[tbb-dev] So, about the Linux sandbox in the long term?

Yawning Angel yawning at schwanenlied.me
Wed May 31 13:44:13 UTC 2017

On Tue, 30 May 2017 20:22:09 +0200
Hans-Christoph Steiner <hans at guardianproject.info> wrote:
> Android is a very different OS than all the desktops.  GNU/Linux, OSX
> and Windows are much more similar to each other than to Android.
> Android is also the most popular computing platform in the world, so
> its worth investing it.  More users and more page views than Windows.
> Given the desire for stronger sandboxing, it could make sense to keep
> tor in something like Orbot, which is installed separately.  That
> means its isolated from the browser part with all the Android
> tricks.  Things like CopperheadOS make that sandboxing even stronger.
> As for Android apps updating their own code, it is possible, and it is
> occasionally done.  It is considered a bad practice, and Google has
> been gradually locking that down over time.  Android already provides
> a solid install procedure, at best, I think it would be a waste of
> time to build a custom in-app updater to replace that.  For example,
> that will break nice security properties like the code being
> installed read-only even to the app itself.

The general gist I'm getting from this is:

  Continue to treat Android like the red headed stepchild that it is,
  because a tor-launcher deprecation/rewrite doesn't affect the one
  platform that doesn't really even use tor-launcher in the first

  nb: If there is special code required for Fenec to interact with
  Orbot, I don't see why that requires it's own launcher process.

There's also no reason why, "Vidalla++" (or whatever it ends up getting
called, if it happens) can't support Android, however:

 * Downloading/installing/updating the browser - Handled by whatever
   app store people use (and if people are sideloading apks, it's
   handled by the person).

 * Configuring/Launching Tor - Handled by Orbot.

 * Sandboxing - Handled by the OS.  There's probably more that could be
   done here, but I will profess ignorance to how much kernel support
   is available in deployed Android installations for any of the
   mechanisms (And I assume that things like AppArmor that require
   root fall into the realm of "Not useful in a general case").

So I'm not seeing much of a point here.


Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20170531/9a6065db/attachment.sig>

More information about the tbb-dev mailing list