Hacker News new | comments | show | ask | jobs | submit login
Onion Browser (iOS Tor web browser, open source) now available in the App Store (tig.as)
123 points by mtigas 1886 days ago | hide | past | web | 49 comments | favorite

Very cool - just bought.

One confusing thing I found is that, when I typed in "onion browser" into my iPhone's App Store Search field, three results came back. I found myself not really know which one was truly yours (yours was actually #2 search result). It would have been helpful if, in the screenshots on this page, you showed the logo. The logo is shown in the App Store so that would've made it a slam dunk, easy decision.

Thanks for the heads up — deploying a new version of the product page that has a version of the icon in the header.

Just a heads up: Tormail.net (in the last screenshot) is now Tormail.org. Whoever runs the service was apparently foolish enough to transfer their non-Tor domain to a Russian registrar. It's disappointing that someone who claims to care about privacy doesn't check RSF's press freedom index before choosing a country to register their domain in.


Just bought it and it works very well. And it's open source, which is refreshing for an app store app.

It would be sweet for trusted computing if developers were able to submit source directly to an app store for the app store to compile, sign, and make available along with the binaries.

Call it Git-y-app.

bought it right away as well. confirm it doesn't work. just moved to ir couple of days ago and internet's been a nightmare!

I bought it right away (I could've built it myself, but didn't feel like opening Xcode). It doesn't work unfortunately (I'm in Iran).

I’ll make it a priority to allow using bridges. Unfortunately, since Iran is known to block pretty much all Tor access (even regular, unlisted bridges), it may still not work.

Getting around this entirely would require obfsproxy[1] which wouldn’t work on iOS the way I have it set up due to the inability to spawn sub processes. (Tor client, when configured to use obfsproxy bridges, has to spawn an obfsproxy process to handle the obfusctaed traffic.)

[1]: https://www.torproject.org/projects/obfsproxy.html.en

For people trying to build, just a few things to know:

I had to install ccache before libssl would compile. Make sure you build libssl before libevent. In the icons folder is a install script to download the icons.

Otherwise compiles well. The anonymity of the .onion sites scares me. I have a very strong suspicion that one day SSL (i.e. symmetric encryption with no backdoor) will be illegal in many countries.

Hm, tried to fix the ccache requirement[1][2], but might have botched it. Was using ccache while I was originally developing to speed up the dependency compilation but didn’t intend for it to be a requirement, just an optional speed-up. Will take a look.

[1]: https://github.com/mtigas/iOS-OnionBrowser/blob/master/build... [2]: https://github.com/mtigas/iOS-OnionBrowser/commit/68a92f488b...

The anonymity of the .onion sites scares me.

The content of a lot of .onion sites scares me. Definitely a higher concentration of crazy than I'm used to on the internet.

This is one of the big problems that most people have with anonymity, but I believe that the freedom of speech is important. If the government has the capability to shut down the scary stuff like child porn, it also has the ability to shut down important stuff like criticism.

These corners of the internet aren't pretty but they play an important role within our society.

I might have read your comment wrong but are you

a) comparing child pornography to political criticism

b) saying that it "play[s] an important role within our society".

Can you elaborate?

Sorry that's not how I meant to state it.

It's not the child pornography that is important to society. It's the freedom of speech, and the security that speech has against regulation from the government. Tor is a place where a person can securely make any sort of criticism that they want, and that security is important.

An unfortunate (but unavoidable) side effect of that security is that child pornographers also receive the same security.

Not very sure if this is by design/expected, but capturing packets from a freshly booted iPad seems to indicate that the browser leaks DNS queries and HTTP GET requests when visiting YouTube through this browser. I am transmitting outside the tunnel

1) DNS query to YouTube cache server 2) GET request to Google's servers for /videoplayback

This seems isolated to the QuickTime player only. No other DNS queries or traffic appears to be visible. I suggest you warn users that video playback does not go through the tunnel.

Ah crap, hadn’t tested video player too. Will note that, thanks.

Wow I'm a little surprised Apple let this one through! Looks neat!

There’s another one (Covert Browser) that’s been in the store since November that’s got a few issues (lack of cookie support, lack of POST support) that render a lot of websites useless.

Generally I don’t think this is (on the face) any worse than a regular third-party browser app: Other apps (games are a great example) are free to implement custom communication protocols and there are plenty of unsavory / underground / illicit websites on the regular internet. Tor has a lot of legitimate and illegitimate uses, but that can pretty much be said of web-based communication in general.

Just chiming in to say nice work Mike, and that it's nice to see another former Plus-One'r around these parts =)

Anyone else trying to build it? Getting an error from the build-libssh.sh after openssl-1.0.1.tar.gz is downloaded:

tar: Code/iOS-OnionBrowser/build/src: Not found in archive

What OS X and iOS SDK are you running with? You mind filing a bug if you have a GitHub account? https://github.com/mtigas/iOS-OnionBrowser/issues

I might have some dependencies that I’ve neglected to mention (since I use homebrew a ton) and I’m trying to nail down the build scripts to be a bit more portable.

It was spaces in the path to where I was trying to build from. Breaking scripts for decades. It's building now.

Is it compatible with Apple's policies? I thought they don't allow open source apps in the appstore. Or is that only for the GPL license?

It depends who puts it in the store. The author still has all the rights to the software no matter if he puts it under GPL, but puttng it under GPL doesn't give anyone else the right to sell it in the app store.

Edit: Also, the app in question is under MIT and the used libraries under various permissive licences (https://github.com/mtigas/iOS-OnionBrowser/blob/master/LICEN...).

From what I understand, it’s only GPL that doesn’t work since GPL has some hefty restrictions on even binary redistribution (basically you have to open source ALL of the related bits, not just yours — which you can’t do since every iOS app Apple-provided pieces that aren’t available in source).

We submitted the OpenPhoto app which is open sourced on Github under the Apache 2 license. Didn't get any questions.

For people with Android phones, check out Orbot - https://guardianproject.info/apps/orbot/ - It's Tor for Android. It's an incredibly well polished app. If you have root, it will let you individually and transparently torify any app. If you don't have root, individual app will need to support socks proxies in order to go through Tor.

It supports bridges, and it will even let you run a relay and/or hidden service directly from your phone.

I've had this idea for a while now of building an SMS-like app that runs entirely over hidden services for users with Orbot installed. If I send you a message this way, nobody knows that you received one, that I sent one, or what the message contained, and it wouldn't require me to set up any server infrastructure as it would be entirely peer to peer over Tor.

What's the speed like? Tor on my laptop ranges from slow to unusable; I assume the same is true of the iOS app?

What exactly do you consider slow? Most recently I was getting a consistent 500kB/s downstream on my laptop [edit: while grabbing some rather large PDFs, so continuous downloading]. I've yet to give it a go on iOS.

Perhaps it's gotten better lately, but I found browsing with Tor last time I did it to be painfully slow, with some pages taking forever to load. Didn't run a speedtest, though.

In general, your experience with Tor/Onion routing, will be wholly dependent upon the path setup for your requests. I've been using Tor on and off for years, sometimes experiences are good, sometimes they aren't.

If you are looking for a general approach to obscure your browsing from an employer's network, but don't need the whole feature set of Tor, you are better off setting up a proxy to a remote machine. If you truly need the greater anonymizing of Tor and are willing to take possible latency / speed impacts, do so. Just don't expect it to be optimal for the first case when doing general browsing.

It is great to see the Onion Browser available so readily/easily.

The latency can be significant for TOR, as your connection is bounced through various hosts all over the world. This prevents a single country from putting all the pieces together. This is what you notice while browsing.

The raw bandwidth on the other hand is usually pretty good (not great, but it's not intended for large downloads anyway as they tax the network...).

TOR is meant for the cases when anonymity trumps convenience.

Exactly. Having a website load slowly is nothing compared to the insides of an Iranian torture cell. For more and more people, this is not a false dichotomy. Tor's speed is not the result of poor engineering; instead it follows from the properties a high-anonymity, low-latency network necessarily has. As users, before we complain about speed, we need to keep this in mind and consider whether we require such protection.

And I have absolutely no problem with that. I'm worried more about usability than convenience. My 3gs takes 6-7 seconds to load HN on 3g; how long would it take using the Tor browser? For someone on a GSM network? If I'm looking to coordinate protests in some oppressive sandy country, is it going to take me 90 seconds to open Twitter, write a tweet, and post it?

Again, I recognize that this is a fundamental consequence of onion routing and Tor is not intended to be used for everyday browsing. I simply wonder how it will handle a low-bandwidth, high-latency network.

Also, as a minor aside, are the mobile handsets themselves used as routing nodes? If not, what would be the consequence of adding a bunch of users to the system who don't participate in routing?

Somewhat slow here in Aus using Telstra 3G, 45 seconds to connect to TOR network and about 7-12 seconds to return search results form DDG. Good app though and am looking forward to browsing in privacy, thanks.

After having the app in the background for a few hours, I tried to use it to browse again but nothing happening. I had to force close the app and restart it to be able to use it. Is this normal and, if not, is this a known issue that is going to be corrected? Edit: in fact, it seems to do this as soon as my phone times out into auto-sleep :/

This is the biggest glaring bug on the app right now.[1] Doesn’t seem to always affect the app (~30% of the time) when backgrounding to another app or if the phone is manually locked, but more regularly (>75%) happens when the phone idle sleeps.

I’m trying to nail this down, but it’ll likely take me some time to find a real fix.

[1]: https://github.com/mtigas/iOS-OnionBrowser/issues/2

Hey, thanks! I like having this on an "appliance-like" device like the iPad because the app is necessarily self-contained and I don't have to worry about it making system-level changes or unwanted interactions with other software.

Only available in the US, too bad.

Actually: should be available everywhere except France right now. (Selling encryption apps to France apparently requires an "export compliance approval" from the French government, and I haven’t gone through that process yet — primarily because I don't speak French.)

Let me know if that's not the case and I’ll double-check my settings in iTunes Connect.

Well, it seems I should have said "not available in France", sorry for the mix up, I only checked French and US stores.

No need to be sorry — a good reminder that I should mention that somewhere since it’s a strange quirk of legality that affects literally one App Store country. Thanks!

> Selling encryption apps to France apparently requires an "export compliance approval" from the French government

they require a backdoor?

The gist of the law ([0]) is that, unless you only use crypto techniques for authentication and checksumming, you have to document the process and provide the source code to be able to import it.

That's... interesting. I'm French and I had never really heard of that law applied.

[0] http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITE... (in French, obviously)

interesting. so, they basically require it to be open-(to them)-source?

They require the source code to be given to the government, yes, among other things. @mtigas @wilya the process (and forms) is detailed there: http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/con... (in French, obviously) Happy to give a hand if needed.

I think so. I am neither a lawyer nor a cryptographer, though, so I might be missing something.

Check this thread on Apple developer forums, there is a link to translation of French export forms: https://devforums.apple.com/thread/109830

According to the FAQ on iTunes Connect you need French export forms only if the app contains:

  - any encryption algorithm that is yet to be standardized by
  international standard bodies such as IEEE, IETF, ISO, ITU,
  ETSI, 3GPP, TIA, etc. or not otherwise published; or 

  - standard (e.g., AES, DES, 3DES, RSA) encryption algorithm(s)
  instead of or in addition to accessing or using the encryption
  in Apple OS

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact