla.gecko.search
  • org.mozilla.gecko.sqlite
  • org.mozilla.gecko.sync
  • org.mozilla.gecko.sync.crypto
  • org.mozilla.gecko.sync.delegates
  • org.mozilla.gecko.sync.middleware
  • org.mozilla.gecko.sync.net
  • org.mozilla.gecko.sync.repositories
  • org.mozilla.gecko.sync.repositories.android
  • org.mozilla.gecko.sync.repositories.delegates
  • org.mozilla.gecko.sync.repositories.domain
  • org.mozilla.gecko.sync.repositories.downloaders
  • org.mozilla.gecko.sync.repositories.uploaders
  • org.mozilla.gecko.sync.setup
  • org.mozilla.gecko.sync.setup.activities
  • org.mozilla.gecko.sync.stage
  • org.mozilla.gecko.sync.synchronizer
  • org.mozilla.gecko.sync.telemetry
  • org.mozilla.gecko.tabqueue
  • org.mozilla.gecko.tabs
  • org.mozilla.gecko.telemetry
  • org.mozilla.gecko.telemetry.measurements
  • org.mozilla.gecko.telemetry.pingbuilders
  • org.mozilla.gecko.telemetry.schedulers
  • org.mozilla.gecko.telemetry.stores
  • org.mozilla.gecko.text
  • org.mozilla.gecko.tokenserver
  • org.mozilla.gecko.toolbar
  • org.mozilla.gecko.trackingprotection
  • org.mozilla.gecko.updater
  • org.mozilla.gecko.util
  • org.mozilla.gecko.util.publicsuffix
  • org.mozilla.gecko.widget
  • org.mozilla.gecko.widget.themed
  • org.mozilla.javaaddons