Clarification about TOR on mobile


I often see hints at the fact that while it can help “in a pinch”, leveraging TOR on a mobile platform breaks the fingerprinting protection that is present on the desktop version.

But I have only ever heard that argument with respect to the Onion Browser on iOS; am I correct in thinking this also applies to the official Android client? That is what I would assume!

The reason is because every Android device is different in terms of screen size, resolution, devicePixelRatio and other properties which cannot be spoofed or kept secret.

The second reason is Firefox on Android doesn’t use the same renderer, Gecko (it uses GeckoView), which I don’t believe supports all of the TorUplift patches.


Can you tell me why?

It’s because every device has physically different characteristics. Screen sizes vary, for example, depending on the phone, and browsers are fullscreen on those devices.

It’s not just the screen; the size of the bottom bar for going back/home/menu is also another bit of information that may be unique to you.


Ah thanks! I didn’t consider your latter comment as another reason for why TOR on either mobile platform is less effective; so the Android client has to follow the ESR of Firefox that uses GeckoView?

I perceive it as kind of bad news — weaker security and privacy — doesn’t that really limit using TOR on mobile clients?

I have a low threat model and don’t even use TOR; it doesn’t affect me, but I find this information to be in conflict with the (seemingly) current consensus that moving towards mobile systems is beneficial from a privacy and security standpoint.

Maybe it is just a nuanced issue!

That generally relates to OS security and sandboxing; this relates directly to the browser, so yes, nuance. It’s unlikely to make too much of a difference though, other than the website you’re visiting might very well know you’re not a Tor Browser Desktop user but rather a mobile phone with certain properties.

They backport security fixes just the same as they do for regular Tor Browser.
So it is ESR + extra bonus security patches from latest branch that they track.

Tor Browser desktop is true ESR, Tor Browser for Android however is an amalgamation of ESR Gecko (engine) + slightly newer Fenix (UI).

Just because there are fewer anti-fingerprinting benefits on Android, doesn’t negate all the other benefits of Tor.


Ah, that makes things clear! @dngray @SkewedZeppelin. It makes me think that there could be a delineation of which to use depending on the threat model?

The natural questions I have are:

  • If you are a journalist with a high threat model, should you perhaps prioritize the benefits of the robust fingerprinting on desktop Tor?

  • If you just browse onion sites casually, maybe it’s more important to you that you use a system with stronger sandboxing?

I read through the Tor page and still had these questions on my mind. Regardless I am satisfied!

Possibly, and there also might be a very likely possibility you’ll be an active target because you have something someone with resources might want, e.g. sources or contacts.

Keep in mind Firefox on Android doesn’t yet benefit from Fission, more details:

It is not as secure as a desktop browser.

The sandboxing that was being spoken about in the above post relates to Android applications being sandboxed from each other, and use of SELinux to do that.

Also if I remember correctly it doesn’t support isolatedProcess either.