Our new officially-supported repository allows users of the F-Droid client to install the browser and receive automatic updates without requiring Google Play.
I have used FF based browsers for a long time and still do. I recently saw this from the GrapheneOS developers, which kinda freaks me out and has me considering switching to a Chromium based browser:
Chromium-based browsers like Vanadium provide the strongest sandbox implementation, leagues ahead of the alternatives. It is much harder to escape from the sandbox and it provides much more than acting as a barrier to compromising the rest of the OS. Site isolation enforces security boundaries around each site using the sandbox by placing each site into an isolated sandbox… Browsers without site isolation are very vulnerable to attacks like Spectre…
Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox / Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn’t happening for their Android browser yet.
EDIT: I really hope Ladybird turns out to be amazing.
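The `isolatedProcess` property mentioned in the quoted GrapheneOS text is declared per service in an app's manifest, so it can be checked from outside the app. The following Python sketch is an added example, not part of the original post and not GrapheneOS or Chromium code; it lists which services in a manifest opt in. It assumes the manifest has already been decoded from the APK's binary form to text XML, and the package and service names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: decoded manifest of a hypothetical browser app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.browser">
  <application>
    <service android:name=".RendererService0"
             android:process=":sandboxed_process0"
             android:isolatedProcess="true"
             android:exported="false" />
    <service android:name=".GpuService"
             android:process=":privileged_process0"
             android:exported="false" />
    <service android:name=".SyncService"
             android:isolatedProcess="false" />
  </application>
</manifest>
"""

def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)

def audit_services(manifest_xml):
    """Map each <service> name to its isolation flag and process name."""
    root = ET.fromstring(manifest_xml)
    report = {}
    for svc in root.iter("service"):
        name = android_attr(svc, "name", "<unnamed>")
        # The attribute defaults to false when it is absent.
        flag = android_attr(svc, "isolatedProcess", "false")
        report[name] = {
            "isolated": flag.strip().lower() == "true",
            "process": android_attr(svc, "process"),
        }
    return report

def summarize(manifest_xml):
    """Return (isolated service names, non-isolated service names)."""
    report = audit_services(manifest_xml)
    isolated = sorted(n for n, r in report.items() if r["isolated"])
    shared = sorted(n for n, r in report.items() if not r["isolated"])
    return isolated, shared

if __name__ == "__main__":
    isolated, shared = summarize(SAMPLE_MANIFEST)
    print("isolatedProcess services:", isolated)
    print("services without isolatedProcess:", shared)
```

An app whose content-handling services all land in the second list has no OS-level isolated process for that content, which is the gap the quoted text describes.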
We should challenge some of those superlatives that projects such as GrapheneOS can coin from time to time. Those projects are not abstract master entities; they have people behind them, and they are not authorities in all subject matters. They are correct about Gecko browsers’ insecurities on Android; however, the use of the term “leagues ahead” in this comparison may be questionable. I use GrapheneOS and Vanadium, but I don’t believe that using some hardened Gecko browser would be as terrible as it sounds, especially if you are not a focused target. For example, I keep Tor as a secondary browser for some specific tasks on my phone.
People could perhaps start helping the Servo project more. They really need some help, and for those that program in Rust or want to learn it, this could be a very good place to devote your attention.
Feel free to freak out. That doesn’t worry me at all. I guess you prefer getting tracked and monetized over having a little weaker security in hypothetical problem areas…
You know, I’ve worked with, and helped people with issues on, primarily Windows, but also Mac and Linux, since the 90s, and I can’t remember one single time where the problem was based on this kind of vulnerability. So please, do live in a hypothetical world - I’ll stick with what works and keeps me from being monetized.
Same here. I prefer to avoid Chromium-based browsers whenever I can. A lot of them are better than Chrome, and I do like to mess with them from time to time to stay aware of features and test things. But Firefox on my phone has access to uBlock Origin and all my other extensions, after activating the hidden debug menu/dev mode that you turn on in a similar way as activating Dev Mode for the Android OS. I only mention that last part because it seems a lot of FF Android users don’t know about it, and it allows for installing xpi files just like you can with desktop. Freaking game changing for me. It really sucks that the main-line Chromium-based browsers don’t support extensions, even in the limited options way FF used to before allowing more to officially work (even without the debug menu/dev mode trick).
For those that might want the instructions for the hidden debug menu/dev mode. Some extensions still might not work correctly as they might not play nice with the UI/layout of the Android version. I would imagine that some of these might be things like the third-party tab-tree extensions for example.
1. Open Firefox App
2. Go to the settings menu.
3. Enable Developer Settings: You need to tap on the Firefox logo five times. This action will unlock an additional debug menu.
4. Find “Install extension with a file” option in Settings: Look for the option to install an extension from your own storage and pick the xpi file.

It will also just work using the extensions page on the FF site.
https://grapheneos.org/usage#web-browsing