The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings.
The Android WebView component upon which Orweb is built, does not pass on the proxy settings for the web page to embedded media players it displays. Additionally, even though the proper API calls are made to turn off all plugins, apparently HTML5 video and audio players not considered plugins, and there is no way to disable them at an API level.
We are currently working to determine which versions of Android these issues occur on. We have a fix implemented that filters all video and audio tag instances out of retrieved content, and on newer versions of Android, that requires a user gesture/tap before media players are loaded.
We expect to have a fix out in the next 24 to 48 hours. In the meantime, if you are using Orweb with the goal of strong anonymity, and not just circumvention or proxying, we advise you to avoid all sites that may include HTML5 video or audio content embedded in the pages, or to just stop using the app all together. Alternatively, you can use Firefox for Android with the Proxy Mobile add-on (load this XPI within Firefox: https://guardianproject.info/releases/proxymob-latest.xpi)
This does NOT affect users who use the root mode with transparent proxying, as that handles proxying the entire traffic of the entire device or a particular app.
Hope this will not effect on me, as I am using root mode with transparent proxying.
Thanks…
Yes, it will not affect you. Also, it does not affect Firefix with the Proxy Mobile add-on.
Crimenethack
I noticed that even on a rooted device and using transparent proxy and the
tethering option selected in Orbot it still shows your own, mobile isp, ip.
I did not manage to fix this. Only the use of a real VPN works
in this case. We now use both m2m vpn and orbot on our mobile devices.
Bas
does the notification “Transparent Proxying ENABLED” appear? When you say “it still shows your own mobile isp ip”, how are you testing that?
Transparent Proxying definitely works on Android devices with root that have the proper iptables option. Make sure to upgrade to our latest 12.0.5 release.
Hi!
Is there another leak because Orweb is exposing the OS version and device name in ‘user-agent’ string when visting
http://ip-check.info -> Start test
Is there any chance to get this user-agent blocked oder replaced by Tor Browser Bundle string?
Greetz
torifyme
Why does the user-agent string expose browser and os version as well as device name? Website for says orweb sets user-agent so “S2″ but that isn’t the case!
Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the http Stream might be able to insert -tags in order to determine the actual ip of the user.
Unfortunately, it is not a fix we can work around using any standard API.
We are now recommending users switch to Firefox with our Proxy Mobile add-on. Full instructions are here: https://guardianproject.info/apps/proxymob/
fgdsgfdsgdgdg
Are you going to publish an update for the html audio video bug? I think it is a high risk because anyone with access to the HTTP stream or HTML code might be able to insert -tags in order to determine the actual ip of the user. Thank you.
Does the “10 Easy Steps” approach to using firefox address java script vulnerabilities?
Ok so a few questions I use orweb to make sure that I’m connected to tor and FireFox to browse the web well my ip on FireFox ip says its something other then orweb is it still safe and one more thing how safe am I downloading files thru FireFox I’m not rooted don’t know if I will b for some time
Hi Jay! No, your current setup probably isn’t safe. By default Orbot+Orweb doesn’t route all internet through Tor, only Orweb is using Tor. To send Firefox through Tor also, you need to install the mobile proxy addon. Visit this page to find the instructions and the download link: https://guardianproject.info/apps/proxymob/
Remember, you can go to https://check.torproject.org to see if you’re correctly connected to Tor in firefox.
I noticed that Orweb on both Google Play and https://guardianproject.info/releases/ were updated on Nov 29 and 30.
Has this IP leak been resolved in Orweb-release-0.5.1.apk?
We were attempting to fix a bug with Android 4.4, that has made proxy setup not work. However, it was not widely successful, only on some devices.
We are moving towards a new major update with Firefox/Mozilla Gecko as the base, which will fix all the leaks issues, and add a number of improvements on other fronts as well. The only downside is that the app will be 20-30M in size. We should have an alpha release out shortly.
Is Orweb based on Firefox, Android ASOP browser, or some other browser?
Orweb is based on the built-in Android
WebView, and therefore inherits all its limitations. We’ve recently decided that those limitations are too restricting, and Google is moving to its ChromeView anyway, so we have started working on Orfox, a privacy browser based on mobile Firefox.It is based on Android AOSP browser “WebView” component for now. We are moving to Firefox Gecko base shortly.
My IP is only concealed if I use my phone’s data plan. If I am connected to WiFi, it will show that address.
Any news?
Whats the best option,orweb,orfox or firefox + addon?
The latest Firefox v31.0 on Android 4.4 leaks the traffic, even with the proxy mobile (v0.0.10) pointing to a TOR proxy.
This doesn’t matter if the TOR proxy is local (Orb on android) or on a remote machine (Tor on a PC). The leakage happens on the tablet itself.
The leakage is web site specific. For example, a very unobnoxious web site http://www.whatisb-12.com always leaks. Many ad links leak through.
Testing the same scenario with a desktop Firefox does not leak.
You can test this by simply watching your router’s web site visit logs while doing the browsing.
Don’t know how long the leaks have been going on. Searching reports on such a problem yield nothing. It’s been unnoticed for too long.
It seems the problem is Firefox android.
Please see this updated news on Orfox, our new Firefox-based app that does not leak data: https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
Just want to follow up to add more details of the setup:
Nexus 7: android 4.4.4
Firefox: v35.0 (the latest)
Proxy Mobile: 0.0.10, from theguardianproject
Proxy setting: SOCKS5 only to local:9050 or :9050
DNS: go through socks, enabled
Leakage occurs on many but not all web sites. The web sites do not seem to have usually content e.g. videos.
When using desktop firefox ESR, SOCKS proxy to the same tor, no leakage.
Please see this updated news on Orfox, our new Firefox-based app that does not leak data: https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
The user agent displayed by http://ip-check.info can be changed from Settings -> User Agent to TorBrowserBundle to be the most generic, however I did noticed at times that the user agent may disclose the device name right when you start Orweb the first time after installation/update.
The bigger issue is the media tags issue though.