Privacy Browser Android

Isn't SOCKS considerably less secure than HTTP_CONNECT, and vulnerable to MITM and such? I use HTTP_CONNECT personally, especially for a web browser.

The short answer is no.

The long answer is that under certain circumstances that don't apply to Orbot it is more secure. Those certain circumstances are 1) the protocol being used is HTTPS. 2) The data is transferring over a network where a man-in-the-middle attack could be performed.

In the case of Orbot, two proxy protocols are supported: HTTP and SOCKS. Neither of these are encrypted protocols, as opposed to HTTPS, which is an ecrypted protocol.

Also, in the case of Orbot, the URL is localhost. Basically, the data is just transferring from one program to another on the same device. As such, it doesn't traverse a network where it is possible for someone to perform a man-in-the-middle attach (hence, the reason why Orbot does not support an encrypted protocol).

Along these lines, The Guardian Project themselves recommend the use of SOCKS over HTTP for the proxy, to the degree that they don't frequently test the HTTP proxy and sometimes don't realize when it is broken. For example, see https://gitlab.torproject.org/legacy/trac/-/issues/26764.

As a further note, this feature request is simply to change the default custom proxy value. On really old versions of Android (KitKat, 4.4, API 19) SOCKS support wasn't possible. For quite some time, Privacy Browser has been using SOCKS proxying for Tor on newer versions of Android and using HTTP proxying on older versions of Android. Beginning with Privacy Browser 3.10 the minimum API is 23, so using the Tor proxy option defaults to SOCKS on all devices.

The default text of the custom proxy option was written as a guide that people could modify for their uses. But it seemed a good idea to make the default text usable even if unedited. Therefore, it was `http://localhost:8118`, which would work with Orbot on all devices. Now that the minimum API is 23, it makes more sense for the default text to be `socks://localhost:9050`, which is what Orbot recommends and works on all devices.

If someone really wants to use an HTTP proxy, they can always set the text to be whatever they like.

For those who might not be familiar with the subject, what is being discussed is the protocol used to communicate between Privacy Browser and the proxy. Even though, in the case of Orbot, both options are unencrypted, the actual communication between the browser and a website that moves inside that protocol can be, and ought to be, encrypted. Meaning that an HTTPS connection to a website works just fine inside an unencrypted SOCKS proxy between Privacy Browser and Orbot. This is similar to how a computer with an ethernet cable can send an encrypted HTTPS connection to a website over an unencrypted ethernet tunnel between itself and the switch on the other end of the cable.