
Onion Browser (iOS Tor web browser, open source) now available in the App Store - mtigas
http://v3.mike.tig.as/onionbrowser/
======
ScottWhigham
Very cool - just bought.

One confusing thing I found is that, when I typed in "onion browser" into my
iPhone's App Store Search field, three results came back. I found myself not
really know which one was truly yours (yours was actually #2 search result).
It would have been helpful if, in the screenshots on this page, you showed the
logo. The logo is shown in the App Store so that would've made it a slam dunk,
easy decision.

~~~
mtigas
Thanks for the heads up — deploying a new version of the product page that has
a version of the icon in the header.

------
kijin
Just a heads up: Tormail.net (in the last screenshot) is now Tormail.org.
Whoever runs the service was apparently foolish enough to transfer their non-
Tor domain to a Russian registrar. It's disappointing that someone who claims
to care about privacy doesn't check RSF's press freedom index before choosing
a country to register their domain in.

[https://opusmagnus.wordpress.com/2012/04/21/tormail-net-
has-...](https://opusmagnus.wordpress.com/2012/04/21/tormail-net-has-moved/)

------
schwanksta
Just bought it and it works very well. And it's open source, which is
refreshing for an app store app.

~~~
masonlee
It would be sweet for trusted computing if developers were able to submit
source directly to an app store for the app store to compile, sign, and make
available along with the binaries.

~~~
samstave
Call it Git-y-app.

------
pooriaazimi
I bought it right away (I could've built it myself, but didn't feel like
opening Xcode). It doesn't work unfortunately (I'm in Iran).

~~~
mtigas
I’ll make it a priority to allow using bridges. Unfortunately, since Iran is
known to block pretty much all Tor access (even regular, unlisted bridges), it
may still not work.

Getting around this entirely would require obfsproxy[1] which wouldn’t work on
iOS the way I have it set up due to the inability to spawn sub processes. (Tor
client, when configured to use obfsproxy bridges, has to spawn an obfsproxy
process to handle the obfusctaed traffic.)

[1]: <https://www.torproject.org/projects/obfsproxy.html.en>

------
richbradshaw
For people trying to build, just a few things to know:

I had to install ccache before libssl would compile. Make sure you build
libssl before libevent. In the icons folder is a install script to download
the icons.

Otherwise compiles well. The anonymity of the .onion sites scares me. I have a
very strong suspicion that one day SSL (i.e. symmetric encryption with no
backdoor) will be illegal in many countries.

~~~
Aloisius
_The anonymity of the .onion sites scares me._

The content of a lot of .onion sites scares me. Definitely a higher
concentration of crazy than I'm used to on the internet.

~~~
PaperclipTaken
This is one of the big problems that most people have with anonymity, but I
believe that the freedom of speech is important. If the government has the
capability to shut down the scary stuff like child porn, it also has the
ability to shut down important stuff like criticism.

These corners of the internet aren't pretty but they play an important role
within our society.

~~~
woodall
I might have read your comment wrong but are you

a) comparing child pornography to political criticism

b) saying that it "play[s] an important role within our society".

Can you elaborate?

~~~
PaperclipTaken
Sorry that's not how I meant to state it.

It's not the child pornography that is important to society. It's the freedom
of speech, and the security that speech has against regulation from the
government. Tor is a place where a person can securely make any sort of
criticism that they want, and that security is important.

An unfortunate (but unavoidable) side effect of that security is that child
pornographers also receive the same security.

------
josyw
Not very sure if this is by design/expected, but capturing packets from a
freshly booted iPad seems to indicate that the browser leaks DNS queries and
HTTP GET requests when visiting YouTube through this browser. I am
transmitting outside the tunnel

1) DNS query to YouTube cache server 2) GET request to Google's servers for
/videoplayback

This seems isolated to the QuickTime player only. No other DNS queries or
traffic appears to be visible. I suggest you warn users that video playback
does not go through the tunnel.

~~~
mtigas
Ah crap, hadn’t tested video player too. Will note that, thanks.

------
nthitz
Wow I'm a little surprised Apple let this one through! Looks neat!

~~~
mtigas
There’s another one (Covert Browser) that’s been in the store since November
that’s got a few issues (lack of cookie support, lack of POST support) that
render a lot of websites useless.

Generally I don’t think this is (on the face) any worse than a regular third-
party browser app: Other apps (games are a great example) are free to
implement custom communication protocols and there are plenty of unsavory /
underground / illicit websites on the regular internet. Tor has a lot of
legitimate and illegitimate uses, but that can pretty much be said of web-
based communication in general.

~~~
showerst
Just chiming in to say nice work Mike, and that it's nice to see another
former Plus-One'r around these parts =)

------
ja27
Anyone else trying to build it? Getting an error from the build-libssh.sh
after openssl-1.0.1.tar.gz is downloaded:

tar: Code/iOS-OnionBrowser/build/src: Not found in archive

~~~
mtigas
What OS X and iOS SDK are you running with? You mind filing a bug if you have
a GitHub account? <https://github.com/mtigas/iOS-OnionBrowser/issues>

I might have some dependencies that I’ve neglected to mention (since I use
homebrew a ton) and I’m trying to nail down the build scripts to be a bit more
portable.

~~~
ja27
It was spaces in the path to where I was trying to build from. Breaking
scripts for decades. It's building now.

------
nextparadigms
Is it compatible with Apple's policies? I thought they don't allow open source
apps in the appstore. Or is that only for the GPL license?

~~~
178
It depends who puts it in the store. The author still has all the rights to
the software no matter if he puts it under GPL, but puttng it under GPL
doesn't give anyone else the right to sell it in the app store.

Edit: Also, the app in question is under MIT and the used libraries under
various permissive licences ([https://github.com/mtigas/iOS-
OnionBrowser/blob/master/LICEN...](https://github.com/mtigas/iOS-
OnionBrowser/blob/master/LICENSE)).

------
mike-cardwell
For people with Android phones, check out Orbot -
<https://guardianproject.info/apps/orbot/> \- It's Tor for Android. It's an
incredibly well polished app. If you have root, it will let you individually
and transparently torify _any_ app. If you don't have root, individual app
will need to support socks proxies in order to go through Tor.

It supports bridges, and it will even let you run a relay and/or hidden
service directly from your phone.

I've had this idea for a while now of building an SMS-like app that runs
entirely over hidden services for users with Orbot installed. If I send you a
message this way, nobody knows that you received one, that I sent one, or what
the message contained, and it wouldn't require me to set up any server
infrastructure as it would be entirely peer to peer over Tor.

------
redthrowaway
What's the speed like? Tor on my laptop ranges from slow to unusable; I assume
the same is true of the iOS app?

~~~
evoxed
What exactly do you consider slow? Most recently I was getting a consistent
500kB/s downstream on my laptop [edit: while grabbing some rather large PDFs,
so continuous downloading]. I've yet to give it a go on iOS.

~~~
redthrowaway
Perhaps it's gotten better lately, but I found browsing with Tor last time I
did it to be painfully slow, with some pages taking forever to load. Didn't
run a speedtest, though.

~~~
jmspring
In general, your experience with Tor/Onion routing, will be wholly dependent
upon the path setup for your requests. I've been using Tor on and off for
years, sometimes experiences are good, sometimes they aren't.

If you are looking for a general approach to obscure your browsing from an
employer's network, but don't need the whole feature set of Tor, you are
better off setting up a proxy to a remote machine. If you truly need the
greater anonymizing of Tor and are willing to take possible latency / speed
impacts, do so. Just don't expect it to be optimal for the first case when
doing general browsing.

It is great to see the Onion Browser available so readily/easily.

------
bonjourmr
Somewhat slow here in Aus using Telstra 3G, 45 seconds to connect to TOR
network and about 7-12 seconds to return search results form DDG. Good app
though and am looking forward to browsing in privacy, thanks.

~~~
bonjourmr
After having the app in the background for a few hours, I tried to use it to
browse again but nothing happening. I had to force close the app and restart
it to be able to use it. Is this normal and, if not, is this a known issue
that is going to be corrected? Edit: in fact, it seems to do this as soon as
my phone times out into auto-sleep :/

~~~
mtigas
This is the biggest glaring bug on the app right now.[1] Doesn’t seem to
always affect the app (~30% of the time) when backgrounding to another app or
if the phone is manually locked, but more regularly (>75%) happens when the
phone idle sleeps.

I’m trying to nail this down, but it’ll likely take me some time to find a
real fix.

[1]: <https://github.com/mtigas/iOS-OnionBrowser/issues/2>

------
frou_dh
Hey, thanks! I like having this on an "appliance-like" device like the iPad
because the app is necessarily self-contained and I don't have to worry about
it making system-level changes or unwanted interactions with other software.

------
d4sh
Only available in the US, too bad.

~~~
mtigas
Actually: should be available everywhere except France right now. (Selling
encryption apps to France apparently requires an "export compliance approval"
from the French government, and I haven’t gone through that process yet —
primarily because I don't speak French.)

Let me know if that's not the case and I’ll double-check my settings in iTunes
Connect.

~~~
d4sh
Well, it seems I should have said "not available in France", sorry for the mix
up, I only checked French and US stores.

~~~
mtigas
No need to be sorry — a good reminder that I should mention that somewhere
since it’s a strange quirk of legality that affects literally _one_ App Store
country. Thanks!

