-
-
Notifications
You must be signed in to change notification settings - Fork 193
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated recommended Brave configuration #2561
base: main
Are you sure you want to change the base?
Conversation
…e users about Brave and Google Play Services
✅ Your preview is ready!
|
Please see the following update: https://discuss.privacyguides.net/t/latest-brave-for-android-has-a-hard-dependency-on-google-play-services-microg/18085/30 |
docs/mobile-browsers.md
Outdated
<div class="admonition warning" markdown> | ||
<p class="admonition-title">Warning</p> | ||
|
||
Brave for Android has a hard dependency on Google Play Services, and as a result will not work on [AOSP derivatives](https://www.privacyguides.org/en/android/#aosp-derivatives) without additional tweaks, such as [Sandboxed Google Play](https://grapheneos.org/features#sandboxed-google-play) on GrapheneOS. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is already a merged PR that fixes this regression (you can find it in the forum post I linked here), so this section shouldn't be necessary.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR!
As noted by @redoomed1, we don't want to jump the gun with adding warnings about issues that are ultimately temporary, unless they are long lasting or recurring problems. In this case it was an upstream issue that Brave is fixing.
Other changes LGTM at a glance, I'll check them out on my phone in a bit. Not sure about the safe browsing one. I think there was a previous discussion about the safe browsing setting already, but I'm not sure... I'll look for it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding Safe Browsing on Brave (Android), here are some relevant excerpts and links to documentation:
-
Relevant excerpt
On Android, we use the SafetyNet Safe Browsing API which sends partial URL hashes directly to Google when a URL is determined to be potentially malicious by the list stored locally on your device, as per the Safe Browsing Update API.
-
Brave's official documentation on their implementation of SB
Relevant excerpts
In the "Android" section
Unlike the desktop browser (which downloads and maintains its own lists), the Android version of Brave makes use of a service provided by the operating system. Specifically, it uses the SafetyNet Google Play API and on-device lists that are shared between all of the applications performing Safe Browsing checks. Android devices without Google Play Services are currently unable to enable Safe Browsing in Brave.1
Checking a URL against the local Safe Browsing lists follows the same steps as with the desktop browser, since the SafetyNet API also makes use of the Safe Browsing Update API. The only difference is that any requests from the operating system service to the Safe Browsing server (whether they originate from the Brave application or not) are done directly and do not go through a Brave proxy. This means that your IP address may be seen (and logged) by Google.
-
Developer documentation on the SafetyNet Safe Browsing API (referenced in the previous excerpts)
-
Developer documentation on the Safe Browsing Update API (referenced in Brave's Safe Browsing docs)
Relevant excerpts
The Update API lets your client applications download hashed versions of the Safe Browsing lists for storage in a local database. URLs can then be checked locally. Only if a match is found in the local database does the client need to send a request to the Safe Browsing servers to verify whether the URL is included on the Safe Browsing lists.
In the "Checking URLs" section
At no point does Google learn about the URLs you are examining. Google does learn the hash prefixes of URLs, but the hash prefixes don’t provide much information about the actual URLs.
This is all to say that the footnote under the optional suggestion about Safe Browsing should reference official docs, and offer more clarity about Brave's implementation of SB on specifically Android. I find the current footnote somewhat ambiguous.
I might draft one later if I have some time. See #2561 (comment).
Footnotes
-
Emphasis mine ↩
Co-authored-by: Jonah Aragon <jonah@triplebit.net> Co-authored-by: redoomed1 <161974310+redoomed1@users.noreply.github.com> Signed-off-by: 5-tom <132141431+5-tom@users.noreply.github.com>
Thank you for your changes! I've applied them to the file |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this text different between iOS and Android, or what?
Signed-off-by: Jonah Aragon <jonah@triplebit.net>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As is, LGTM.
Changes proposed in this PR:
Warning about Brave's Google Play Services dependencyUpdated recommended Brave configuration #2561 (comment)Contribution terms (click to expand)
1) I am the sole author of this work. 2) I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. 3) I have disclosed any relevant conflicts of interest in my post. 4) I agree to the Community Code of Conduct.