Elouworld

A perfect web browser for Android

Today, on smartphones, the principal usage is browsing the web, mostly on social networks, and messaging via SMS is becoming an archaic way to communicate. At the same time we observe new ways to track people that leads to privacy concerns.

On Android, there is almost only one web browser used: Google Chrome, installed by default on all sold phones. Some try to use Mozilla Firefox, thinking it’s libre, but it’s not completely. Chrome, or its libre (almost libre?) alternative version Chromium, is easy to use, is really focused on smartphone usage. I have two examples of feature that are nice: when you try to click on a particular link surrounded by others, it zooms in to let you choose the right one; also, if a website expects the user to hover a link, it can let you hover it instead of click, unlike Mozilla Firefox and its forks. Yes, some websites aren’t built to be visited on smartphone.

But there is a major drawback, also found on webviews used by other apps: the User-Agent HTTP header leaks the Android version installed, the phone model used and the build number. The privacy focused browsers Brave and Firefox Focus/Klar are also concerned by this. It’s really annoying for me that uses a self built rom of LineageOS: it makes me have a unique fingerprint when I use one of these browsers. Also, it’s not possible to install add-ons although some of these have built-in support for ad blocking and other privacy features.

Mozilla Firefox and two other browsers based on it, built without its non-free components, that you can find on F-Droid: Fennec F-Droid and IceCatMobile (this one seems to be based on ESR but there is no ESR release for Android…) leak only the Android version, which is much less annoying. I don’t understand what’s the point of telling websites what Android version is installed, but let’s continue. Orfox, also based on Mozilla Firefox, used to browse via Tor, does not leak the Android version, but actually isn’t updated with newer Firefox releases, and is unique to do so, meaning that a website can directly know you’re coming from Tor without even knowing about exit nodes, by looking at the browser version as sent in the User-Agent.

And if you build these applications yourself, you’ll end up having a unique navigator.buildID variable available via JavaScript (undefined on Chromium based browsers), even when using private browsing. The same problem exists on computer.

Privacy is far from being the first concern of web browser developers, and it’s a problem.

Appendix:

Latest edition: