Privacy Browser

https://www.stoutner.com/privacy-browser/core-privacy-principles/

Haven’t personally used this, it’s come up a few times though

From the website:

Because Privacy Browser is currently based on Android’s WebView, there is a limit to how much information I can choose not to send to the internet. But in the 4.x series I am going to create a rolling fork of WebView called Privacy WebView, and that is when it is going to get serious.

I don’t think WebView-based browsers are very secure. From the GrapheneOS docs:

WebView-based browsers use the hardened Vanadium rendering engine, but they can’t offer as much privacy and control due to being limited to the capabilities supported by the WebView widget. For example, they can’t provide a setting for toggling sensors access because the feature is fairly new and the WebView WebSettings API doesn’t yet include support for it as it does for JavaScript, location, cookies, DOM storage and other older features. For sensors, the Sensors app permission added by GrapheneOS can be toggled off for the browser app as a whole instead. The WebView sandbox also currently runs every instance within the same sandbox and doesn’t support site isolation.

And it’ll probably be even less secure on other versions of Android where the WebView isn’t as hardened as on GrapheneOS.

As for their 4.x roadmap, I’m not fully convinced they’re gonna be able to make something more secure than what Google has done, even if it may be more private. I also don’t think the WebView of the device can be easily changed, which would mean this would suffer from the same security issue as Firefox on Android, of unnecessarily increasing attack surface.

4 Likes

That’s a fair point, and I do use Vanadium, even from a harm reduction point of view it might actually do more harm than something like Brave.

Might ad this was pretty much the reasoning for not mentioning DDG Browser Consider including/mentioning DuckDuckGo's mobile and desktop browsers · privacyguides · Discussion #414 · GitHub

1 Like

I am the developer of Privacy Browser. There is definitely value in discussing the relative merits of Android’s System WebView, but it is also important to have accurate information about the subject, which I find is sometimes lacking in the discussions.

For example:

Privacy Browser’s solution is to completely disable access to all the sensors that require an Android permission. So, there is no way that Privacy Browser can access the microphone, or the camera, or GPS, or NFC, because Privacy Browser intentionally does not include the OS permissions that would make it necessary.

See WebView – Stoutner for instructions for how to easily change the OS WebView provider. Also note that with Privacy WebView that will be released in the 4.x series, Privacy Browser will use Privacy WebView without the need for the user to do anything besides install both APKs, but they may follow the instructions at the above link if they also want other apps on their device to use Privacy WebView.

5 Likes

Maybe I’m missing something but I didn’t see instructions for how to change the WebView in that link, unless you’re referring to the video that shows where the setting is. Also, I’m not sure it should be suggested to change settings in developer options unless absolutely necessary, since many of those options are meant for developers and not average users (hence the name), and may be unstable.

This would then likely fall under the same reason as Firefox on Android, seeing as they also use their own GeckoView.

This is just how Android works AFAIK.

1 Like

That is correct. The video shows how to change the OS WebView implementation. Because changing the WebView used by all apps on a device is something that you should only do if you understand the consequences, it is appropriate that it be under Developer Options. However, the point is that it is very easy to change, which was the answer to the original statement: “I also don’t think the WebView of the device can be easily changed”.

Along these lines, you might be interested in checking out WebView DevTools – Stoutner.

That is correct. In the 3.x series, Privacy Browser will implement all the privacy and security features possible using Androids System WebView. After that, in the 4.x series, I will fork Android System WebView to create Privacy WebView, which will include the implementations of further privacy and security options. Along these lines, you might be interested in GeckoView – Stoutner.

The video never actually showed anything changing, though. All you’ve showed is accessing the setting, in which it doesn’t look like you even can change anything since the Chrome WebView is selected by default, and the Android WebView is disabled.

You also mentioned Bromite and their SystemWebView implementation. Bromite themselves have documented how to install their WebView, and it’s not nearly as simple as installing an APK and switching around settings in developer options.

The WebView is something that’s integrated into the system and not meant to be changeable by the user, which is probably why it’s in developer options in the first place. The only ways to install a new WebView is either via rooting the device, or installing a custom ROM that uses it. All of this has been well-documented by the Bromite team.

Privacy Browser would then likely be rejected for the same reason as Firefox for Android was.

1 Like

Brave wouldn’t benefit much from the hardening done to Vanadium, but they do add their own patches I believe. Also unless Brave supplies their own WebView (which I don’t think they do), they would benefit from some of the hardening done to the Vanadium WebView. This is why Chromium-based browsers are recommended, because they can benefit from the hardening done to the WebView, while also adding more advanced security features.

Android System WebView is build from the Chromium code base. Basically, it is Chromium’s rendering engine without the GUI.

I think that will change in Privacy WebView. In building Privacy Browser PC, which is based on Qt WebEngine, which is also built from Chromium’s source code and is basically a Linux/Window/Mac version of WebView, I am able to create each tab as a separate profile. This means that they are completely distinct. So much so that if you are logged in to a website on one tab and open it in another tab you are not logged in there.

It takes a bit of getting used to browsing the web that way, but the privacy and security advantages are wonderful.

I concede the point. It is easy to change the Android System WebView, but only between those that are authorized by the OS. Adding a new WebView to the authorized list is a more complicated process unless you are into custom ROMs and rooted devices.

However, as pointed out earlier, this will not be necessary for the average end-user of Privacy Browser, which will be able to take advantage of Privacy WebView even if it is not the OS default.

See above point about being rejected from Privacy Guides.

The current version of Qt WebEngine is based on Chromium 87, according to their own documentation. This means they’re likely missing out on quite a few security patches and privacy features that were added later on, considering the latest version of Chromium at the time of writing is 110.

This means that not only have you based your new WebView on something that’s out of date with upstream, you’ve also taken it upon yourself to maintain it, for multiple platforms and architectures, while also maintaining a browser on top of it. If you’re able to do all that, then I have tremendous respect for you, but I do hope you understand my caution, especially considering Bromite was removed from the website for the reason that it lagged just a few versions behind the latest Chromium release.

Until Privacy Browser 4.x is released, and has been tested and proven to provide a substantial privacy and security benefit over the current recommendations, I don’t think it should be considered just yet.

I saw you say that, but I am unaware of why. However, I should note that I am focused simply on what is best for the users of Privacy Browser. If someone can make a reasoned argument of something that I should do that will increase privacy and security then I will be happy to adopt it. Otherwise, I will just consider to focus on what is best for the project and not worry too much if any particular organization rejects Privacy Browser.

2 Likes

Is Privacy WebView based on AOSP WebView (Blink) or Mozilla GeckoView?

The current version of the Qt 5 version of Qt WebEngine is based on Chromium 87 from a feature perspective, but because it is a LTS release security updates are backported to it. Version 5.15.12 contains upstream Chromium fixes from December 2022 and version 5.15.13 is planned to be released this month.

Qt 6 is based on newer version of Chormium, with security patches backported with each dot release.

https://wiki.qt.io/QtWebEngine/ChromiumVersions

Qt 6 is based on Chromium 98. That’s better than 87 but by no means up to date.

It will be based on AOSP WebView. See the previous link to my website discussion GeckoView.

1 Like

Thanks, I just read that, I misunderstood some of the conversation earlier. Reviewing everything now.

Did you miss the part where security fixes are back ported from current Chromium and it is only on Chormium 98 from a feature perspective?