How does Tor Android hide screen size?

I tried it and it did get kind of close like you mentioned, wouldn’t an attacker or agency need exact details to be certain though?

@nickm @HackerNCoder
It would be useful if a way of blocking/spoofing this CSS based fingerprinting was available.

Does the same vulnerability exist within the desktop versions?

I think it is possible to get this technique to be more accurate by creating more of those CSS elements with smaller ranges, but I am not entirely sure on that.

CSS directly controls the layout of the page. It is not possible to spoof the screen size without having the page adjust to that spoofed screen size.

The way Tor Browser for desktop handles this is that it makes everyone have the same screen size. If users decide to adjust the window size, it will place bars of empty space on the bottom and sides to make sure your window height and width as seen by websites is always a multiple of a certain value, reducing the amount of possible variations. This is called letterboxing. This would be possible on mobile, but I think it wouldn’t leave much space left on the already small display.

Perhaps forcing websites to render in desktop mode, which is already an option, will always spoof the height and width to the same desktop-like values regardless of your mobile device’s screen size. I fear that this will make a lot of websites incredibly difficult or tedious to use though.

1 Like
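
The letterboxing described in the post above, as an added example that is not part of the original thread and is not Tor Browser's own code: it rounds window sizes down to a multiple of a step and counts how many distinct sizes a page could observe. The 100 px step and the six sample windows are assumptions constructed for illustration.

```javascript
// Added illustration. STEP and SAMPLE are assumptions, not Tor Browser's real values.
const STEP = 100; // assumed rounding step, in CSS pixels

// Round a window's inner size down to a multiple of `step`. The remainder is
// the empty margin (the "letterbox") that page content cannot measure.
// Sizes smaller than one step cannot be rounded and are reported unchanged.
function letterbox(width, height, step = STEP) {
  const round = (v) => (v < step ? v : Math.floor(v / step) * step);
  const w = round(width);
  const h = round(height);
  return { width: w, height: h, marginX: width - w, marginY: height - h };
}

// Group users by the size a page would observe. CSS media queries and script
// see the same layout size, so the grouping is the same for both.
// Each group is an anonymity set; a group of one is a uniquely identified user.
function anonymitySets(viewports, observe) {
  const sets = new Map();
  for (const v of viewports) {
    const seen = observe(v);
    const key = `${seen.width}x${seen.height}`;
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Constructed sample: six users who resized their desktop windows.
const SAMPLE = [
  { width: 1366, height: 657 }, { width: 1340, height: 690 },
  { width: 1301, height: 612 }, { width: 1399, height: 699 },
  { width: 1280, height: 720 }, { width: 1203, height: 788 },
];

// Compare what a page learns with and without letterboxing.
function summarize(viewports, step = STEP) {
  const raw = anonymitySets(viewports, (v) => v);
  const boxed = anonymitySets(viewports, (v) => letterbox(v.width, v.height, step));
  const singles = (sets) => [...sets.values()].filter((n) => n === 1).length;
  return {
    distinctRaw: raw.size, uniqueUsersRaw: singles(raw),
    distinctBoxed: boxed.size, uniqueUsersBoxed: singles(boxed),
  };
}

console.log(summarize(SAMPLE));
console.log(letterbox(360, 740)); // a phone-sized viewport loses 60 of 360 px in width
```

With the same step, a phone-sized viewport gives up a much larger share of its width than a desktop window does, which is the trade-off the post raises for mobile.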

Thank you for your informative response.

I personally always use the app in desktop mode because things look better (in my opinion) and you get a user agent which is not specific to any platform or OS as far as I know but in regular mobile version it marks you as being on Android, and specifically Android 10 for some reason. That’s good as it doesn’t leak the real OS version but it does single you out as being on an Android device.

Do you happen to know if this fingerprinting method and its fine-tuning is still usable when viewing pages in desktop view mode?

Pages always automatically load for desktop size and I have to do the dragging expand thing (hope my tech jargon doesn’t baffle anyone :sweat_smile: ) to read things but I see it as a minor inconvenience which I’m happy to put up with for the OS version obscurification it provides. I always disable automatic font sizing too so they can’t measure how much screen is filled by letters.

If adding letterboxing would provide better security and only require a second of adjustment to fit then personally I think it would be a smart move, although I’m happy to be told I’m wrong and why.

Thanks again!

No problem!

I am trying some sites in desktop mode, some of which presumably use JavaScript and the one that uses CSS, and I am getting different results for what they think my screen dimensions are, so I honestly have no clue. Let’s say that the screen width is successfully spoofed by this technique though. In that case I wonder what happens to the screen height, since even in desktop mode you still have a varying height, depending on the physical height of your device’s display, I just realized.

It does seem to give confusing results. I’ve had a few more tries with it and noticed that the fingerprint ID stays exactly the same even after restarting Tor several times. Does that mean it’s impossible to change the fingerprint ID? I was under the assumption that it would give a different ID for each use. It seems like you can hide yourself but not the device, surely meaning that agencies can just follow your unique ID throughout the entire network regardless of hops?

Sometimes I find out things about Tor which make me feel confident in its protection and abilities, and other times I read things that make me concerned. Similar to when it was found that hidden services could see what apps you had installed for ages.

Hopefully one day Tor Android will be an exact match to desktop for features and protection.

Where it gets extra extra confusing is when you scroll to the bottom of noscriptfingerprint.com and click on Read an article which gives you detailed information about how the attack is done. It doesn’t go much into how to avoid these fingerprinting methods until you reach the very bottom where it states Conclusion. The writer’s conclusion is that turning off JavaScript alone isn’t enough and if you want to ‘guarantee anonymity’ then you should use Tor browser as apparently every user has the EXACT same fingerprint? I know that definitely isn’t true, the ID signature it gave me on my phone would not be the same ID signature I would get from something like a laptop running some version of Linux or Windows. He makes it sound like every single device shares 1 unique ID.

Instead of randomizing fingerprints, Tor Browser tries to give everyone the same fingerprint. This way an adversary following a certain fingerprint, as you describe it, would not be following just one user, but instead every Tor Browser user, making it very hard to single out any specific user based on just their fingerprint. Tor Browser for desktop does this well, but Tor Browser for Android is lacking here. That’s why I’ve always recommended people use the desktop version if they want better anonymity. This does not mean that Tor Browser for Android is not an improvement over ordinary mobile browsers.

The writer is not wrong, it is Tor Browser’s idea to make every user look the same, and it is pretty successful, on desktop.

If you want, we can do a little experiment where we use Tor Browser for desktop with the Security Level set to Safer, without changing the window size from its default, and check out what our CSS fingerprint is, and compare. They should be the same. For me the first five characters of the ID are b15ac. Does yours match mine?
If they match, then Tor Browser was successful: an adversary tracking this fingerprint and not using any other methods cannot distinguish between you and me, and likely anyone else also using Tor Browser in this configuration.

It is not possible to make Tor Browser for Android’s fingerprint the same as Tor Browser for desktop. The browsers are very different in for example screen size. And while Tor Browser for Android itself might be able to improve to make it less distinguishable from other Tor Browser for Android clients, it will never be indistinguishable from Tor Browser for desktop.

I think a good thing to remember is that nothing is 100% secure, and no software is perfect. Security is often about whether something is good enough. If you feel like Tor Browser for Android is not good enough for your use case, then you could consider the desktop version. If you think the desktop version also does not provide enough anonymity, well, you might have to take some extra steps to be even more anonymous.

4 Likes

I will give this a try shortly and let you know the results.

Do all Android Tor users share the same ID in that case? If so it would be good but if not then every user has a unique code which can’t be changed or hidden.

I guess that code alone wouldn’t be enough to find someone but it would be a way of tracking them and if a real IP leak happens they could then associate them with activity.

Is there any way to tell if sites are using these CSS by checking the page source?

To my knowledge, Tor Browser for Android makes no attempt to hide the screen resolution, so users with different phone models would probably have a different fingerprint.

Yes, you could find out which CSS rules are being used, even web extensions could do that, but you would have no way of knowing what they are used for. This isn’t a problem on Tor Browser for desktop of course, because of the default window size and letterboxing. So even if some CSS is used maliciously, it doesn’t matter since everyone looks the same. On Android this is a different story. I’m not a developer at the Tor Project (unfortunately) but I’m just not sure what the best way of improvement for Tor Browser for Android would be. Restricting screen size is a lot more convenient on desktop, where you have a lot more space to work with, whereas mobile apps have the model that one app fills the entire display. Maybe we just have to accept that Tor Browser for Android can never be as good as Tor Browser for desktop in terms of fingerprinting resistance because of these restrictions.

1 Like

That is a big shame.

Personally I think Tor should make mobile users aware that the app doesn’t offer the same level of protection, it’s not something I knew before starting this thread. The Tor Android page gives off the impression that Tor has now reached Android in its full form, there is no mention of differing abilities and certainly no mention of CSS based weaknesses. Some visual things are different like the ability to see the connection path but obviously that wouldn’t change protection so it’s just accepted.

If someone posted the entire fingerprint code would it be possible to work out who they and where they are at an individual level like you could with a real IP or would it only give suggestions as to what device make and model they have?

Thank you for the replies

If you were to post the ID of your fingerprint, no one would know your device’s specifications. The ID is the hash value of the properties of your browser. Hashes are one-way functions and therefore irreversible. The only way someone could know is if they got the same hash as you, or calculated the hash for every possible variation. But, I gave the fingerprint ID that I got on Tor Browser for desktop, which is pretty good at anti-fingerprinting, and I’m pretty confident that anyone who uses it in the described configuration will have the same fingerprint. It is not possible to derive your location from it or anything, in this case.

1 Like

I am glad to hear it. Perhaps the most fingerprint resistance would come from Brave once they implement Tor into the Android version. It would massively stand out but the information would be false and changing for every site so nobody would ever have the true ID to follow and one ID can only be followed per site, it dies when they go to a new site.

1 Like

I just tried Brave for desktop, and this website: Technical Demo - Fingerprint Pro is able to consistently identify Brave for Linux in a ‘private window with Tor’, even after restarting it. This fingerprint is the same as the one I get in a normal, non-private, non-Tor window in Brave. This is concerning; it shows that it is possible for a normal Brave session to be directly linked to a private Brave with Tor session.

So while they have mitigated an audio fingerprinting technique and a canvas fingerprinting technique (both of which Tor Browser already offers protection against, from my testing), it is still very easy to fingerprint it. In fact, this website I used has, according to the Brave blog you linked, adapted its fingerprinting to get around Brave’s new anti-fingerprinting features. Note that this website still doesn’t work properly with Tor Browser. I asked their support chat on their website, they said that they are looking into Tor, but it is currently “not supported”.

Edit: it seems normal Firefox with privacy.resistFingerprinting set to true is also able to break this fingerprinting in a private window.

2 Likes

Well, that plan was certainly short lived :weary: :sweat_smile:

I think I saw a post somewhere on Reddit about that a while back, you would think they ensure users don’t get matching Tor fingerprint ID as non Tor fingerprint ID but I guess they haven’t gotten that much tuning on it. I suppose to ensure Tor IDs don’t get matched with ‘clear’ IDs there would also have to be a way of historically logging which devices have or haven’t received certain codes.

Since Tor is so good with hiding IP I’m guessing that fingerprinting is the main method used to try singling people out?

Thanks again for your trials and tests

Here are a few more advanced fingerprinting test sites:

Regarding fingerprintjs, they also somehow use the IP while fingerprinting. For example when you test Brave browser on desktop in strict mode, just restarting browser will give you the same fingerprint, but restarting+IP change will give a different one.

1 Like

From my testing, even the most aggressive anti-fingerprinting setting in Brave, plus an IP address change (using their ‘private window with Tor’) still gets me the same fingerprint ID. I installed it just yesterday though, so I’m not too familiar with Brave and its settings.

1 Like

CreepJS is interesting. It has a consistent fingerprint on Tor desktop for Linux in Safer mode, 483f464b, but I have no way of testing if it will have a different fingerprint on other Tor desktop browsers on Linux. If anyone feels like trying it out, that could be an interesting experiment, but perhaps that strafes away too far from the original topic of this thread.

1 Like

It certainly is an interesting yet slightly frightening discussion, I was hoping to mainly get an understanding of the Android variant but anything that goes towards strengthening Tor is welcome, I just ask that developers overseeing this thread take into consideration how things could be changed or improved for Tor as a whole, as in all variants across all platforms. I don’t think I’m wrong in saying that development of desktop has taken priority over mobile. It may perhaps be more difficult to implement the changes in Android but Tor have faced countless difficulties and continued on, hopefully it’s the same here.

I would like to ask how viewable our IDs are and who precisely can see them, if you connect to a .onion site you pass through six hops but does this mean all 6 see the ID or just the entry node?

A lot of people (myself included) will only run Tor in Safest mode meaning JavaScript is fully blocked off, in Safer mode I think some of these test sites are getting identifier information through the allowed JavaScript. It would be a big advantage (and reassurance) to many if testing was to be done in Safer and then again after closing and reopening in Safest mode. I went back to poke at the Brave test sites in Tor on Safest and it wouldn’t even display anything because the whole interface relied upon JavaScript. I don’t know if that means they get nothing or they do get it but just can’t show it.

The ultimate test would be trying all this on an .onion site designed for such things, we know what we see but none of us have any idea what the owner is getting.

Since you need probes and specific codes to get this information a genuine privacy respecting onion owner would never be attempting to get this information in the first place. Problem is we don’t know if they’re genuine and even if they are the onion could get hijacked or stolen by nefarious actors.

A minefield it is.

I assume that your test was before the Tor Browser 11 update? You can also look at the signature. If there is a signature you didn’t set, then someone else shares the same ID as you. If there is no signature present, you can insert one, so others can realize that too. Or you visit CreepJS every few days and look whether your ID has changed (so different fingerprint on revisit) or the visits counter increased by more than one (others share the same fingerprint).

Tor Browser 11 has not yet reached Android for unknown and unexplained reasons.