Security Updates

This page lists security-related updates and fixed vulnerabilities since May 2014. Users should check the App Store to ensure that they are running an up-to-date version.

August 7, 2016: Onion Browser 1.6.0

January 7, 2016: Onion Browser 1.5.16

December 10, 2015: Onion Browser 1.5.15

November 8, 2015: Onion Browser 1.5.14

October 30, 2015: Onion Browser 1.5.13

March 31, 2015: Onion Browser 1.5.12

March 18, 2015: FREAK Exploit Notice

Devices running iOS versions older than 8.2 are vulnerable systemwide to the FREAK (Factoring RSA Export Keys) SSL exploit, including inside Onion Browser, Safari, etc. This exploit can greatly reduce HTTPS connection strength and may allow decryption of HTTPS traffic. iOS 8.2 contains a fix for the exploit. (Note that browsing traffic in Onion Browser uses WebKit and the system-provided SSL stack.) Users are strongly encouraged to update their device(s) to iOS 8.2.

By default, Onion Browser's Active Content Blocking feature prevents the standard FREAK client test from running, resulting in an orange warning. If you would like to test your own device, you can try these two links (from the last paragraph on the client test page): Test1 and Test2. Both should result in a connection error. If either page loads (saying "VULNERABLE!"), then you are vulnerable to this exploit.

March 17, 2015: Onion Browser 1.5.11

November 11, 2014: Onion Browser 1.5.10

November 10, 2014: Onion Browser 1.5.9

October 8, 2014: Onion Browser 1.5.8

September 18, 2014: Onion Browser 1.5.5

August 14, 2014: Onion Browser 1.5.4

July 2, 2014: Onion Browser 1.5.3

June 16, 2014: Onion Browser 1.5.2

May 21, 2014: Onion Browser 1.5.1

May 14, 2014: Onion Browser 1.5 (Cure53 Security Audit)

A security audit and penetration test of Onion Browser was performed by Cure53, with support from the Open Technology Fund. Onion Browser 1.5.0, released May 14, 2014, fixes all vulnerabilities and issues in the report. (Informative notes, categorized as "info" in the report, are the only ones excluded, as they are not actual vulnerabilities.)

The following is a list of vulnerabilities and issues noted in the audit report, with links to the relevant code commits that fix them.


Other Identified Issues