Hi,
Below is the current (rough) roadmap and outline of Tor Browser for Android. There remains some uncertainly of some aspects (and timing), but we should be able to make some decisions in Rome.
(Igor, sorry if you wanted to make additional changes - we can continue modifying it this next week)
Thanks, Matt
---------------------------------------------------------------------
The Tor Browser for Android Design Proposal and Roadmap
0. Introduction
Tor Browser for Android, from here on referred to as TBA, is a new implementation of Tor Browser targeted at recent Android platforms. In addition to the existing implementation, where Tor Browser is supported on Microsoft Windows, Apple OS X, and Unix-like systems, Tor Browser for Android will provide similar functionality on Android.
Currently Tor Browser is based on the most recent Mozilla Firefox ESR. Unfortunately, Mozilla does not support an ESR for Firefox for Android, therefore TBA must follow the most recent Mozilla Firefox releases. This reduces the risk introduced by using vulnerable and unsupported code, and allows leveraging Mozilla's teams for support.
Tor Browser for Android will provide an implementation of the Private Browsing Mode, as documented in the Tor Browser Design[0]. Currently, the Guardian Project maintain and support Orfox as the initial implementation of TBA. The goal is using Orfox as a base and improving upon it such that TBA obtains privacy, security, and usability parity with Tor Browser (for Desktop).
1. Roadmap
Over the following one year, we will work toward this goal. If we divide this time frame into quarters, we can set expectations for what will be accomplished.
In Q1 2018:
- Orfox patches will be reviewed and merged into tor-browser.git - Porting Torbutton for TBA will begin. - Porting TorLauncher for TBA will begin - Rebasing TBA patches onto Firefox for Android 60 will begin - A new version of Orfox will be released in parallel with Tor Browser, based on ESR 52.6 - XXX Discuss in Rome with TGP, coordinating releases
In Q2:
- Add TBA into tor-browser-builder and eliminate reproducibility issues - Continue porting Torbutton and TorLauncher including implementing mobile-UI - UI design discussions will take place in Rome - Investigate mobile-specific fingerprinting vectors - Release Orfox updates in parallel with Tor Browser
In Q3:
- TBA is fully reproducible - Release first version of TBA (alpha?) (probably based on Firefox for Android (Fennec) 60) - XXX We can considering coordinating this with an announcement at HOPE XII in July - Begin auditing GeckoView and Mozilla Focus implementation as upstream of TBA - Focus has different "look and feel", evaluate UX impact
In Q4:
- Release first version of TBA with TorLauncher integration
2. Design
Tor Browser for Android will adhere to the Tor Browser design requirements[0] and it will maintain the same adversary model with increasing adversary capabilities. The user interface restrictions present on Android platforms introduce additional obstacles and require re-design and re-implementation of some existing Tor Browser features. However, the end result is maintaining the same "look and feel" on desktop and Android.
3. Adversary Capabilities - Attack
a. Read and change Tor configuration variables through the Tor Control protocol. - An adversary (malicious application) could access the Android IPC mechanism and change the configuration values.
4. Additional Information
- Supported Android versions - Android 6 and above.
5. References:
On Fri, Mar 9, 2018 at 5:54 PM, Matthew Finkel matthew.finkel@gmail.com wrote:
Below is the current (rough) roadmap and outline of Tor Browser for Android. There remains some uncertainly of some aspects (and timing), but we should be able to make some decisions in Rome.
Exciting to see this roadmap! I think one thing that would be useful to include in this document is: what features are required for a minimum viable product (MVP-alpha and MVP-stable)? Probably it's best to frontload implementing those features and postpone everything else. For example, maybe for the first MVP-alpha it's OK not to have new mobile fingerprinting protections, circuit display, pluggable transports, and reproducibility (just hypothetically). I think it will be helpful to have an alpha out as soon as possible.
- Begin auditing GeckoView and Mozilla Focus implementation as upstream of TBA
Perhaps we should doing a preliminary audit of GeckoView and Focus now instead of Q3? Naively, I imagine the way GeckoView and Focus are implemented may have important considerations for how we build TBA. It would be a pity if we have to re-do work because the current TBA design ends up being incompatible with GekoView and Focus.
- Focus has different "look and feel", evaluate UX impact
Again, I think it would be good to look at the UX now rather than after a first UX has been implemented.
In Q4:
- Release first version of TBA with TorLauncher integration
Does this mean TBA-alpha or TBA-stable?
On Fri, Mar 09, 2018 at 07:46:18PM +0000, Arthur D. Edelstein wrote:
On Fri, Mar 9, 2018 at 5:54 PM, Matthew Finkel matthew.finkel@gmail.com wrote:
Below is the current (rough) roadmap and outline of Tor Browser for Android. There remains some uncertainly of some aspects (and timing), but we should be able to make some decisions in Rome.
Exciting to see this roadmap! I think one thing that would be useful to include in this document is: what features are required for a minimum viable product (MVP-alpha and MVP-stable)? Probably it's best to frontload implementing those features and postpone everything else. For example, maybe for the first MVP-alpha it's OK not to have new mobile fingerprinting protections, circuit display, pluggable transports, and reproducibility (just hypothetically). I think it will be helpful to have an alpha out as soon as possible.
Yes, I think this is part of the discussion we should have on Sunday. I was hesitant to put too many details about what we need for an MVP. There are certain required characteristics for something we are comfortable calling "Tor Browser". Personally, I think reproducibility is now an essential quality of a stable release, but maybe we (as a team) are comfortable releasing an alpha version that is not reproducable.
I don't foresee us having enough time for investigating fingerprinting within the next 6 months such that we can evaluate many of the new vectors. We should be able to investigate the currently-known desktop vectors, but the various additional sensors and APIs (?) may add complexity. I haven't looked into this enough at this point.
I know we'll have a discussion about implementing the mobile UI this week, and I think we'll have a better understanding of how much work and time this piece will require. All of these are good points, and I think we should keep them in mind as we work on the larger roadmap.
- Begin auditing GeckoView and Mozilla Focus implementation as upstream of TBAPerhaps we should doing a preliminary audit of GeckoView and Focus now instead of Q3? Naively, I imagine the way GeckoView and Focus are implemented may have important considerations for how we build TBA. It would be a pity if we have to re-do work because the current TBA design ends up being incompatible with GekoView and Focus.
I think there are two goals we have and we should take into account. The first is the current funder. As much as I dislike saying this, we only have a limited amount of time and a relatively tight timeline for shipping this. The second goal is the long-term maintainability and not implementing something now that we know we'll re-implement later after Fennec goes EOL.
I absolutely agree re-doing working will be a shame, and we can prioritize evaluating Focus, but that will delay releasing the Fennec-based version.
- Focus has different "look and feel", evaluate UX impactAgain, I think it would be good to look at the UX now rather than after a first UX has been implemented.
They are very different, I don't know if we can easily reconcile that or design a UI/UX that matches both schemes. We can definitely keep this in mind, though, as we discuss and work on it.
In Q4:
- Release first version of TBA with TorLauncher integrationDoes this mean TBA-alpha or TBA-stable?
I'm hoping this will be TBA-stable (including Tor Launcher), and we'll have a TBA-alpha earlier in the year (mostlikely still depending on Orbot).
-
Arthur D. Edelstein -
Matthew Finkel