We all have our favorite browsers for one reason or another, maybe its what came pre-installed on your phone or its the one your chose. Whatever the reason we use the browser we do, we will examine a report on how they behave when the run for the first time.
We recently report on an independent review by Douglas Leigh of Trinity College Dublin, in which he examined the information sharing practices of commonly used desktop browsers Google’s Chrome, Mozilla’s Firefox, Brave, Apple’s Safari, and Microsoft’s Edge. We came across this report tweeted by Brave and after reading it thought that our readers who use iOS would benefit from from a summary of it. The report is from Sampson, Senior Developer Relations at Brave. I will tell you right now that Brave comes out of this looking really good, but that shouldn’t be that surprising given the report from Trinity College. Sampson specifically reviews what each of the browsers do after a first run which is fresh install of the browser on iOS. For Safari it would be the first time Safari was started on a new iPhone or after an iOS reset.
The iOS browsers included in this test are:
- DuckDuckGo 18.104.22.168
- Mozilla FireFox 24
- Google Chrome 80.0.3987.95
- Microsoft Edge 45.2.16
- Brave 1.15
According to Sampson, DuckDuckGo issued 13 requests and all of them were to their own domains. The first request as Sampson points out is to staticcdn.duckduckgo.com/trackerblocking/v2/tds.json, which loads info used in DuckDuckGo’s default tracker-blocking behavior. He goes on to say “Much of the file contains meta-information (such as user-friendly names and categories) for various known tracker entities.”
The second request is to improving.duckduckgo.com/t/m_o_ios_tablet, which Sampson says “appears to collect anonymous usage information, similar to Brave. DDG informs the server that I am on a tablet, and that I am using version 22.214.171.124 of the browser. The server responds with a transparent GIF. This request relates to DDG’s anonymous a/b testing. See Improving DuckDuckGo for more.”
He goes on to the next calls “are related to HTTPS Upgrades, 21 URLs which should temporarily be exempted from tracker-blocking (likely for compatibility), and lastly a set of “surrogates” which can be injected into the context of a page to prevent breakage whilst blocking trackers.”
He concludes with typing Brave into the address bar to see if his keystrokes were sent out. DuckDuckGo “does indeed transmit keystrokes as part of its default configuration. Typing “brave” resulted in 5 calls to DDG’s auto-complete service. Each letter inserted resulted in a payload of JSON being downloaded with a set of phrase predictions.”
A browser considered a privacy stalwart was review next. Upon first fun FireFox made 14 calls. Sampson says that most were to mozilla.net endpoints, but a few went to other domains like api.leanplum.com and app.adjust.com. What are those domains? Well, Leanplum is a marketing apparatus who receives a data points like “including the appId, version, a timestamp, my timezone, the client platform, a “client key”, and an encoded JSON string of additional “data”.” That JSON string contains “deviceId, a userId, and a uuid (universally unique identifier).”
Sampson went on to say “Firefox also informs Leanplum whether or not I happen to have also installed Firefox Focus, Pocket, and/or Firefox Klar (a telemetry-free build of Firefox Focus for German markets). The JSON also has location, country, city, and region values of “(detect)”, though it is not clear to me what this value means.” A few other points added:
- When Firefox launches, it displays regional news items beneath the “Trending on Pocket” headline. These items are retrieved from getpocket.cdn.mozilla.net/v3/firefox/global-recs. Firefox sends over the number of items requested, the user’s language and locale, a version (presumably for Pocket), and a consumer key (these are per-app, so all Firefox users on iOS are likely to share this value).
- The next item I noticed was a POST to the mobile marketing platform adjust.com. This network call contained quite a bit more information than previous ones. In this call (to a third party, mind you), I can see 28 pieces of information, including a persistent_ios_uuid token. I should mention that there is a tracking_enbled entry too, which has a value of 0. The server responds with a small payload of JSON data, which includes an adid (ad ID?). Moments later another call is made to adjust.com with my persistent_ios_uuid and more; the response confirms that these calls are for tracking attribution.
- The last step in this review was to type “brave” into the address bar, and see if Firefox, out of the box, would send my keystrokes off to a remote party. In fact, it does. However, unlike DDG (which sends keystrokes to duckduckgo.com), Firefox sends keystrokes directly to google.com, passing along “firefox” as the client for attribution.
Related Reading: FireFox
All right here is the one that everyone all ready knows is a major offender, so let’s see just how bad it really is. Chrome issued 35 requests, remember FireFox only sent 14 and DuckDuckGo only sent 13. Sampson goes on to highlight the calls it made:
- Chrome first calls out to update.googleapis.com/service/update2 to check that the browser is up to date. In addition to the browser version and my device platform, the XML payload also contains a userid.
- Next, Chrome requests a JSON payload of suggested sites for American audiences. This data comes from gstatic.com/chrome/ntp/suggested_sites_US_5.json. The response contains URLs for icons, which Chrome then proceeds to download from each of the respective domains. For the most part, these image requests don’t appear to result in many cookies. Wikipedia does set a cookie, and includes within it my Country, State, City, and Coordinates. This cookie persists in future user-navigations as well.
- Similar to Chrome on desktop, clientservices.googleapis.com/chrome-variations/seed is pinged to retrieve Field Trials for this particular browser instance. Like Firefox, Chrome displays news on its new tab page. chromefeedcontentsuggestions-pa.googleapis.com/v2/suggestions/fetch is responsible for serving this data to the browser instance. It’s worth noting that in other browsers, this type of data typically comes with an image to display as well. That isn’t the case with Chrome. Instead, the URL of the site is passed to a Google Service, and an image is returned for displaying. This prevents your browser instance from reaching out to third-party domains.
- At the end of this brief walk through Chrome’s network activity, I continued my tradition of typing “brave” into the address bar to see what, if anything, would happen. Unsurprisingly, Chrome calls to the same endpoint as Firefox, noting the client is chrome.
Related Reading: Google Chrome
Up until a few years ago we only had Microsoft’s Edge on Windows 10 PC’s, but today it has become a cross platform browser like the other browsers in this review. In many ways Edge has gone through the most rapid advancements of any other browser as Microsoft has poured massive resources into clawing market share away from Google’s overwhelming dominance (68%). But as discovered Microsoft’s Edge browser, for all of the positives, still has some glaring flaws.
Edge issued 115 requests to 27 domains and as Sampson points out many of them were Microsoft owned domains like msn.com, bing.com, windows.net and msedge.net. He also points out that some were made to 3rd party’s as well like “taboola.com, zemanta.com, bttrack.com, creativecdn.com, liadm.com, akamaized.net, scorecardresearch.com, braze.com (not to be confused with brave.com), doubleclick.net, ml314.com, bluekai.com, and more.”
Sampson makes a point to detail the kinds of data being sent out like “In the first request Edge makes (to settings.data.microsoft.com), I see a 32-bit deviceId. Out of curiosity I deleted Edge, re-installed, and found that an identical ID was generated again. This token is immediately sent to onesettings-windowsservices-tas.msedge.net as a “clientid”. The token is shared with other Microsoft domains, which isn’t very surprising. I was, however, fairly surprised to find that this token was shared with non-Microsoft endpoints too (e.g. app.adjust.com, sdk.iad-01.braze.com).”
He went on to add “As is the case on desktop, Edge for iOS loads its new tab page from http://www.msn.com. Specifically, it loads msn.com/spartan/mmx?locale=en-us&rt=1 in my case. This page then proceeds to connect with numerous third-parties, centered largely around Real-Time Bidding, and auctioning ad-space (and the user’s attention) off to various advertisers. Edge makes regular calls to c.msn.com/c.gif; these requests contain information about the page being accessed, my resolution, language, and more. They also contain timestamps, an activity ID, and a MUID cookie. The server responds by informing the browser to redirect the same information to c.bing.com, pass this data on to another host. A cursory scan of the traffic reveals my MUID cookie value is also sent to third parties like api.taboola.com, ml314.com, and pxl.connexity.net. Note, these are the advertisers who (presumably) won the auction for my attention. As such, this information is likely to be shared with far more entities.”
Sampson point out that “While Edge for iOS ships with AdBlock Plus, the extension is off by default and must be enabled by the user. Upon enabling, the user is informed that they will still see “acceptable ads”. After enabling, I restarted Edge to see if the connections would look any different—they weren’t. I still noticed several calls to sites like doubleclick.net, taboola.com, and more. I would have expected AdBlock Plus to prevent these calls, since they’re third-parties, and known trackers.”
Finally he explains “Edge, like many of the browsers we’ve examined today, also emits pings for each keystroke in the address bar. As I typed “brave”, c.bingapis.com/api/custom/opal/suggestions/web began to fill my network logs; one entry for each letter added to the search term. It’s worth noting the 32-bit deviceId I mentioned at the start is sent with each call to c.bingapis.com as a custom request header.”
Related Reading: Microsoft Edge
Brave’s first request was issued to “data.s3.brave.com/US/photo.json, retrieving information regarding Sponsored Images. The server responded with 524 bytes of JSON containing the current New Tab Page (NTP) sponsor, web addresses for a logo and 3 background images, the sponsor URL, and coordinates for the focal point of each background image.”
After that Brave then “proceeds to download JSON and Rust versions of its internal ad-block list from adblock-data.s3.brave.com/iOS13/. The JSON list is used for ad-blocking functionality, whereas the Rust list is used for recording blocking-statistics (displayed on the new tab page). Browsers which don’t intend to present blocking-statistics need only to load a single blocking list. The final request made by Brave during its first-run is to laptop-updates.brave.com/1/usage/ios for the purpose of anonymously measuring daily and monthly active user numbers. This request carries with it only a few pieces of non-identifying information: channel, version number, the week of installation, and a set of booleans indicating whether this is an initial, daily, weekly, or monthly run.”
Like with the other browsers in this review he typed brave into the address bar to see if keystrokes were unexpectedly being sent. According to Sampson, Brave did not send keystrokes out in real time.
Related Reading: Brave
This is a test of iOS browsers and naturally we cannot leave out Apple’s built in browser Safari. Like I mentioned in the intro, to truly test a first run of Safari, you would have to have a new iPhone and testing using Safari for the first time or reset the iPhone to factory settings. Samspson did not do this in his review of Safari.
- One thing we can observe is what Safari does with keystrokes. Like every browser reviewed (with the exception of Brave), keystrokes are automatically sent to a remote server. While DDG sends them to their own service endpoint, Safari joins the rest of the browsers in sending user keystrokes directly to Google.
- On as fresh an instance as I could create, I typed “brave” into my iPad and recorded the network activity. clients1.google.com/complete/search was queried once per letter-added, with the client being recorded as “iphonesafari”.
- Apple also sent some keystrokes to their own endpoint at api-glb-atl.smoot.apple.com/search, with quite a few more data points. This endpoint appears to make app suggestions. The data sent includes my country, language, type of connection, keyboard layout and language, coordinates, timezone, and query (“brave”, in this case).
Related Reading: Safari
What’s the conclusion?
Sampson concluded with “We covered 7 browsers very briefly today, taking a cursory look at what they do during their first-run on iOS. For those who have read similar reviews in the past, the results may not be all that surprising. Privacy-focused browsers like Brave and DDG maintain strict adherence to transmitting as little information as possible, though DDG’s transmission of keystrokes may come as a surprise to some users. Browsers which ship a heavier New Tab Page tend to introduce quite a few third-party connections. This was the case with Chrome, Firefox, and Microsoft Edge. Edge, however, remains the most active of the set (this is the case on desktop as well), issuing far more requests than all of the other browsers combined, and many to third-parties.”
Sampson concluded with “At Brave, we work very hard to ensure the user is not unintentionally connecting to third parties and transmitting potentially sensitive information in the process. I was very encouraged to see DDG following so closely to that line of thinking as well. Chrome, Firefox, and Edge remain predictably behind in this regard.”
Download Brave for iOS today, and experience a better Web.