Since Mozilla isn't willing to allow more than 18 pre-selected add-ons on the release and beta channels of Firefox for Android, forks like Iceraven fulfill an unmet need for users who want access to more add-ons, but don't want the occasional instability of the nightly channel.
One thing that is still missing from Iceraven, Mull, etc. is the ability to sideload add-ons that are not published on addons.mozilla.org. Currently, anyone who wants to use a private Firefox add-on that is not suitable to be published on AMO must install v68 of Firefox or v68 of a fork like Fennec F-Droid.
Edit 2: It worked in SmartCookieWeb-Preview. I had to go into about:config and set "xpinstall.signatures.required" to "false" before sideloading the add-on in the settings (Advanced settings > Sideload XPI). I hope this app makes it into F-Droid soon.
How would you install outside AMO on Android? When I click on a link to any .xpi file (signed or not), or navigate to its URL, Firefox just prompts me to download the file with no option to install the add-on. Unlike v68 and earlier, the current version of Firefox for Android (any channel) doesn't offer an action to open the .xpi in Firefox when I open it from my file manager. It doesn't seem to matter whether I have "xpinstall.signatures.enabled" disabled or not.
The other part of the issue is that I don't think I should have to ask Mozilla for permission to use a private add-on in Firefox on my own device, or show Mozilla the source code to the add-on before I can install it. What I do in a web browser on my device is not really Mozilla's business. Mozilla lists privacy as Principle 4 in its manifesto, so I think they should be able to understand this reasoning:
> Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.
I just installed an extension this way recently, so either they disabled this in the last month or so or its still a thing, but gp didn't set things up correctly.
2. If you are on a mobile browser, switch to desktop mode.
3. Tap or click "Add to Firefox".
Results:
- Prompt to install add-on: Firefox v68 (Android), Fennec F-Droid v68, Firefox v95-97 (desktop, all channels)
- Prompt to download .xpi file: Firefox v95-97 (Android, all channels), Iceraven v1.14, Mull v95, Fennec F-Droid v95
The results are exactly the same for any .xpi (signed or unsigned) that I self-host on another website. If you get different results, or if I'm doing it wrong, please correct me.
Still that would leave one of my favourite add-ons out :( (the bypass paywalls one). Mozilla has refused it in their store. Would love to have that one on mobile.
Thanks I'll try it! I had seen that fork before but the main reason for it to exist (specifying the sites in advance instead of allowing all sites) had also been incorporated in the original plugin.
I'm very surprised this one is available in the mozilla catalog and the original isn't.
If you are rooted, you can also force your own add-ons into stable firefox like so:
USER=16201230
COLLECTION=What-I-want-on-Fenix
cd /data/data/org.mozilla.mozilla.firefox/files
curl -o mozilla_components_addon_collection_*.json "https://addons.mozilla.org/api/v4/accounts/account/$USER/collections/$COLLECTION/addons/?page_size=50&sort=-added"
touch -a -m -t 203012300130.00 mozilla_components_addon_collection_*.json
edit: remove fennec fdroid because TIL that it already has the same add-on override that the FF nightly has. So there is no need for this hack if you have fennec.
Tested just now and can confirm that it works. You don't even need root if you are using lineageOS, just enable the root debug shell in android settings.
Fennec exists and its already on the F-Droid. Goals are different but probably close enough.
The biggest thing I miss is full add-on support. Not having CleanURLs and an AMP redirector suck despite add-ons existing for desktop that don't really need a mobile UI.
What are HN's thoughts about the security of F-Droid? I always see neat app ideas like the one in the parent comment, but I've been afraid of what I don't know security wise.
Everything being built centrally and transparently by an established group puts it leagues ahead of any other app store in my mind. Installing other people's software will always be a potential security problem, but that is unavoidable now.
As trustworthy as any Linux distro repository. Which is to say, everything built from public sources, and much of it patched and audited. I'm very grateful for F-Droid.
It's a poor idea to blindly assume anything you're capable of installing must be fine. That's been true for thirty years, whether you're talking about F-Droid, the Play Store, or Windows 98 and a downloaded executable. I had no problem taking a few minutes to think about what I was doing back then and I still don't.
One of the important Android security features is the signature enforcement model. All Android apps must be signed, and the OS will refuse to install updates to an app if the signature doesn't match the currently installed version. [1] On the Play Store, apps are signed by each individual developer. Consequently, as long as the APK file distributed by the Play Store was not compromised at the time of initial install, this security feature guarantees that any updates distributed through the Play Store are coming directly from the app developer and have not been modified by Google or any other party. (Play Store, Play Services and the other system-level Google apps have a wide array of scary permissions, so you should assume it's still possible through some convoluted "backdoor" method. That's a separate discussion, though.) You can also check the signature of any app on your phone manually using a tool like Checkey [2], or by extracting the APK file and using apksigner from the Android SDK.
F-Droid sort of breaks the signature enforcement model because apps on F-Droid are signed by the F-Droid server, rather than the individual app developers.
If you trust the app developer (as you should, especially with proprietary software, but also with complex/harder-to-audit open source software like web browsers), the "developers sign their own apps" model is probably ideal. Android's strict sandbox and permission model reduces the amount of trust you need to place in individual developers anyway.
On the other hand, if you trust F-Droid, you can be reasonably confident that the APK file you receive from F-Droid corresponds to the source tarball from F-Droid, and you can inspect the source to verify that the APK doesn't contain malware. Additionally, the F-Droid team manually reviews the source code for each app before approving it. But keep in mind that if F-Droid were compromised, it would be easy to sneak malware into any app on the store.
Overall, I would trust F-Droid for most purposes and think it's probably a better place to install apps than the Play Store. I still prefer APK files signed directly by the original developer for critical apps like Signal. In fact, one of the reasons Signal isn't on F-Droid is because the developer doesn't believe it provides enough security. [3] You can download the Signal APK from their website rather than from the Play Store, and it even has an auto-updater built in.
Indeed. I wonder why Mozilla insists on making it as difficult as possible to sideload extensions on Firefox for Android. I understand compatibility concerns, but surely requiring the user to enable a hidden menu option and click through a warning screen is adequate?
For half of what CleanURLs does, you can use uBlock Origin. It has a filterlist that removes tracking parameters, etc. It will not however clean links on copy.
The way supported add-ons work right now is that there's a list (AKA a collection) of supported add-ons maintained by Mozilla that you see on a phone by default.
They allow direct installs of add-ons that they know were tested properly and work fine on a phone, not those where they can't guarantee that level of stability (while still giving you that as an option if you feel like experimenting).
I don't see how that's arbitrary, I see it as a well thought out process, even if I wish more add-ons were added to that collection.
I agree that there should be more allowed add-ons. Engineering didn't put in all the effort to implement the add-ons APIs on Mobile only for it to be restricted to such a small set. Unfortunately that's a product decision.
> he way supported add-ons work right now is that there's a list (AKA a collection) of supported add-ons maintained by Mozilla that you see on a phone by default.
They're not maintained by Mozilla, but they're "recommended" and are reviewed more thoroughly.
Unfortunately it seems that at some point they've also talked themselves into believing that continuing to run add-ons within the main browser process has suddenly become the height of irresponsibility and absolutely and totally unsafe, so a few add-ons are grudgingly permitted with additional scrutiny given during review, but
- they don't want expand that process further, because it's counter to the direction that AMO has been moving (from manual pre-publication review of all public add-ons towards automated checks and only manual post-publication spot checks)
- running add-ons in a separate process as on Desktop isn't possible, because on Android secondary processes can get killed at any time, which add-ons aren't set up to handle correctly
For some reason I've only seen this explanation buried somewhere inside some Mozilla's Discourse forum (I think, if I remember correctly), but I think not much (if at all) as an explanation in the Github issue tracker and certainly never on the official Add-ons blog.
Though I have to admit that even if the above explanation was given a wider airing, for me it already smacks too much of "the safest computer is one you never turn on" and I'd still be unhappy about the add-ons situation and continue complaining.
> running add-ons in a separate process as on Desktop isn't possible, because on Android secondary processes can get killed at any time, which add-ons aren't set up to handle correctly
That's true (though it will probably improve as WebExtensions evolves toward service workers), but engineering wasn't hung up on that.
On the engineering side, there aren't any good reasons. Engineering didn't put in all the effort to implement the add-ons APIs on Mobile only for it to be restricted to such a small set. It's product management's decision.
Yep, I use this to get vimium-FF on Fennec. It's a little fiddly to setup but it's just another item on the long list of tweaks to make Android tolerable.
If you just want extension support without a whitelist, Firefox Nightly for Android lets you supply a custom list of extensions (called an AMO) which you can add any extension to.
It's a bit inconvenient but you only need to do it once. I like Kiwi as well and it seems to get frequent updates now, at least as github releases (play store version is updated less often).
The question is, why I would want to install a nightly just for add-ons?
To my knowledge you f.e. need an add-on to block a specific cookie, because FF Android doesn't have this option...
The question is when/if the product manager at Mozilla will realize the state of the browser at some point :/
I can just say that as far as I am concerned, the only thing that is keeping me with FF Android is the vendor lock-in with FF Sync.
Thats a lot of fragile manual steps, not to mention needing a user account and being dependent on Mozilla infra. Hardly straightforward + not to mention addons on Android Firefox overall still barely working in the new Android version, with no visible progress to fix that.
I loved this idea, but it doesn't seem to work for me. I can browse a long list of extensions at this collection on the web [0], but FF Nightly only shows a small subset of them.
I've gone the opposite direction and installed Firefox Focus.
I found myself accumulating 100s of tabs that I would supposedly get back to, and it was causing anxiety. Firefox focus is ephemeral and your tabs will disappear. It doesn't permanently store cookies. It has a built in ad blocker. It's perfect to keep me "focused" on the task at hand.
I use incognito for most browsing, every so often I lose my tabs. And it is ok. If I care, and remember the site, I'll open it normally and make a bookmark. If not it isn't the end of the world.
I keep about 20 tabs open in normal browsing for easy reference. Incognito for most browsing. And Firefox Focus for even more ephemeral stuff, copied links I don't want to touch my other browsing, and screenshots. It sounds a little crazy to write it out, but it works for me.
Tabs, collections, bookmarks, and top sites UX is really messed up on Firefox Mobile.
There's this home screen that is central in the UX that lists top sites and collections and that is the primary way to open things you frequently access. If you have zero tabs or open firefox mobile, that's the screen you see first.
However, I stopped using collections because they somehow got it in their heads that the user wants to add a specific, cached version in time of a website. So I add HN to a collection and then access it and I get a 3 month old version of HN because that's when I added it. That probably makes as much sense to me as it does to you. You can reload the page as "fix". Collections are not bookmark folders. They are not synced as part of your bookmarks. They are not accessible on desktop. They are mobile only. They are completely useless as far as I'm concerned. If you make the mistake of using them, get used to stale content or obsessively refresh every tab manually right after you open it. Seriously WTF?!
Because they have that broken/half assed collection concept in the UX, bookmarks are not very prominent and accessing them is unnecessarily hard. Bookmarks are actually synced and you can access your desktop bookmarks that way. But you have to dive deep into a menu to access them and adding new bookmarks is basically not supported: you can't "star" them like you would on the desktop version. There is no option to add a bookmark for the website you are looking at that is obvious to me other than actually going to the bookmark manager and creating a bookmark by manually copy/pasting the url from the url bar.
As an alternative you can add websites to "top sites", which are not bookmarks (why?!), which is not part of a collection, and which are also not synced. But at least they show you the current version of a web site. Conceptually it's kind of exactly the same as the bookmark toolbar in the desktop version. If you click a top site, it opens a new tab. Always. This is annoying.
I still use it because I like having a working ad blocker and at least some basic protection against google tracking everything I do. But the UX is not a selling point right now. I've used a lot of browsers and mobile browsers over the years and this is probably the worst one in terms of bookmarks, which is a basic feature that even Mosaic had back in the day.
Simple obvious fix: Deprecate collections and replace them with bookmark folders. Implement starring/bookmarking (how is that not a thing?). Make top sites just another bookmark folder (just like the desktop bookmark toolbar). Make collections sub folders of those. It all syncs. It all works.
That also opens the door to supporting firefox containers, which I love and use all the time on desktop. I'd love to have full access to that on mobile.
> but you have to dive deep into a menu to access them and adding new bookmarks is basically not supported: you can't "star" them like you would on the desktop version.
Are you sure you're on the latest version? I'm on the latest version, and when I press the 3 dots next to the URL bar, I can 'star' it (create a bookmark) from there, bookmarks are shown on the firefox-'homescreen'
About a year ago, I used to use Iceraven but I switched back to FF nightly when support for custom addons list was added back.
Even though I like the project, I consider that it's what FF for Android should have been, I returned to FF because nowadays a browser needs frequent security updates and Iceraven is not staffed to have frequent releases.
It's a shame that this is the case for 99% of alternative browsers and forks. Sometimes I think the only solution would be to embrace something like Gopher, where hostile sites aren't feasible and browsers are free to diversify without constant maintenance.
That's possible. Install Firefox Nightly, create a custom addon collection on the Firefox addon site, add an user agent switcher to the collection, add the collection to Firefox Nightly. You now owe me a parade.
Does "more add-ons" mean it's still a whitelist? I'm trying to find a mobile browser I can use floccus with. So far I've only been able to find Kiwi which is not privacy oriented.
Perhaps offtop, Is there at least 1 browser for Android that supports per-page zoom? Safari does it on iOS with a super simple setting, but the only way to increase font size in ANY of Android browsers is to increase scale in Accessibility which will break some websites with larger fonts. I feel like this is super basic feature that I can't find.
All I want is a browser with text reflow that's as good as Opera's, that's also not Opera. It's apparently a tall order and not many people ask for it, I wish I had enough time to do it myself or to make it part of my job but alas. Opera it is for the foreseeable future.
Do the new configuration options allow accessing the list of trusted CAs? Or if doubting the CA trust decisions from our Mozilla overlords is considered too much blasphemy, can we at least see details of the certificate for the current site?
Containers in Iceraven, somebody got them working? How can I open a new container tab? I cannot figure out on how to use them on this mobile browser. Maybe this extension + a mobile Firefox is not compatible to each other.
To use a stable version of Firefox with about:config and more than the ten addons that Mozilla have supported in the last two years.
I'm not sure if this is the fork you want, but to get some of the features that Firefox used to have for years you can't use the normal stable build anymore.
It mentions that it is an alpha version - that's why the long list of caveat. And as Firefox becomes a spyware / adware, forks like these are welcome news.
One thing that is still missing from Iceraven, Mull, etc. is the ability to sideload add-ons that are not published on addons.mozilla.org. Currently, anyone who wants to use a private Firefox add-on that is not suitable to be published on AMO must install v68 of Firefox or v68 of a fork like Fennec F-Droid.
Edit: In one of the Iceraven issues on GitHub (https://github.com/fork-maintainers/iceraven-browser/issues/...), someone recommended a Firefox for Android fork called SmartCookieWeb-Preview for sideloading .xpi add-on files into Firefox from arbitrary URLs: https://github.com/CookieJarApps/SmartCookieWeb-Preview/. The preview app is not available on F-Droid yet, but I'm going to try it out.
Edit 2: It worked in SmartCookieWeb-Preview. I had to go into about:config and set "xpinstall.signatures.required" to "false" before sideloading the add-on in the settings (Advanced settings > Sideload XPI). I hope this app makes it into F-Droid soon.