Hello. I am a Firefox user, and everyone I know tells me that using Firefox on Android is not secure. What are they basing this claim on? I have tried using Chrome, but I always go back to Firefox because it is the only open-source browser that allows me to pin favourites to the home page and because the display of websites adapts very well to the chosen size. Which FOSS browser derived from Chromium allows you to choose your favourite websites on the home page?
Content Isolation
Firefox lacks support for a fork server that can deduplicate memory when using different sandboxing mechanisms, not controlled by firefox.
On Android, the Zygote is the process spawning subprocesses, and it is used for app sandboxing and browser sandboxing. It deals with deduplicating memory so apps can share the same resources even though they are isolated.
On Linux with Flatpak you have a similar scenario, while the Flatpak sandbox is way less low level compared to the Android sandbox (Android uses SELinux and unix users, Flatpak uses user namespaces).
Firefox now started to work on it. If you use Ironfox, there is a setting where you can enable content isolation and zygote usage, and so far it “just works” for me! So it seems they are working on a fork server.
There was an announcement, and there are bugzilla issues on this matter.
So yes, currently on Android a Chromium based Browser (that actually uses the whole capabilities of Chromium on Android, which some browsers that just use the Webview may not) is still more secure, as it neatly integrates with the zygote and UUID sandbox native to Android.
But Firefox is closing in. I daily drive Ironfox and recommend donating to the project.
Content Filtering
Keep in mind that Firefox has UBlock Origin and thus access to very powerful content filtering.
While blocklist-based filtering is natively integrated in Brave, Cromite and Vanadium too, this is generally a bad approach as it follows “badness enumeration”. It lists all the bad things and the moment a new thing appears, you are 🦆ed.
But it does not require any user tweaking and can thus be implemented easily without the need to actually offer user control (apart from an on/off switch maybe).
UBlockOrigin allows to use the “expert mode” where you can disable everything by default. Then you allow content per domain, for this site only or globally. It lacks the “content type header” filtering of NoScript (like Images, CSS, Javascript), but both together are very slow, and uMatrix (which combined them) is dead with no actively maintained forks (sadly).
It looks like this:
This allows to easily prevent malicious code from running at all. If you dont make mistakes, this could eliminate the need for any sandbox (but as you have to allow all sorts of shit or the horrendous modern web doesnt work, you need one anyways).
Thank you for such a detailed reply. Is Ironfox similar to Fennec in terms of security and privacy?
Fennec is slightly behind Firefox versions, Ironfox is also downstream so a bit behind but not as much.
Ironfox has a ton of security and privacy hardening, as well as interface changes so users can do a lot of things themselves. Fennec just has a few incomplete telemitry changes.
I do not recommend Fennec at all, unless people are too “technologically challenged” to tweak a few things, as some hardening like blocking JIT breaks a few websites
Chromium based browsers are more secure. Here is a detailed breakdown https://madaidans-insecurities.github.io/firefox-chromium.html#sandboxing
The article lists “less granular process model, weaker sandboxing and lack of modern exploit mitigations” as the security drawbacks of firefox
They used to not have sandboxing for each tab. The app was sandboxed but all tabs had access to one another but that was fixed few years ago. Not sure about others
“Everyone I know tells me” - based on what? Did they show you anything to prove it? What is “Secure” to them? If you mean sharing your data, it’s better than Chrome. If you mean that the HTTPS encryption is weaker or that it might explode in your pocket and you’re in danger, then they’re wrong.
Chrome collects your data. It gives it back to Google. Your data is not secure with Chrome.
If you insist on a Chrome based Android browser, “Vanadium” is your only real choice. However, Firefox and more importantly, Firefox forks like Fennec or IronFox are far more secure and private.
I agree with what you’ve written, which is why I was wondering why people around me tell me that Firefox isn’t a secure browser for Android when I mention that I use it. It’s the only FOSS browser that allows me to pin my favourite websites to the home screen, and it’s the only browser that allows me to install extensions… I’m going to try Fennec to see how it works on Android. Thank you very much.
deleted by creator
This is a whole lotta points, none of them are very important in this scenario
