iOS App Store Under Attack By Fake Tor Browsers

Multiple, potentially state-sponsored, browser applications have been created on the iOS App Store that are not approved by the official Tor project, and are not open source. This is a major privacy concern for iPhone users who have installed these applications who are under the assumption that they are safe. These deceptive applications have been appearing on the App Store to try and make themselves look like a legitimate version of the Tor browser, these applications are not trusted or vetted for use for a user who is concerned about their privacy or security.

Why This is a Concern

The Tor browsers is designed with privacy in mind, an adversary can bypass the privacy features of Tor if they compromise the browser running on your device. All Tor browsers on the iOS store as of now are fake, there is no official build of Tor for iOS. These applications are not open source and may have been developed by governments to spy on people who think what they are doing is private.

These browser applications pose a severe security and privacy risk to Tor users on iOS, there is nothing stopping these fake closed-source browser applications from logging what you are doing on Tor and sending it back to an attacker's server. What is even worse is that these applications are designed to trick users into thinking they are legitimate and approved, this deception makes the claim that these browsers are acting maliciously more credible.

The Privacy Risks

The privacy risks of using an unknown, unapproved Tor browser can be major. Usually, to compromise a user on the Tor network an attacker has to perform a complex attack to compromise all 3 of the nodes the user is using, and this only applies to clearnet websites. When a user is connecting to a Tor onion domain, it is virtually impossible to compromise the connection because there is no exit node. The level of protection the Tor network provides can be fully bypassed if an adversary has a backdoor into the Tor client you are using, because it is able to view what you are connecting to and what you are doing.

Due to the fact that these browsers are intentionally making themselves look official, an act of deception, it is not far-fetched to suggest that they may be doing more sinister things than just allowing users to connect to Tor. These browsers are nothing more than a fork of Safari that connects through a running Tor proxy, coupled with whatever spyware is running inside of them.

The Security Risks

The risks to users who use these fake browsers do not end at privacy concerns, the security of your connection is at risk when using these browsers. The Tor project only uses Mozilla's Gecko web engine across all devices, this ensures that it is consistent across devices and makes it much harder to fingerprint a single device. As per the iOS App Store rules, all browsers must use the Safari web engine (WebKit) including these fake Tor browsers. Due to this difference in web engines, fingerprinting users who use these deceptive browsers is easier, this can potentially compromise their identity and security when accessing Tor.

Why Tor is not on iOS

Tor is not on iOS because of the draconian App Store rules that dictate what software individual apps are allowed to use. Browsers for iOS must use the Safari web engine, this is not a web engine that Tor officially supports and they will not release a browser for this web engine due to fingerprinting concerns. It is possible that Tor may come to iOS one day because of the EU pushing against Apple's restrictive guidelines.

How To Mitigate This Attack

This attack only affects users who actively use or have used these deceptive spyware browsers, if you have not installed these apps then you obviously are not affected. If you are on iOS, it is impossible for you to use Tor safely because it is not officially supported. It has been made clear time and time again that if you own an iPhone you do not have full control over what your own phone is allowed to do, you are effectively paying for the privilege of being told what apps you are and are not allowed by a multi-trillion dollar child-slave corporation. If you are a mobile user and want to explore Tor safely, you should consider purchasing a phone that allows you to do as you please with the product you paid for.