Onion Browser

Home | Help/Support | by Mike Tigas

Enhance your web privacy

Onion Browser is a minimal web browser that encrypts and tunnels web traffic through the Tor onion router network and provides other tools to help browse the internet while maintaining privacy. See more features & benefits.

• April 23, 2014, Current Version. Onion Browser 1.4.1 updates OpenSSL to fix the "heartbleed" vulnerability, as noted below. Additionally, Onion Browser now uses iOS' built-in data encryption to protect user settings and bookmarks when the app is not in use, provided the device has passcode enabled. (developer info, user info) More details on this update can be found in the CHANGES file and the README file in GitHub. Users are strongly urged to update via App Store as soon as possible.

• A note on Heartbleed. The Heartbleed bug (info site, Wikipedia) is a weakness in recent versions of OpenSSL, which may leak information that should have been encrypted by SSL transport encryption. All versions of Onion Browser (since 2012) use affected versions of OpenSSL.
  
  However, browser traffic to websites within Onion Browser are not vulnerable, because the WebKit browser component uses the native iOS SSL stack instead of OpenSSL. (Note that visiting a non-HTTPS site or visiting a Heartbleed-vulnerable website is insecure regardless of which browser you are using — and any leaks in this case may not be detected.)
  
  Onion Browser's Tor client may leak internal Tor data, including information on Tor nodes you have connected to and a list websites you have tried to access. But this vulnerability is limited because in this situation, the attacker must be a Tor entry guard or bridge that you are connected to. More information on this can be found at the Tor Project's post about the vulnerability. (Onion Browser is a "Client" in their component list.)
  
  Users should update via the App Store as soon as possible.

• Recommended by Tactical Technology Collective and ProPublica’s Guide to Safer Communication.
• Featured as App of the Week on Salon.
• Featured in The New York Times, TechCrunch, Boing Boing, Gizmodo, Lifehacker, The Guardian, Cult of Mac, and others.
• Ranked as high as the #1 Paid iPhone Utility app and the #2 Paid iPad Utility app in the U.S. App Store.
• Read the launch day introductory blog post

Simulated screenshots:
iPhone 4/4S, iPhone 5/5C/5S, iPad 3; on iOS 5.1 and iOS 7.0.
Onion Browser supports most devices using iOS 5.1 or newer.

Download

This app (the "official fork") is being sold for $0.99 in the Apple App Store. Click here to download.

Note: The app is currently unavailable in France due to import regulations on encryption software. The app is unavailable and does not work in China and Iran due to these nations blocking access to the Tor network.[‡]

‡: The obfsproxy transport tool allows Tor to bypass these methods, but cannot be integrated into Onion Browser due to the limited iOS App "single process" architecture.

Copies of Onion Browser downloaded outside the App Store — via "jailbreak" app directories like Cydia — are built and released by third parties and are not supported by the developer. These copies may have modifications added by the packager, which may interfere with your privacy or security. For the best security in non-App Store circumstances, you should build your own copy of the app.

Support The Project

You can support development of Onion Browser via Bitcoin donation, by sending to the address 1JhxtgMbDajtiakRbNNkwy2RsubsWgmSSp.

You should also consider donating to the upstream Tor Project or the Electronic Frontier Foundation. The developer privately donates to these organizations and encourages users of privacy apps such as Onion Browser to donate as well, to support development of Tor and to further the cause of online privacy rights. Both organizations are registered 501(c)(3) charities in the United States, with publicly-available financial reports:

• Donate to Tor Project — Public records: GuideStar, Nonprofit Explorer
• Donate to EFF — Public records: GuideStar, Charity Navigator, Nonprofit Explorer

Source Code

The project is open source and you may freely access the source code on GitHub.

• mtigas/iOS-OnionBrowser on GitHub
• Download source tarball

Features & Benefits

• Internet access is tunneled through the Tor network: traffic is sent through an encrypted tunnel and over several "onion router" machines before reaching the destination[1][2]
  • Websites do not see your actual IP address.
  • Web browsing activities are protected from eavesdropping by ISPs or other users of your wireless or wired network
  • Freely access the entire internet from behind restrictive firewalls.
  • Access to the "dark net" of hidden services (".onion" web sites) not accessible via the regular internet
• Ability to spoof HTTP User-Agent header.
• Ability to block active content (scripts, web fonts, XHR/WebSockets, embedded audio/video).
• Ability to change cookie storage policy (Allow All / Block Third Party / Block All)
• “New Identity” button clears cookies, history, and cache and requests a new IP address in one quick step.
• Can optionally use the "Do Not Track" HTTP header (DNT: 1).

Technical folks should view the README file in the GitHub repository for implementation details and other technical notes.

Bugs, Caveats, Side Notes

See the Github project for a current list of known issues.

Using Onion Browser does not inherently guarantee security or privacy. It simply provides a set of features that may enhance privacy and anonymity while browsing the web. For more information: The Tor Project maintains a small section about staying anonymous over Tor, as do several threads on Reddit and other messageboard sites.

• Disclaimer: Onion Browser only tunnels traffic within the Onion Browser app. You are still using a smartphone, and in extremely sensitive circumstances you should be aware that iOS or your cellular provider may continue to leak non-Onion Browser traffic and other information.
• Video note: Websites using HTML5 <video> tags may leak <video>-related DNS queries and data transfer outside of Tor. This includes YouTube, Vimeo, and any website using iOS-compatible HTML5 video. This is due to behavior of the embedded QuickTime player and there is currently no known workaround. (Version 1.3.14 and newer contain an experimental "Block Active Content" setting which attempts to block embedded HTML5 Audio and Video. However, the ability for this feature to block direct navigation to audio/video files has not yet been determined.)
• JavaScript blocking: JavaScript blocking is an experimental feature. While JavaScript is not blocked, script-based detection may identify your device even if User-Agent Spoofing is enabled.
• Geolocation blocking: The HTML5 Geolocation API cannot be disabled. JavaScript blocking may prevent Geolocation code from executing, however. Users should remain vigilant for any pop-ups asking for permission to access location data.
• Common Sense: If you log into websites in Onion Browser that you normally log into outside of the Tor network, they will a) still know who you are, and b) know that you use Tor. In certain circumstances (i.e. political dissent in repressive nations), this may be incriminating information in itself.

Disclaimers, notices, etc.

"Onion Browser" is a trademark of Mike Tigas. Forks of this project must not use the "Onion Browser" name when distributing binary forms of this application.

The "Onion Browser" icon is a trademark of Mike Tigas. Icon image under the Creative Commons CC-BY-SA 3.0 license. Forks of this project should not use the "Onion Browser" icon when distributing binary forms of this application.

Mike Tigas and OnionBrowser are not affiliated with nor endorsed by the Tor Project. Onion Browser carries no guarantee from The Tor Project about quality, suitability or anything else. ("Tor" is a registered trademark of The Tor Project, Inc.)

Onion Browser is © 2012 Mike Tigas, all rights reserved. Source code available freely under the MIT License.

See the LICENSE file for more information.

This software uses strong cryptography and may it fall under certain export/import and/or use restrictions in some other parts of the world. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org for more information.

If you are a developer and plan on redistributing this app in source or binary form, please see read “ENCRYPTION NOTICE / APP DISTRIBUTION NOTES” in the LICENSE file for more detailed disclaimers.