New Release: Tor Browser 10.0a8 (Android Only)

by sysrqb | October 8, 2020

Android Tor Browser 10.0a8 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

We are happy to announce the first alpha for Android users based on Fenix 81. The Desktop version was released at the end of September.

Over the last four months we adjusted our toolchains, finished our proxy audit, re-implemented the user interfaces, and fixed a lot of issues that came down on us due to the switch from Firefox 68esr to Fenix.

Tor Browser 10.0a8 ships with Fenix 81.1.2 (see Mozilla's blog post for more information about this new browser). As this is the first alpha version based on Fenix we expect more bugs than usual. Please report them (with steps to reproduce), either here or on Gitlab, or essentially with any other means that would reach us. We are in particular interested in potential proxy bypasses which our proxy audit missed.

Note: We are aware of two reproducibility issues in this version. The first issue is coming from the ordering of symbols. The second issue is due to the order in which supported locales are added.

The full changelog since Tor Browser 10.0a6 is:

  • Android
    • Update Fenix to 81.1.2
    • Update Tor to 0.4.4.5
    • Update NoScript to 11.0.46
    • Bug 10394: Let Tor Browser update HTTPS Everywhere
    • Bug 11154: Disable TLS 1.0 (and 1.1) by default
    • Bug 16931: Sanitize the add-on blocklist update URL
    • Bug 17374: Disable 1024-DH Encryption by default
    • Bug 21601: Remove unused media.webaudio.enabled pref
    • Bug 30682: Disable Intermediate CA Preloading
    • Bug 30812: Exempt about: pages from Resist Fingerprinting
    • Bug 32886: Separate treatment of @media interaction features for desktop and android
    • Bug 33534: Review FF release notes from FF69 to latest (FF78)
    • Bug 33594: Disable telemetry collection (Glean)
    • Bug 33851: Patch out Parental Controls detection and logging
    • Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
    • Bug 33862: Fix usages of createTransport API
    • Bug 33962: Uplift patch for bug 5741 (dns leak protection)
    • Bug 34125: API change in protocolProxyService.registerChannelFilter
    • Bug 34338: Disable the crash reporter
    • Bug 34377: Port padlock states for .onion services
    • Bug 34378: Port external helper app prompting
    • Bug 34401: Re-design Connect screen on Android
    • Bug 34402: Re-design Network Settings Screen on Android
    • Bug 34403: UI changes for "Only Private Browsing Mode" on Android
    • Bug 34405: Re-design about:tor on Android
    • Bug 34406: Re-design onion indicators for Android
    • Bug 34407: Review all Fenix menu items
    • Bug 40001: Start Tor as part of the Fenix initialization
    • Bug 40001: Generate tor-browser-brand.ftl when importing translations
    • Bug 40002: Ensure system download manager is not used
    • Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
    • Bug 40003: Adapt code for L10nRegistry API changes
    • Bug 40004: Fix noscript message passing for Firefox 79
    • Bug 40005: Modify WebExtensions Menu
    • Bug 40006: "Only Private Browsing Mode" on Android
    • Bug 40006: Add Security Level plumbing
    • Bug 40007: Port external helper app prompting
    • Bug 40007: Move SecurityPrefs initialization to the StartupObserver component
    • Bug 40008: Style fixes for 78
    • Bug 40009: Change the default search engines
    • Bug 40010: Verify Sentry is disabled
    • Bug 40011: Verify Leanplum is disabled
    • Bug 40011: Hide option for disallowing addons in private mode
    • Bug 40012: Verify Adjust is disabled
    • Bug 40013: Timestamp is embedded in extension manifest files
    • Bug 40013: Verify InstallReferrer is disabled
    • Bug 40014: Verify Google Ads ID is disabled
    • Bug 40014: Set correct default Security Level
    • Bug 40015: Modify Fenix Home Menu
    • Bug 40016: Modify Fenix Settings Menu
    • Bug 40016: Update Snowflake to discover NAT type
    • Bug 40017: Audit Firefox 68-78 diff for proxy issues
    • Bug 40018: Disable Push functionality
    • Bug 40019: Ensure missing Adjust token does not throw an exception
    • Bug 40023: Rebase Tor Browser esr78 patches onto 80 beta
    • Bug 40026: Implement Security Level settings
    • Bug 40028: Implement bootstrapping and about:tor
    • Bug 40029: Rebase Fenix patches to 81.1.0b1
    • Bug 40030: Install https-everywhere and noscript addons
    • Bug 40031: Hide Mozilla-specific items on About page
    • Bug 40032: Disallow Cleartext Traffic
    • Bug 40034: Disable PWA
    • Bug 40038: Review RemoteSettings for ESR 78
    • Bug 40035: Maybe hide Quick Start in release
    • Bug 40039: Implement Bridge configuration from Connect screen
    • Bug 40040: Investigate why bootstrapping fails
    • Bug 40041: Implement Network settings
    • Bug 40042: Timestamp is embedded in extension manifest files
    • Bug 40044: Fixup Connect, Onboarding, and Home screens
    • Bug 40048: Disable various ESR78 features via prefs
    • Bug 40054: Search engines on mobile Tor Browser don't match the desktop ones
    • Bug 40058: Hide option for disallowing addon in private mode
    • Bug 40061: Do not show "Send to device" in sharing menu
    • Bug 40063: Do not sort search engines alphabetically
    • Bug 40064: Modify Nighty (and Debug) build variants
    • Bug 40066: Remove default bridge 37.218.240.34
    • Bug 40066: Enable Snowflake on Beta
    • Bug 40066: Update existing prefs for ESR 78
    • Bug 40067: Make date on Fenix about page reproducible
    • Bug 40069: Add helpers for message passing with extensions
    • Bug 40072: Bug 40072: Disable Tracking Protection
    • Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere
    • Bug 40073: Disable remote Public Suffix List fetching
    • Bug 40082: Let JavaScript on safest setting handled by NoScript again
    • Bug 40091: Load HTTPS Everywhere as a builtin addon
    • Bug 40095: Review Mozilla developer notes for 79-81 (including)
    • Bug 40096: Review closed Mozilla bugs between 79-81 (inclusive) for GeckoView
    • Bug 40097: Rebase browser patches to 81.0b1
    • Bug 40098: Initialize torbutton for Geckoview and make sure its features work as expected in Fenix
    • Bug 40112: Check that caching stylesheets per document group adheres to FPI
    • Bug 40119: Update Fenix dependencies for 81.1.2
    • Bug 40125: Geckoview: Expose security level interface
    • Bug 40172: Security UI not updated for non-https .onion pages in Fenix
    • Bug 40173: Initialize security_slider in GeckoView at 4
    • Translations update
  • Build System
    • Android
      • Bump Go to 1.14.7
      • Bug 33556: Add TBB project for android-components
      • Bug 33557: Update Android toolchain for Fenix
      • Bug 33558: Update tor-onion-proxy-library to use toolchain for Fenix
      • Bug 33559: Update tor-android-service to use toolchain for Fenix
      • Bug 33561: Update OpenSSL to use Android NDK 20
      • Bug 33563: Update Tor to use Android NDK 20
      • Bug 33564: Update ZSTD to use Android NDK 20
      • Bug 33626: Add project for GeckoView
      • Bug 33670: Update rbm.conf to match NDK 20
      • Bug 33801: Update Go project to use new Android toolchain
      • Bug 33833: Update Rust project to use Android NDK 20
      • Bug 33927: Add tor-browser-build project for fenix
      • Bug 33935: Fenix's classes5.dex files are not reproducible
      • Bug 33973: Create fat .aar for GeckoView
      • Bug 34011: Bump clang to 9.0.1
      • Bug 34012: Bump cbindgen to 0.14.3
      • Bug 34013: Bump Node to 10.21.0
      • Bug 34014: Enable sqlite3 support in Python
      • Bug 34101: Add tor-browser-build project for application-services
      • Bug 34163: testbuild target is broken for Tor Browser 64 bit
      • Bug 34187: Update zlib to use Android NDK 20
      • Bug 40010: Add nss project for application-services
      • Bug 40011: Add sqlcipher for application-services
      • Bug 40029: Clean-up all projects to remove fennec bits we don't need for fenix
      • Bug 40031: Add licenses for kcp-go and smux.
      • Bug 40039: Remove version_path in nss project
      • Bug 40040: Wire geckoview, application-services, android-components, and fenix together
      • Bug 40054: Adapt build.android script in tor-browser project for fenix
      • Bug 40055: Integrate building Glean in offline mode
      • Bug 40057: Include translations into build process in the fenix world
      • Bug 40058: Build Fenix with tor-android-service and tor-onion-proxy-library
      • Bug 40060: Set Fenix Version Name in build
      • Bug 40061: Remove Android SDK 28
      • Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1
      • Bug 40068: Bump versions for Fenix 81.1.0b1 dependencies
      • Bug 40072: Tor libraries are missing in final .apk after switch to 81.1.0b1
      • Bug 40076: Use our android-components repo on GitLab
      • Bug 40078: Bump Gradle version for Fenix to 6.5.1
      • Bug 40084: Generation of AndroidManifest.xml is not reproducible
      • Bug 40085+40086: classes.dex files are not reproducible in Fenix
      • Bug 40087: Deterministically add HTTPS Everywhere into omni.ja
      • Bug 40088+40117: Use MOZ_BUILD_DATE for extension manifest timestamps
      • Bug 40093: Ensure application-services libs do not include libc networking symbols
      • Bug 40094: Aarch64 fenix rust cross-compilation fails
      • Bug 40095: The pattern for the apk variable in build.android is matching too much
      • Bug 40101: Pick up Fenix 81.1.1
      • Bug 40105: Enhance Gradle dependency script (sort deterministically and exclude .module files)
      • Bug 40106: Support using geckoview as well
      • Bug 40108: android-components does not bundle tooling-glean-gradle archive, only .pom file
      • Bug 40113: Nightly Android should use Nightly branding

Comments

Please note that the comment area below has been archived.

October 08, 2020

Permalink

When will the Android version of the tor 10 browser be released?is android version 10 based fenix?

10.0a8 is based on Fenix. We will release on more alpha version in the coming week (10.0a9), and if that version does not have any more significant problems, then we will release that as 10.0.3 in the coming week.

October 08, 2020

Permalink

Heads-up: "intl.accept_languages" and "intl.locale.requested" are reset on every browser start and will just leak _current device locale_. So either modify them on each and every start or change *device* locale in Android Settings to English (US).

October 09, 2020

Permalink

Analyzed the apk with ClassyShark3xodus:

3 trackers = 475 classes

Adjust
Google Firebase Analytics
LeanPlum

*Adjust
157com.adjust.sdk.

*Google Firebase Analytics
1com.google.firebase.analytics.

*LeanPlum
317com.leanplum.

Please remove this trackers from Tor browser, I definitely don't want Google Analytics in tor browser!