[tbb-bugs] #26528 [Applications/Tor Browser]: App stores should not be allowed to use UpdateService

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 27 17:50:40 UTC 2018

#26528: App stores should not be allowed to use UpdateService
 Reporter:  igt0                      |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:  #26242                    |         Points:
 Reviewer:                            |        Sponsor:

Comment (by igt0):

 Replying to [comment:2 sysrqb]:
 > Nice. We'll want a different name than `INSTALLER_ORFOX`, and I think
 we'll need our own f-droid repository, too. The Guardian Project run their
 own repo, but I don't remember the specific reasons why the main f-droid
 repo won't accept their apps.


 > I thought about disabling using a different method by excluding the
 updater at compile-time. Unfortunately, this results in different APKs
 [0]. It's conditionally included using an environment variable.
 > {{{
 > if [ -z "${TB_BUILD_WITH_UPDATER}" ]; then
 > # Because Google Play will likely be the primary distribution medium,
 > # we disable updating and rely on Google Play by default. The
 > # Developer Policy explicitly prohibits in-app updating:
 > #    An app distributed via Google Play may not modify, replace, or
 > #    update itself using any method other than Google Plays update
 > #    mechanism.
 > # https://play.google.com/about/privacy-security-deception/malicious-
 >     ac_add_options --disable-tor-browser-update
 >     ac_add_options --disable-signmar
 >     ac_add_options --disable-verify-mar
 > fi
 > }}}
 > [0] https://gitweb.torproject.org/user/sysrqb/tor-browser.git/tree

 Yeah, Mozilla has the same challenge[0].

 [0] https://bugzilla.mozilla.org/show_bug.cgi?id=690820

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26528#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list