I've been googling to find the most private browser for my device running GOS and most of the people said just to use the default Vanadium browser.

How is it even private / secure when it's developed on top of Chromium? Does Chromium itself not send any data to Google? Can we be sure?

Also, I just discovered a hardened Android Firefox app on F-Droid. Since I use hardened Firefox on my laptops, I'd enjoy using it even on my phone. Surely, with the hardening provided by Mull and U-Block Origin, the app must be more private than a lightweight Chrome, right?

Please do respond if you have any more info than I do, I'm inexperienced in this field.

    • [deleted]

    Lixiris How is it even private / secure

    It's secure because it actually—thanks to chromium—has sandboxing.

    Lixiris Does Chromium itself not send any data to Google? Can we be sure?

    You're free to analyze your mobile phone's internet activity by any means. Vanadium doesn't send any data to Google AFAIK.

    Lixiris Surely, with the hardening provided by Mull and U-Block Origin, the app must be more private than a lightweight Chrome, right?

    privacy != security. And uBlock doesn't "harden" your browser in any way. uBlock simply blocks ads. It also won't make real world browser fingerprinting techniques less successful. But it could easily weaken your anti-fingerprinting precautions if you were to install a custom rule (a regional blocklist it offers), for example. Try visiting this website multiple times using different browsers with different configurations to see fingerprinting in action. https://abrahamjuliot.github.io/creepjs.

    the app must be more private

    Depends on what it means to you. I honestly can't answer this part of your question since you mixed up privacy & security.

    Assuming you want a quick rundown: You can't make your device unidentifiable yet still usable for day-to-day browsing on Android yet. I tried Tor Browser on Android years ago just to find out it tells the websites you visit your phone's locale as well as local time. Vanadium is a great browser because it's more secure, but it won't save you from real world browser tracking.

    I should also warn you about installing many browser extensions.

    Lixiris How is it even private / secure when it's developed on top of Chromium?

    Vanadium is not a privacy browser, it is meant to be a security-hardened browser. Mull is the opposite: it is preconfigured for privacy but less security hardened than Vanadium.

      Be aware that especially on Firefox even the Arkenfox project mixes up

      • removing "everything mozilla" including update infos and useful telemetry
      • disabling annoyances
      • reducing sent data and fingerprintability (privacy)
      • disabling or limiting components that increase attack surface (security)

      I think NoScript is a great example of Security and Privacy in one tool. For sure you can run all that tracking Javascript in a container, but it is more risk and at the same time a data kraken.

      Vanadium sends nearly no data, it is also degoogled, which works well also on Desktop Chromium, even using your Distribution package.

      But simply "not sending data" doesn't mean that it allows

      • persistent site data containers
      • fingerprinting resistance
      • i.e. less identifiable data about device sent
      • & more general fingerprint
      • & randomized values

      Vanadium does nothing of that afaik, probably reduces data collection but nothing fancy like RFP on Firefox. Also its UI for site-based settings sucks and is very limited. Things for containers and cookie allowlisting (the rest gets always cleared) are missing a lot.

      Even MS Edge has more QOL settings, Brave is poorly very bloated, not sure about Vivaldi. Chrome & Chromium have nearly no settings, I have no idea why people use that Browser.

      Using hardened_malloc on Secureblue Linux, I am trying to use Chromium and it is totally okay, just the sync is really missing. And needing an extension to get a blank new tab page. And more. But it is okay!

        • [deleted]

        missing-root I am trying to use Chromium

        Desktop Chromium actually still sends more data when interacting with Google Services. See https://github.com/ungoogled-software/ungoogled-chromium?tab=readme-ov-file#feature-overview

        missing-root Be aware that especially on Firefox even the Arkenfox project mixes up
        removing "everything mozilla" including update infos and useful telemetry

        Arkenfox is a DIY guide, not a holistic package of settings, and they actually don't advise people to disable autoupdates. Arkenfox's main point against Librewolf is essentially about them shipping updates too late.

        missing-root I think NoScript is a great example of Security and Privacy in one tool.

        uMatrix is actually better :)

          Lixiris Firefox sends data to multiple Google services by default and Vanadium does not, so you have that backwards.

          Firefox on mobile and Mull have no sandboxing. Mull is not security hardened but rather privacy hardened.

          BluishHumility Vanadium fully intends to add substantial privacy features. It already has added privacy features and is in the process of adding much more. It takes us longer to do these things since we care about doing them properly. We want to avoid having huge holes in the state partitioning for cookies.

          missing-root That's wrong about Vanadium. It does reduce the device information that's sent by forcing the frozen user agent header and using fake values for client hints based on it.

          Vanadium does have state partitioning and anti-fingerprinting improvements which are being expanded. Anti-fingerprint doesn't actually work when using any niche browser or niche configuration though, only a mainstream browser on a small set of hardware models with partitioning by default can hope to prevent easy fingerprinting. Safari is the only candidate for that. Firefox with custom settings is more easily fingerprintable, not less. We're in the process of implementing full state partitioning including support for fully partitioned cookies instead of very weakly partitioned cookies like Safari, Brave and Firefox with major bypasses to keep sites working. We can do that by default, but with a simple toggle for full partitioning.

          Chromium doesn't really use malloc. They reroute everything to PartitionAlloc. Vanadium has memory tagging enabled for PartitionAlloc when available (Pixel 8 and Pixel 8 Pro), unlike other Chromium-based browsers. We plan to add more hardening to PartitionAlloc just like we've added hardening that's now partially upstream for the Linux kernel slab allocator. It would be better to outright replace these allocators as we do with the main allocator in the OS (malloc) but we can't do everything ourselves with our limited resources.
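
Added example, not part of the post above and not Vanadium or Chromium code: the point about the frozen user agent and client hints can be checked against the headers your own browser sends to a test server you control. It assumes a hint adds no device detail when it only repeats what the reduced Chromium UA string (`Android 10; K`, version `major.0.0.0`) already states; `auditUaHeaders` and all sample header values are constructed for illustration.

```javascript
// Added example, not Vanadium or Chromium source; all header values are constructed.
// Reduced ("frozen") Chromium user agent on Android: only the major version varies.
const FROZEN_ANDROID_UA = new RegExp(
  '^Mozilla/5\\.0 \\(Linux; Android 10; K\\) AppleWebKit/537\\.36 ' +
  '\\(KHTML, like Gecko\\) Chrome/(\\d+)\\.0\\.0\\.0 (?:Mobile )?Safari/537\\.36$');

// Strip the quotes of a single structured-header string; lists are left as they are.
const unquote = v => v.replace(/^"([^"]*)"$/, '$1');

// Assumption: a hint reveals nothing extra when it only repeats the frozen UA.
const REPEATS_FROZEN_UA = {
  'sec-ch-ua-model': v => ['K', ''].includes(unquote(v)),
  'sec-ch-ua-platform-version': v => /^10(\.0)*$/.test(unquote(v)),
  'sec-ch-ua-full-version-list': (v, major) => {
    const m = /"Chromium";v="([^"]+)"/.exec(v);
    return m !== null && m[1] === `${major}.0.0.0`;
  },
};

// Returns which headers expose device or build detail beyond the frozen UA.
function auditUaHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const match = FROZEN_ANDROID_UA.exec(h['user-agent'] || '');
  const major = match ? match[1] : null;
  const leaks = match ? [] : ['user-agent'];
  for (const [name, repeatsFrozenUa] of Object.entries(REPEATS_FROZEN_UA)) {
    if (name in h && !repeatsFrozenUa(h[name], major)) leaks.push(name);
  }
  return { frozenUa: match !== null, major, leaks };
}

const FROZEN_UA = 'Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36';
const SAMPLES = {
  consistent: {
    'User-Agent': FROZEN_UA, 'Sec-CH-UA-Model': '"K"', 'Sec-CH-UA-Platform-Version': '"10.0.0"',
    'Sec-CH-UA-Full-Version-List': '"Chromium";v="120.0.0.0", "Not_A Brand";v="8.0.0.0"',
  },
  hintsLeak: { 'User-Agent': FROZEN_UA, 'Sec-CH-UA-Model': '"Pixel 8"',
    'Sec-CH-UA-Platform-Version': '"14.0.0"' },
  unreduced: { 'User-Agent': 'Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/120.0.6099.43 Mobile Safari/537.36' },
};
for (const [name, hdrs] of Object.entries(SAMPLES)) console.log(name, auditUaHeaders(hdrs));
```
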

            The sad reality is that Firefox is dying. It is easy to understand now why only chromium-based browsers are to be used in 2024, as long as there is no good alternative.

            • [deleted]

            Lixiris Use vanadium if you're looking for privacy. Drop all firefox browsers, including tor.

              • [deleted]

              BluishHumility How can firefox be privacy friendly if each and every web page is not isolated!

              • [deleted]

              A few weeks ago I read an article by security researchers who said that even Google's chrome browser was more privacy-friendly than tor! That's how bad firefox is.

                [deleted] A few weeks ago I read an article by security researchers who said that even Google's chrome browser was more privacy-friendly than tor!

                Pls stop. Tor browser still has outstanding privacy and saying that Chrome is better in that regard is nonsense.

                  • [deleted]

                  TheGodfather And I would add that we have on this forum a person who claims to have the biggest exit knot, and this person has police raids at home. It's him who says it, he can confirm it. Not only is this browser fundamentally insecure, which ruins privacy, but the biggest exit node is most likely being monitored. Once again, the privacy of this browser is a matter of belief.

                    [deleted] the privacy of the tor browser is about blending in. Nothing more. It’s relatively insecure compared to chromium because it’s Firefox, albeit hardened, but that may not necessarily matter due to the fact it’s being used in the tor network.

                      • [deleted]

                      mmmm If the tor network is being monitored, and it is, then what's the point of using it?

                        GrapheneOS agreed about firefox sending data to google. The same happens with LibreWolf on Linux unfortunately.

                        Happy to hear that vanadium is getting more privacy focused in the long run.

                        [deleted] I mean if it’s inevitable you die, why be born, right?

                        The tor network is indeed a hot bed of criminal activity, and certain parts of it can be monitored yes. There are certain dangers to be aware of. That doesn’t mean that it’s unusable. It doesn’t mean *you’re* automatically being monitored.

                        You appear to have read some info that’s put you on a path towards completely mistrusting a relatively trustless system. I think you should go and read up a bit on all this, from proper sources. Start with Tor's own site, it clearly states the limitations and advises on how to properly use it.