tor
Tor Browser Mobile: Android, iOS, and Orbot Explained
Tor Browser on mobile — Android, iOS limitations, what Orbot really does, and the OPSEC pitfalls that make mobile Tor riskier than the desktop version.
Official Android builds exist and work — but phones bundle sensors, basebands, and often a SIM tied to your real name; most guides ignore that gap. Before trusting mobile Tor for anything sensitive, know what the apps actually isolate — and what stays exposed.
Tor on Android: The Official Tor Browser for Android
The Tor Project publishes an official Tor Browser for Android. It's the closest mobile equivalent to the desktop version — built on Firefox for Android (Fenix) with the same hardening philosophy: three-hop Tor routing, NoScript integration, fingerprint standardization, and per-session cookie isolation.
Install it from Google Play or download the APK directly from the Tor Project and verify the signature before installing. Don't install from third-party APK sites. As of version 13.5, Tor Browser for Android supports all three bridge types — obfs4, meek, and Snowflake — using the same bridge request workflow as the desktop version.
The Android version doesn't yet support all the security-level granularity of the desktop build, and extension support is limited. For most privacy use cases — reading, accessing .onion services, avoiding surveillance — it's solid. For high-stakes work, a dedicated device running Tor Browser on desktop (or better, Tails OS) remains the stronger option.
Tor on iOS: Onion Browser and Apple's Restrictions
Apple does not allow third-party browsers to use a custom networking stack on iOS. This means a Tor browser on iOS cannot route traffic through Tor the same way Tor Browser for Android does — Apple's sandbox prevents it.
The Tor Project's endorsed option for iOS is Onion Browser, maintained by Mike Tigas and endorsed (not built) by the Tor Project. Onion Browser routes traffic through Tor, but it runs in a more constrained environment than the Android version. Notably:
- Some WebRTC leaks are possible in certain configurations (the Onion Browser documentation covers mitigations)
- iOS background app refresh can interfere with the Tor circuit
- Apple's App Store review process means the app is subject to Apple's gatekeeping
Onion Browser is usable for casual Tor browsing on iOS. We don't recommend it for high-risk work. If you need serious anonymity on a mobile device, Android gives you meaningfully more control — and a dedicated device running stock Android with Tor Browser for Android is the floor, not the ceiling.
The EFF's guide to using Tor on mobile covers Onion Browser configuration in detail.
Orbot: What It Actually Does (and Doesn't)
Orbot is a Tor proxy app for Android maintained by the Guardian Project. It routes your device's traffic through Tor at the system level — not just inside a single browser. When combined with other apps configured to use Orbot as a SOCKS proxy, it can route those apps' traffic through Tor.
What Orbot is useful for:
- Routing specific apps (like Signal) through Tor if those apps support a SOCKS proxy
- Providing a system-level Tor connection for apps on rooted devices
- Functioning as a bridge to other Tor-aware tools
What Orbot is not:
- A replacement for Tor Browser. Orbot alone does not harden your browser against fingerprinting, doesn't manage cookies, and doesn't apply Tor Browser's JavaScript security controls.
- A full-device anonymizer. Most apps on your phone — including your dialer, SMS app, and background services — will not respect the SOCKS proxy even with Orbot running.
If you want to use both Tor Browser for Android and Orbot, they can run simultaneously — Orbot won't interfere with Tor Browser's own routing. But don't assume Orbot provides Tor Browser-level protection to everything on the phone. It doesn't.
Mobile OPSEC Pitfalls
This is the section that matters most. Tor on mobile protects your network traffic. It doesn't address the much larger attack surface that smartphones represent.
Device identifiers. Your phone has an IMEI number tied to hardware, an advertising ID, and (if SIM-active) a phone number linked to your real identity. Network traffic through Tor is anonymized; the device itself is not. Apps that access device identifiers — which is most apps — can link Tor-anonymized traffic to a real person through out-of-band signals.
Push notifications. iOS and Android push notifications route through Apple's APNs and Google's FCM respectively. These services log notification delivery to your device ID. An app that sends push notifications to your phone creates an association between your real device and the app's server — outside the Tor circuit entirely.
App trackers and sensors. Most apps use third-party analytics SDKs (Amplitude, Firebase, Adjust) that fingerprint devices using accelerometer readings, screen resolution, and battery level. These signals can persist across sessions and across apps. Tor Browser for Android doesn't intercept these — it's sandboxed to browser traffic.
Account leakage. If you're logged into Google on the same Android device where you run Tor Browser for Android, Google-powered services (including Play Store background sync) have your real identity. Compartmentalization matters: a separate device or a separate Android profile without Google services limits this exposure.
SIM-active devices. If your phone has an active SIM, your carrier knows your physical location via cell tower triangulation — regardless of whether Tor is running. This is a distinct threat from IP-level identification, and Tor doesn't address it.
Threat Model: Mobile-Specific
Mobile Tor's threat model is narrower than desktop Tor's. It protects network-layer traffic from your ISP and from the sites you visit. It doesn't protect your device's ambient data collection, your carrier's location records, or cross-app identity leakage.
Use mobile Tor when:
- You need to access a .onion service from a phone in a situation where carrying a laptop isn't practical
- You're on an untrusted Wi-Fi network and want to prevent the network operator from seeing your traffic
- Your threat model is ISP-level or site-level surveillance, not device-level forensics
Don't rely on mobile Tor when:
- Your threat model includes physical device seizure — both iOS and Android have forensics tools that extract data from locked phones
- You're using apps that phone home through push notifications or sensor-based fingerprinting
- You need the same anonymity guarantees as desktop Tor Browser
For high-risk work where anonymity actually matters, a dedicated laptop running Tor Browser with Tails OS is the appropriate tool. Mobile is a convenience option with a constrained threat model — treat it that way.
Frequently Asked Questions
Is Tor Browser for Android as safe as the desktop version?
Close, but not equivalent. The Android version applies Tor routing, NoScript, and per-session isolation. It doesn't match every desktop hardening feature, and Android's app sandbox introduces additional constraints. For casual privacy use, it's solid. For high-stakes work, desktop Tor Browser — or better, Tails — remains the stronger choice.
Does Orbot protect all apps on my Android phone?
No. Orbot provides a SOCKS proxy that apps must be explicitly configured to use. Most apps don't support or respect SOCKS proxies. Apps running as background services, apps using push notifications, and the system dialer all operate outside Orbot's protection.
Can I use Tor Browser for Android without Google Play Services?
Yes. Download the APK directly from torproject.org, verify the PGP signature, and install manually. Tor Browser for Android doesn't require Google Play Services to function. This is one way to limit Google's visibility into the app while using it.
Is Onion Browser on iOS endorsed by the Tor Project?
Yes, it's endorsed — not built. The Tor Project lists Onion Browser as the recommended iOS option and links to it from their download page. Mike Tigas maintains the project. Endorsement means the Tor Project believes it's the best available iOS option, not that it provides desktop-equivalent Tor Browser guarantees.
Related guides
- How to install Tor Browser on desktop — full setup guide with verified download
- Common Tor mistakes that break anonymity — errors that apply on mobile too
- Tails OS guide — amnesic operating system for higher-risk work