I log in to my Reddit and Twitter accounts only over Tor. I do this just so my accounts cannot be traced back to me (provided I don't say anything too personal on my Reddit account).

But I recently learnt about Orbot; as far as I can tell, all it does is direct the traffic on my GrapheneOS over Tor.

So, I am considering downloading the Twitter and maybe Reddit apps to my phone, which I have refused to do since moving to GrapheneOS, because it seems like a recipe for disaster when it comes to personal privacy to download a closed-source app from a social media company onto my phone.

But if I have Orbot and am running GrapheneOS, and I install and run Twitter and Reddit, as far as I can tell, I get the same level of privacy protection as logging into my Twitter account behind Tor, with the exception of protection against browser fingerprinting. Am I correct? And I am not sure how much personal user-specific information an app can glean about me using fingerprinting on my phone, as it's a mass-produced phone.

    Have to keep in mind that ANY data that is accessible by those closed-source programs can be transferred through Tor as well, which could render Tor moot as a security measure.

    b3_k1nd_rw1nd There seems to be a big misunderstanding: using Tor with JavaScript enabled (which is a requirement for the websites you listed) is flawed if you consider the website you visit an adversary. Tor prevents anyone on the network from seeing your online activity (like your ISP), but if you allow JavaScript, the website you visit and the ads/trackers running on it can do all the fingerprinting they want. Using the official app with Orbot offers the same protection: almost none. Understand that these services don't really care for your IP address; most of the time it changes regularly (daily basis), is shared by multiple users (family members) and/or is hidden behind an ISP's NAT giving a single IP to a whole neighborhood.
    If you want to surf these websites with a modicum of anonymity, you can either:

    • Use Nitter and Teddit if you can manage without an account
    • Download an open source alternate frontend which will prevent fingerprinting

    At that point, using Tor/Orbot will be useful.

      Welteam

      using Tor with JavaScript enabled (which is a requirement for the websites you listed) is flawed if you consider the website you visit an adversary. Tor prevents anyone on the network from seeing your online activity (like your ISP), but if you allow JavaScript, the website you visit and the ads/trackers running on it can do all the fingerprinting they want.

      I am pretty sure that Tor protects against that sort of fingerprinting by

      1. clearing the cache and cookies with every new identity and
      2. substituting its own values for queries like GPU and display screen in order to decrease the number of unique attributes in the fingerprint.

      Also, if I take my threat model into account, I am more concerned with the social media engine not being able to build a profile off me, and if they do that, not being able to link it back to me specifically. I doubt using Tor with JS will allow that to happen, as I am always careful to clean my identity after a session.

      Which leads me to not be sure how you think using Tor is almost no protection with JS enabled.

        MetropleX changed the title to "Benefits of using Orbot?".
        15 days later

        b3_k1nd_rw1nd Sorry for the delayed reply but I want to clarify some things for anyone interested.
        First, one should not confuse "Tor" and "Tor Browser" (aka. Tor Browser Bundle). Tor could be described as a routing algorithm designed to allow two parties to connect through TCP (and TCP only) without either the client, the server or the network knowing both client and server. Tor Browser is a browser whose main specificity is to route all traffic through Tor.
        In my previous post, I wasn't particularly assuming that you are using Tor Browser but simply any browser with JS enabled. As for Tor Browser itself, while it is true that it does a lot of things to mitigate fingerprinting, it's far from completely removing the threat it poses to anonymity. Moreover, through my own research, I found little to no information on the feature parity between the desktop and Android versions, so I wouldn't assume any of them is actually implemented in the Android one. From what I saw, I also conclude that the development of the Android TB is way more unreliable than the Desktop TB. That's only my opinion.

        Finally, in regard to your threat model, using Tor is the first step but your focus should really be on the activity of your account. Do not reveal any personal info, limit interactions with anything with a sphere of influence below the national level, limit interactions with real world acquaintances, limit activity revealing political or religious belief, etc.

          22 days later

          Welteam First, one should not confuse "Tor" and "Tor Browser" (aka. Tor Browser Bundle). Tor could be described as a routing algorithm designed to allow two parties to connect through TCP (and TCP only) without either the client, the server or the network knowing both client and server. Tor Browser is a browser whose main specificity is to route all traffic through Tor.

          That is true. In my head, I was considering using Vanadium behind Orbot equivalent to using a desktop Tor Browser, and I agree about those differences you outlined.

          Having said that, however, while I agree with your statement that Android TB may not be as reliable as the Desktop TB, it seems to me that if I were to install Twitter on a GrapheneOS phone which is using Orbot/Tor as a VPN, it gives me much of the same protection (though I admit not all) as a Desktop Tor Browser:

          • My IP is hidden
          • The app is not able to see devices on my local network
          • Most of the "identifying" settings on my phone are generic and not specific to me due to it being a mass-produced phone (the only identifying settings are probably things like the timezone)

          The only issue I really see is the data that the Twitter app would itself save to my device and if I do not give the app permission to anything except Network and Notifications, I have a hard time seeing how it can glean anything useful about me in particular.

          Finally, in regard to your threat model, using Tor is the first step but your focus should really be on the activity of your account. Do not reveal any personal info, limit interactions with anything with a sphere of influence below the national level, limit interactions with real world acquaintances, limit activity revealing political or religious belief, etc.

          This I agree with. And I use my Twitter account only to follow folks/organizations I find interesting or to save things to bookmarks. I have no interest in ever tweeting, in an effort to ensure Twitter can't build a profile off of me based on what I tweet, though I am sure they already have a profile of me based on who I follow.