Two Tor Browser Apps in the App store

There are two Tor browsers on the app store. One is full of trackers and calls itself “official”; the other “seems” legit (I think I found it on F-Droid, too).

I don’t really understand the process apps go through to end up in your store (being the newcomer that I am), but it is concerning to find obvious scam apps, especially something as sensitive as Tor.

Is there a way to trace the origin of an apk on your store?


2 Likes

I (re)installed Tor Browser version 10.0.12 (86.1.0-Release) which I downloaded from F-Droid. It comes from the Guardian Project official release.

I then used Warden to check it for trackers, and much to my surprise, the result was this:

Does anyone know what Adjust, Google Firebase Analytics and LeanPlum do as trackers? Are those false positives?

Thanks!

I have also seen that there are 2 apps.

This is from Tor project’s homepage
https://tb-manual.torproject.org/mobile-tor/
https://support.torproject.org/tormobile/tormobile-7/

Hope it can help you find the correct one!

1 Like

I went on the Tor Browser official website, and downloaded the apk directly from there. I then verified its signature, which yielded a “good signature” result, which means I got the exact .apk file the Tor project intends users to get. Finally I used Warden again, and found that the same 3 trackers are also present.

After a bit of online digging, I found that the Adjust SDK tracker seems to have this role: “The intention is to determine the origin of Fennec [i.e. Firefox Mobile] installs by answering the question, ‘Did this user on this device install Fennec in response to a specific advertising campaign performed by Mozilla?’”

The leanplum tracker seems to come from (wait for it) Leanplum, whose business is “multi channel customer engagement”. I also found this page, “start tracking with Leanplum”, which does not, to say the least, look good.

Finally, according to this site, “Google Firebase is a Google-backed application development software that enables developers to develop Android, iOS, and Web apps. Firebase provides tools for tracking analytics, reporting and fixing app crashes, and creating marketing and product experiment.”

I want to make it clear that what I found online may not be accurate; please correct me if something seems wrong. The fact that there is a Google tracker in the Tor Browser is enough to not use it on my phone. I suppose those trackers come from the Firefox app and were not yet removed by the Tor Project.

1 Like

Wow, great research!

As soon as I noticed trackers, I thought this is something coming from a third party who bundled the pristine Tor Browser with trackers for whichever reason. But your assumption may be correct, though it is also weird that Mozilla itself bundles Firefox with trackers. Did you confirm this, or is it still an assumption?

I myself use the Tor app from F-Droid.

1 Like

Here’s a screenshot showing which trackers are present in the official Firefox for Android app:

They are the same as those in the Tor Browser app, with the addition of the Google AdMob tracker. My assumption seems to gain some strength.

However, I do not know enough about trackers and how apps function to know if the fact that the trackers are present means that they are active in the Tor Browser.
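
On the presence-versus-active question above, an added example (not from any poster, and not Warden's own code) of one way a static tracker scan can work: it matches SDK package prefixes against the string table of each `classes*.dex` in the APK. The prefixes are assumptions taken from the SDKs' public package names, and the APK is a constructed stub built in memory. A match shows only that the SDK's classes are bundled, not that they are ever executed.

```python
import io, struct, zipfile

# Assumed package prefixes (DEX descriptor form) for the SDKs named in the thread.
TRACKER_PREFIXES = {
    "Adjust": "Lcom/adjust/sdk/",
    "Google Firebase Analytics": "Lcom/google/firebase/analytics/",
    "LeanPlum": "Lcom/leanplum/",
}

def dex_strings(dex: bytes):
    """Yield every entry of a DEX file's string table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header fields: string_ids_size at 0x38, string_ids_off at 0x3C.
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for (off,) in struct.iter_unpack("<I", dex[table_off:table_off + 4 * count]):
        while dex[off] & 0x80:          # skip the ULEB128 length prefix
            off += 1
        off += 1
        end = dex.index(b"\x00", off)   # string data is NUL-terminated
        yield dex[off:end].decode("utf-8", errors="replace")

def scan_apk(apk) -> dict:
    """Map tracker name -> sorted class descriptors found in classes*.dex."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            for s in dex_strings(zf.read(name)):
                for tracker, prefix in TRACKER_PREFIXES.items():
                    if s.startswith(prefix):
                        hits.setdefault(tracker, set()).add(s)
    return {t: sorted(v) for t, v in hits.items()}

def build_sample_apk(strings) -> io.BytesIO:
    """Constructed input: a zip holding a header-plus-string-table DEX stub."""
    data_off = 0x70 + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"   # lengths < 128 only
    header = b"dex\n035\x00".ljust(0x38, b"\x00") + struct.pack("<II", len(strings), 0x70)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", header.ljust(0x70, b"\x00") + ids + data)
    return buf

if __name__ == "__main__":
    print(scan_apk(build_sample_apk(["Lcom/adjust/sdk/Adjust;", "Lorg/mozilla/gecko/GeckoApp;"])))
```
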