Onion Browser

Home | Help/Support | Security | by Mike Tigas

Security Updates

This page contains a list of security-related updates and fixed vulnerabilities since May 2014. Users should ensure that they are running an up-to-date version, by checking the App Store.

• Known Bug: Research into Onion Browser suggests that some browser data may be retained, depending on how an app is closed or if the app crashed. Users are encouraged to press the "New Identity" button before closing the app, as this will ensure that all session data in Onion Browser is wiped from the device.

August 7, 2016: Onion Browser 1.6.0

• First version with iObfs library, providing support for obfs4 and meek bridges.
• Tor updated to 0.2.8.6.
• OpenSSL updated to 1.0.2h.
• iOS 8.2 or newer required. Support for iOS 8.1 and earlier has been dropped due to FREAK exploit in older iOS versions; see March 18 2015 note, below.

January 7, 2016: Onion Browser 1.5.16

• Tor updated to 0.2.7.6.

Dec 10, 2015: Onion Browser 1.5.15

• Tor updated to 0.2.7.5.
• OpenSSL updated to 1.0.2e.

Nov 08, 2015: Onion Browser 1.5.14

• Tor updated to 0.2.7.4-rc. (f050533acb)

October 30, 2015: Onion Browser 1.5.13

• Warn users on iOS versions vulnerable to FREAK exploit (see March 18 2015 note, below). Support for iOS <8.2 will be dropped in an upcoming version.
• Tor updated to 0.2.6.10. (8a26da0041)
• OpenSSL updated to 1.0.2d. (8a26da0041)

March 31, 2015: Onion Browser 1.5.12

• On first run, a user can now configure bridges before Tor begins connecting. Prevents a user from revealing non-bridged Tor connections.
• Tor updated to 0.2.6.5-rc. (21b1c9306d)
• OpenSSL updated to 1.0.2a. (be27b3e0f7)

March 18, 2015: FREAK Exploit Notice

Devices running iOS versions older than 8.2 are vulnerable to the FREAK (Factoring RSA Export Keys) SSL exploit systemwide, including inside Onion Browser, Safari, etc. This exploit can greatly reduce HTTPS connection strength and allow possible decryption of HTTPS traffic. iOS 8.2 contains a fix for the exploit. (Note that browsing traffic in Onion Browser uses WebKit and the system-provided SSL stack.) Users are strongly encouraged to update their device(s) to iOS 8.2.

By default, Onion Browser's Active Content Blocking feature prevents the standard FREAK client test from running, resulting in an orange warning; if you would like to test your own device, you can try these two links (from the last paragraph on the client test page): Test1 Test2 — both should result in a connection error. If either page loads (saying "VULNERABLE!"), then you are vulnerable to this exploit.

March 17, 2015: Onion Browser 1.5.11

• Tor updated to 0.2.6.4-rc. (d537a218a6)
• libevent updated to 2.0.22. (d537a218a6)
• OpenSSL updated to 1.0.2. (d537a218a6)

November 11, 2014: Onion Browser 1.5.10

Current version: Click here to download or update.

• Prevent crash on startup (requiring uninstall/reinstall) if invalid bridges were configured. (a3df91ef9b)
• Add TLS "padlock" icon to show if a connection is entirely over TLS or if it contains insecure content. (5bb3104051)

November 10, 2014: Onion Browser 1.5.9

• Disable SSLv3 by default, forcing connections to use TLSv1.0 or higher. Add option to change this to allow SSLv3 or force TLS1.2-only. (ea6c19ba75 4e9869698b)
• Fixed crash when allowing Onion Browser to load a website with invalid SSL certificate; mostly affects users loading HTTPS sites over hidden services, or website with self-signed certificates. (ea40fb5471)
• Tor updated to 0.2.5.10. (a6c01946e4 a53d0d1439)
• OpenSSL updated to 1.0.1j. (a6c01946e4)

October 8, 2014: Onion Browser 1.5.8

• (Version 1.5.6 and 1.5.7 skipped due to various iTunes Connect issues.)
• User-agent spoofing strings updated to the latest iOS 8 Safari and Mac OS X Mavericks Safari (7.1). (0da03a908e)
• Tor updated to 0.2.5.8-rc. (674c36b8f9 51841da174 &c.)

September 18, 2014: Onion Browser 1.5.5

• (No security content. This version is identical to 1.5.4, but recompiled with the iOS 8 SDK for improved compatibility with iOS 8, the iPhone 6, and the iPhone 6 Plus.)

August 14, 2014: Onion Browser 1.5.4

• Tor updated to 0.2.4.23, which allows future tweaks to the number of entry guards used, as a mitigation against the RELAY_EARLY traffic confirmation attack. (7219e02534)
• OpenSSL updated to 1.0.1i, fixing some app crash vulnerabilities. (7219e02534)

July 02, 2014: Onion Browser 1.5.3

• Active Content Blocking's default mode ("Block Ajax/Media/WebSockets") did not correctly block <audio> and <video> tags, which could result in an IP address leak. This causes the issue noted in the Dominik Bok (xordern.net) "IP disclosure" report. Note that the "Allow All (DANGEROUS)" mode is still considered unsafe and will not protect against this attack. (9fe1cc469e)
• Due to a bug in error handling, a malicious webpage could spoof the address bar location by causing a navigation error at the right time — posing a severe phishing risk. Reported by Łukasz Pilorz; testcase here. (c64bd8a7bd)

June 16, 2014: Onion Browser 1.5.2

• Active Content Blocking now attempts to block "Worker()" (web worker) calls. Scripts executed from web workers could bypass the blocking of web sockets, local storage, session storage, and other Active Content Blocking measures. (1dfcaaef5c)
• OpenSSL updated to 1.0.1h to patch the "Early CCS" vulnerability. (8ab734e873)

May 21, 2014: Onion Browser 1.5.1

• User Agent Spoofing was overhauled, and now defaults to using a "normalized" iPhone or iPad User Agent, depending on the user's device. This means that all Onion Browser users will automatically send the same user agent as the average iOS 7.1.1 Safari user, instead of revealing the user's actual device or iOS version.
• User Agent Spoofing now attempts to spoof even within the "navigator.userAgent" javascript variable. (5bb195ed0a)
• Active Content Blocking now attempts to block "WebSocket()", "localStorage", "sessionStorage" and JavaScript calls in addition to using a Content-Security-Policy header (which, in theory, blocks these features in WebKit). (5bb195ed0a)
• Tor updated to 0.2.4.22

May 14, 2014: Onion Browser 1.5 (Cure53 Security Audit)

A security audit and penetration test of Onion Browser was performed by Cure53, with support from the Open Technology Fund. Onion Browser 1.5.0, released May 14, 2014, fixes all vulnerabilities and issues in the report. (Informative notes, categorized as "info" in the report, are the only ones excluded as they are not actual vulnerabilities.)

• The Cure53 audit report can be read here: onion-browser-cure53-security-audit-201404.pdf (PGP sig) or at Cure53's website.
• Technical details can also be found in the changelog on GitHub.

The following is a list of vulnerabilities & issues noted in the audit report, with links to relevant code commits that fix them.

Vulnerabilities

• OB-01-005 (High Priority): The "Third Party Cookie" blocking option was not working properly. Fixed in v1.5.0 (e70e2fcbca).
• OB-01-006 (Critical Priority): A specially-crafted website using "itms:" links could expose the user's IP address to the attacker's website due to a race condition involving connections being sent as Tor is closing down (due to switching to another app). Fixed in v1.5.0 (89121d3271).
• OB-01-009 (Critical): Invalid SSL certificates were being ignored for all .onion websites; in theory, this could open the door for imposter or man-in-the-middle attacks. Fixed in v1.5.0 (271b2b22df).
• OB-01-010 (Critical): Active Content Blocking has been overhauled to proactively block WebSockets, which leak connections outside of Tor. The default option now blocks all Ajax/XHR/WebSocket requests. (Previous options for "Allow All" and "Block All" are still available.) v1.5.0 (983687ed67).
• OB-01-013 (High): Fixed poor use of "onionbrowser:" URLs which could allow an attacker to close the app without user consent. (i.e. <img src="onionbrowser:forcequit"> would successfully quit the browser if the user visits a page with the tag on it.) Fixed in v1.5.0 (c5cfb15a99).
• OB-01-014 (High): Browser cache, HTML5 local storage, and HTML5 databases are now blocked. These features create a situation where a website could bypass cookie protections, as demoed on http://samy.pl/evercookie/. Fixed in v1.5.0 (4d3ef413bd).
• OB-01-016 (Critical): "data:" URIs are now prevented from being loaded in the address bar. (Their use in embedded content is still available.) Fixes situation where a "data:text/html" page would bypass Active Content Blocking, which could lead to an attacker intentionally abusing video tags or other Tor-leaking features. Fixed in v1.5.0 (546a5434b1).
• OB-01-017 (Critical): The user is now prompted when another app launches Onion Browser via an "onionbrowser://" URI. Prevents a situation where an attacking website loaded in Safari may auto-launch Onion Browser with private user data in the URL (i.e. "onionbrowser://example.com?ip=xxx.xxx.xxx.xxx"), which could then be used to cross-reference the user's Tor activity with the user's real identity. Fixed in v1.5.0 (d7d1941d3d).

Other Identified Issues

• OB-01-001: Onion Browser now masks the current activity from appearing in the "app picker" thumbnail image when the app goes tobackground. (535fc0c130)
• OB-01-002/OB-01-003/OB-01-007: iOS File Encryption has been expanded such that all app data (not just settings/bookmarks) are now encrypted when the device is locked with a passcode. (7ec879611b)
• OB-01-012: For self-compiled version of Onion Browser, the app is not always compiled with Address Space Layout Randomization (ASLR), which could leave the app vulnerable to memory bugs. The app is properly compiled with ASLR when compiled for "Release". Users may test this by executing the following command on the output of the "Build" command (or against an already-compiled "OnionBrowser.app" copy that you have): `otool -hv </path/to/OnionBrowser.app>/OnionBrowser` (i.e., `otool -hv ~/Downloads/OnionBrowser.app/OnionBrowser`) The output should contain the "PIE" flag.
• OB-01-015: Autocomplete and autocorrect are disabled on all settings/bookmarks/address fields; autocorrect leads to user-typed text being stored in the iOS Keyboard Cache, which leaks data outside of the app's control. (a5a409876d)