New Alpha Release: Tor Browser 13.5a3

by richard | December 21, 2023

Tor Browser 13.5a3 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Connect assist comes to Android

This alpha is the first release with Desktop's censorship circumvention feature (connect assist) available on Android! You can try it out for yourself by navigating to the Settings > Tor Network and selecting Enable beta connection features.

NOTE: This feature is very much in development and is still quiet brittle and liable to breakage. Do not toggle this option if you value your current Tor Browser for Android Alpha configuration. If this option gets the app into an unusable state, you can get back to the legacy bootstrapping system by clearing the app's storage and cache via the Android system settings. Of course, doing so will also delete any existing configuration options so please do not enable this option if this would be a problem for you.

When this feature ships in 13.5 in late spring/early summer 2024, Android users connecting from censored networks should have the exact same bootstrapping functionality Desktop users currently have. If they are unable to connect to the Tor Network, Tor Browser will query the anti-censorship backend to determine which pluggable transports and bridges they need to use based upon their locale and the current censorship landscape. The browser will then attempt to bootstrap once more with the new settings applied. Our hope is that this will take a lot of the guesswork out of connecting to the Tor Network for our mobile users, and ensure unfettered network access during censorship events.

For now we expect this new bootstrapping UX to be buggy, but we wanted to get it into the hands of users as early as possible so we can iterate and find and fix bugs as early as possible.

Known Issues

This is still feature is still very much a prototype, so there are a few known issues:

  • The 'Enable beta connection features' toggle currently only allows enabling the 'HTML UI'. Unfortunately the 'Native Android UI' option is not quite ready, but it should be available in 13.5a4 in January.
  • There is currently a white bar at the bottom of the 'HTML UI' connect assist screen. This 'HTML UI' is actually just the Desktop connect-experience with Android-specific modification to allow us to exercise the backend. It will be replaced with an Android-native frontend before 13.5 stabilises!

Why was this so hard?

Connect assist has existed on our Desktop platforms since version 11.5, so why has it taken so long to bring the same functionality to Android?

The fundamental problem is ultimately due to the fact that Tor Browser for Android and Tor Browser for Desktop do not share very much code beyond the low-level Gecko-based browser engine. So while low-level functionality such as fingerprinting, proxy-bypass, and linkability protections are easily shared between the browsers, much of the user-facing functionality people think of when they think of Tor Browser requires reimplementation in the parts which are not shared.

This includes things such as the circuit display, onion service authentication, the security level UI, connect assist and the management of the tor daemon itself. This means that historically, for each of these features, we have needed two parallel implementations: one for Desktop and one for Android (which is why for most of that list we have only one implementation).

The tor daemon management has historically been the most different between our two platforms. On Desktop, we inherited, integrated and encapsulated the tor daemon process and control port communication channels from the torbutton and tor-launcher XUL Firefox extensions. On Android we have the tor-android-service and tor-onion-proxy-library Java/Kotlin libraries. The way each of these components interacted with the rest of the browser is very different.

Fortunately, during the Tor Browser 13.0 release cycle we started the effort to unify our two tor daemon management systems into one.

To summarise, we encapsulated all of the tor daemon management behind a single TorProvider implementation in Tor Browser for Desktop, and rewrote all of the browser's calling logic (including connect assist) to use this new interface. So now, instead of having to completely re-implement the entire connect assist system in Java or Kotlin for Android, we instead just need to implement an Android-specific TorProvider and direct the existing connect assist backend to use that instead of the Desktop TorProvider. From there we 'just' need to develop the Android native frontend to use it.

With this coming convergence, the hope is that much of the work related to feature parity between the two platforms becomes a simple(r) matter of implementing the Android frontend and plumbing commands and events to and from the shared backend (rather than re-implementing the entire backend).

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.5a2 is:

Comments

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the moderators. Please do not comment as a way to receive support or to report bugs on a post unrelated to a release. If you are looking for support, please see our FAQ, user support forum or ways to get in touch with us.