[tbb-bugs] #26613 [Applications/Tor Browser]: audit or disable Apple HLS implementation on Android

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 5 12:30:49 UTC 2018


#26613: audit or disable Apple HLS implementation on Android
-------------------------------------------------+-------------------------
 Reporter:  mcs                                  |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, ff60-esr,                |  Actual Points:
  TorBrowserTeam201807                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by igt0):

 When looking the code I looked for:

 * proxy bypasses: the browser implementation uses just the http
 implementation and it has a proxy bypass, this one is fixed, we just need
 to backport to FF60.

 * disk avoidance: I wanted to make sure if the player stores any data in
 the disk and it does, however, it stores the data in the app internal
 cache using the android context.getCacheDir method. The internal cache can
 not be accessed by other apps and it has a short life span.

 * fingerprinting: I looked for locale and screen size leaks, and the HLS
 implementation doesn't leak them. All the text and video selections happen
 in the app side. The browser doesn't send any data to the server.

 So I would say **yes** we can enable it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26613#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list