Bug found in Tor Browser for Android

Hello,

I think that I’ve found a bug within Tor Browser for Android. When I visited Disroot’s SearXNG instance, I noticed that the language was automatically set to en-IN (English-India), and that SearXNG automatically showed me Indian websites (I live in India). This was strange considering that I had not set any such preference earlier or provided any information that I was from India.

I initially assumed this must’ve happened because the exit relay for my connection might have been based in India, so I decided to check the location of the exit node I was using on various IP-checking websites. Interestingly, it showed that my exit relay was based in Luxembourg, not India. So I then forgot about this issue and later remembered it when I was messing around with my phone’s system language settings.

I then thought it might have something to do with my device language. So, I tested this by changing my device language to various other languages, and sure enough, the SearXNG instance was able to detect it. I think (I’m not sure) that this might potentially be a bug that could expose the country of the user in question. Please correct me if I’m wrong or if I’m being an idiot here, as I’m a noob when it comes to things like this.

I’ll provide some details regarding my OS, device, tor version, etc., below:

OS: Android 14, close to stock Android (Stock ROM)
Device: Moto g34
Tor version: 13.0.14
Steps to reproduce: Go to a SearXNG instance, click on settings, and see if the device language matches the language shown by the engine
Tor Browser security level: Standard
Region I’m connecting from: India
Is Tor censored in my country: no

I’m only reporting this issue because I’m concerned about search engines like Google and Bing using this info to partially fingerprint users.

Again, please tell me if I’m wrong or being an idiot here.

Thank you.

2 Likes

Hi

So the first thing to do is check what you are reporting via JS (which will match what you are requesting in headers)

  • visit TZP
  • scroll down to the fourth section named region
  • you will see something like this
  • apologies that it’s so tiny on a phone … just pinch to zoom, and ignore any and all red warning notations on the entire test (my Tor Browser JS detection has been broken on Android since TB13, so it’s not applying TB specific checks)

So there are two things here

  • language(s) which are also reflected in accept headers
  • locale

What do you report as?

2 Likes

Hi!
Yes, we have a patch to remove the regional part from locales, but it might be broken.

In addition to what @thorin already said, could you please check in a site like myhttpheader.com what’s the value of Accept-Language for you? (It should match what you see in TZP, and possibly not contain en-IN, but en, or en-US).

2 Likes

it should match what you see in TZP

it should always match languages and order but with q=0.x weightings. It certainly does on desktops - I tested them all because I am thorough :space_invader:

So my phone language is en-US. Going into settings and changing app language to fr (without a forced or prompted restart) this is what I get - so that’s definitely one problem

I’ll test later on with a restart

2 Likes
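
The comparison requested in the replies above (the `Accept-Language` header against the language list reported through JS, same languages and order, with region subtags flagged), as an added example that is not part of the original posts or Tor Browser's code. The function names are hypothetical, the sample header is constructed, and treating `en-US` as the non-identifying baseline is an assumption taken from the reply above.

```javascript
// Parse "en-IN,en-US;q=0.7,en;q=0.3" into tags ordered by preference.
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part, index) => {
      const [rawTag, ...params] = part.trim().split(";");
      let q = 1.0; // a missing q parameter means weight 1
      for (const p of params) {
        const m = /^\s*q=([01](?:\.\d{0,3})?)\s*$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: rawTag.trim(), q, index };
    })
    .filter((e) => e.tag !== "" && e.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map((e) => e.tag);
}

// Region subtag of a BCP 47 tag ("IN" for "en-IN"), or null if none.
function regionOf(tag) {
  try {
    return new Intl.Locale(tag).region ?? null;
  } catch {
    return null; // "*" or a malformed tag
  }
}

// Compare header and JS-reported languages; list tags exposing a region.
// Assumption: en-US is the expected baseline, so only other regions are flagged.
function auditLanguages(acceptLanguage, jsLanguages) {
  const header = parseAcceptLanguage(acceptLanguage);
  const sameOrder =
    header.length === jsLanguages.length &&
    header.every((t, i) => t.toLowerCase() === jsLanguages[i].toLowerCase());
  const regional = [...new Set([...header, ...jsLanguages])].filter((t) => {
    const region = regionOf(t);
    return region !== null && region !== "US";
  });
  return { header, sameOrder, regional };
}

// Constructed sample: a device set to English (India).
const sample = auditLanguages("en-IN,en-US;q=0.7,en;q=0.3", ["en-IN", "en-US", "en"]);
console.log(sample); // regional lists the tags that reveal a country
```

In a browser, pass `Array.from(navigator.languages)` as the second argument and the header value shown by a header-echo page as the first.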

a quit and even a force stop didn’t do anything

@TorOps in one of your bad results on searX … what is your language in Settings > Language

    1. is the Request English versions ... on (circle slid to right) or off (circle slid to left)
    2. what in the list of languages has a check mark - both lines (i.e. does it say Follow device language)
  • test on TZP and tell us the results

2 Likes

Hi,

Apologies for the late response, I was busy for the last few days.

Anyways, I’ve tested on TZP and here are the results:


And Thorin, the request English versions slider is off, i.e., circle slid to the left, and in the list of languages, it says follow device language. Also, none of the languages in the list have a check mark next to them.

I hope this can be fixed soon! :slight_smile:

Thanking you,

TorOps

1 Like

that’s weird

Unfortunately I do not have a non en-US phone. And there are several things going on, which may differ a little on mobile. Request English doesn’t behave the same when the original locale/language starts with en (such as en-IN, en-CA, en-GB). But the fact that the locale says en-US tells me things. Second is that this is not changing the languages to match the “request english” locale - i.e. the bug I filed

One thing you could do is open about:config, search for intl and reset intl.accept_languages - but I don’t know exactly what state it is in (modified) - it probably thinks en-IN, en-US, en is correct, which is at least one of the issues

2 Likes

Hi,

I wanted to try this:

So I tried going to about:config and yeah… It didn’t load. It just shows a blank screen.

1 Like

@TorOps I created the issue “Restrict the accepted languages to the ones whose localization is available” (#42562, The Tor Project / Applications / Tor Browser on GitLab). We’re going to solve it ASAP.
Thanks for your report.

3 Likes

So I tried going to about:config and yeah… It didn’t load. It just shows a blank screen

Hmm, you’re right - I thought we bypassed that lock - so for followup I opened the issue “TBA stable doesn't allow about:config” (#42564, The Tor Project / Applications / Tor Browser on GitLab)

2 Likes