Cromite browser was a privacy and security oriented Android browser.

Their latest update was in 21th of May: v148.0.7778.168.

Their commit history also suggest that the browser is slowly being sunset.

To put it into context, the current version of chrome on Android is 150.0.7871.63, released on 30th of June.

  • grue@lemmy.world
    link
    fedilink
    English
    arrow-up
    53
    arrow-down
    6
    ·
    2 days ago

    YSK that every Chromium-based browser is harmful and should be avoided, regardless of how up-to-date it is.

      • grue@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        23 hours ago

        It’s not a “privacy for you right now” thing; it’s a “big picture/health of the Web as a whole” thing. I explained already in other replies.

      • grue@lemmy.world
        link
        fedilink
        English
        arrow-up
        31
        arrow-down
        1
        ·
        2 days ago

        As a GrapheneOS user I’m aware of the developers’ arguments for it, but it has the same problem as every other Chromium browser: Google controls the upstream code, so it’s still going to contribute to Google’s harmful hegemony over web standards.

        It probably is more “secure” than Firefox, though, measured against the GrapheneOS devs’ threat model. But my problem with Chromium is one they don’t even try to address.

        • gedfromgont@piefed.ca
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 days ago

          Going with that argument though, isn’t the whole of GrapheneOS then problematic as Google also controls that upstream code?

          • grue@lemmy.world
            link
            fedilink
            English
            arrow-up
            19
            ·
            edit-2
            2 days ago

            The rest of GrapheneOS doesn’t influence how web developers design websites, or what fingerprinting and other private information the browser allows sites to steal from users.

            It’s not just Manifest V3, either. It’s also the “Web Environment Integrity” API (read: DRM for websites) and “WebMCP” and such. Those are the sorts of monopolistic practices and enshittification you’re supporting and endorsing whenever you use a Chromium-based browser, including Vanadium.

      • 9tr6gyp3@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        7
        ·
        2 days ago

        Please use it over any <insert any non-chromium browser engine here> browser.

        • Ludicrous0251@piefed.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          20 hours ago

          Why? For my threat model? I like having my adbocker in Firefox. I’ll take uBlock blocking ads and trackers every minute of every day over hardening against some exotic exploit I’m never going to encounter.

          No, I’m not taking the “why should I care I have nothing to hide” privacy stance, but the XKCD “4096-bit-encryption-pipe-wrench” stance.

          • 9tr6gyp3@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            2
            ·
            19 hours ago

            GrapheneOS includes our Vanadium subproject providing privacy and security enhanced releases of Chromium. Vanadium is both the user-facing browser included in the OS and the provider of the WebView used by other apps to render web content. The WebView is the browser engine used by nearly all other apps embedding web content or using web technologies for other uses. It’s also used by many minor web browsers not forking Chromium as a whole. These apps using the WebView benefit from a subset of the Vanadium hardening.

            Vanadium was previously primarily focused on security hardening but we plan on adding assorted privacy and usability features. In the near future, we plan to add support for always incognito mode, improved state partitioning, backup/restore and many other features.

            Chromium-based browsers like Vanadium provide the strongest sandbox implementation, leagues ahead of the alternatives. It is much harder to escape from the sandbox and it provides much more than acting as a barrier to compromising the rest of the OS. Site isolation enforces security boundaries around each site using the sandbox by placing each site into an isolated sandbox. It required a huge overhaul of the browser since it has to enforce these rules on all the IPC APIs. Site isolation is important even without a compromise, due to side channels. Browsers without site isolation are very vulnerable to attacks like Spectre. On mobile, due to the lack of memory available to apps, there are different modes for site isolation. Vanadium turns on strict site isolation, matching Chromium on the desktop, along with strict origin isolation.

            Chromium has decent exploit mitigations, unlike the available alternatives. This is improved upon in Vanadium by enabling further mitigations, including those developed upstream but not yet fully enabled due to code size, memory usage or performance. For example, it enables type-based CFI like Chromium on the desktop, uses a stronger SSP configuration, zero initializes variables by default, etc. Some of the mitigations are inherited from the OS itself, which also applies to other browsers, at least if they don’t do things to break them.

            We recommend against trying to achieve browser privacy and security through piling on browser extensions and modifications. Most privacy features for browsers are privacy theater without a clear threat model and these features often reduce privacy by aiding fingerprinting and adding more state shared between sites. Every change you make results in you standing out from the crowd and generally provides more ways to track you. Enumerating badness via content filtering is not a viable approach to achieving decent privacy, just as AntiVirus isn’t a viable way to achieving decent security. These are losing battles, and are at best a stopgap reducing exposure while waiting for real privacy and security features.

            Vanadium will be following the school of thought where hiding the IP address through Tor or a trusted VPN shared between many users is the essential baseline, with the browser partitioning state based on site and mitigating fingerprinting to avoid that being trivially bypassed. The Tor Browser’s approach is the only one with any real potential, however flawed the current implementation may be. This work is currently in a very early stage and it is largely being implemented upstream with the strongest available implementation of state partitioning. Chromium is using Network Isolation Keys to divide up connection pools, caches and other state based on site and this will be the foundation for privacy. Chromium itself aims to prevent tracking through mechanisms other than cookies, greatly narrowing the scope downstream work needs to cover. The focus is currently on research since we don’t see much benefit in deploying bits and pieces of this before everything is ready to come together. At the moment, the only browser with any semblance of privacy is the Tor Browser but there are many ways to bypass the anti-fingerprinting and state partitioning. The Tor Browser’s security is weak which makes the privacy protection weak. The need to avoid diversity (fingerprinting) creates a monoculture for the most interesting targets. This needs to change, especially since Tor itself makes people into much more of a target (both locally and by the exit nodes).

            WebView-based browsers use the hardened Vanadium rendering engine, but they can’t offer as much privacy and control due to being limited to the capabilities supported by the WebView widget. For example, they can’t provide a setting for toggling sensors access because the feature is fairly new and the WebView WebSettings API doesn’t yet include support for it as it does for JavaScript, location, cookies, DOM storage and other older features. For sensors, the Sensors app permission added by GrapheneOS can be toggled off for the browser app as a whole instead. The WebView sandbox also currently runs every instance within the same sandbox and doesn’t support site isolation.

            Avoid Gecko-based browsers like Firefox as they’re currently much more vulnerable to exploitation and inherently add a huge amount of attack surface. Gecko doesn’t have a WebView implementation (GeckoView is not a WebView implementation), so it has to be used alongside the Chromium-based WebView rather than instead of Chromium, which means having the remote attack surface of two separate browser engines instead of only one. Firefox/Gecko also bypass or cripple a fair bit of the upstream and GrapheneOS hardening work for apps. Worst of all, Firefox does not have internal sandboxing on Android. This is despite the fact that Chromium semantic sandbox layer on Android is implemented via the OS isolatedProcess feature, which is a very easy to use boolean property for app service processes to provide strong isolation with only the ability to communicate with the app running them via the standard service API. Even in the desktop version, Firefox’s sandbox is still substantially weaker (especially on Linux) and lacks full support for isolating sites from each other rather than only containing content as a whole. The sandbox has been gradually improving on the desktop but it isn’t happening for their Android browser yet.

            • Ludicrous0251@piefed.zip
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              18 hours ago

              Ooh copy pasta! I don’t have time to pick apart every point, but a few notes:

              Vanadium was previously primarily focused on security hardening but we plan on adding assorted privacy and usability features. In the near future, we plan to add support for always incognito mode, improved state partitioning, backup/restore and many other features.

              This statement dates back to at least 2022. How long do we get to wait for “assorted privacy and usability features”?

              Chromium-based browsers like Vanadium provide the strongest sandbox implementation, leagues ahead of the alternatives.

              Citation needed.

              Worst of all, Firefox does not have internal sandboxing on Android.

              A statement that also dates back to at least 2022. Factually untrue as of Release 147 in January, 2026.

              Firefox isn’t perfect, and Vanadium is absolutely more secure. I’m genuinely happy it’s the WebView implementation on my phone, and I use it in the rare event FF fails me. But for my use case and threat model, Firefox (with Vanadium WebView) blows Vanadium alone out of the water. uBlock makes every website load 10x faster, and I haven’t seen an advertisement in years.

              I would recommend Firefox on Android to everyone I know who isn’t actively being targeted by a three letter agency.

                • TrickDacy@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  5
                  ·
                  1 day ago

                  Yeah and it’s android. I know the whole spiel you want to give me, can we just not do that? You’re opting back into the Google ecosystem in the name of security, and I don’t choose that. Using Firefox is the only current option I have for avoiding using a browser controlled by Google. I’ve read the arguments about sandboxing and all and I don’t find it a compelling reason to use Google’s software when I can avoid it, particularly something as fundamental as a web browser.

        • KSP Atlas@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          1 day ago

          Honestly yeah it’s much more secure, afaik the sandboxing on Firefox and the such is horrible

    • SolacefromSilence@fedia.io
      link
      fedilink
      arrow-up
      4
      ·
      2 days ago

      I came here to joke about my Firefox browser, but I guess it’s not chromium, yay! Any particular phone browsers that you would recommend?

      • gedfromgont@piefed.ca
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 days ago

        In the least use Fennec or better Ironfox. However Ironfox is breaking some websites occasionally or can be just slow loading pages so I have both installed and use them both.

        • TrickDacy@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 day ago

          I used ironFox until recently it started randomly timing out on websites that work fine everywhere else. So I’m back to FF on Android.

          • ScoffingLizard@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 day ago

            FF took privacy out of their policy. At this point, why not just DDG. I also use SearXist, and you can randomize the engine instances used to avoid fingerprinting.

            • TrickDacy@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 day ago

              FF took privacy out of their policy

              Nope, that was just a really silly context-free git diff that people seized on as if it meant something deep. They edited one piece of documentation to have different wording. Privacy is still very much a part of their branding.

              why not just DDG.

              Because that is still using the Chrome engine and thus allowing their monopoly to thrive. The literal only thing you can do to slow/stop Google’s stronghold on the web is to use another browser, not based on Chromium.

      • TrickDacy@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 day ago

        Nothing except a lot of websites are designed to only work well (or at all) on chrome. I use Firefox 99% of the time but occasionally I have to use a shitty website like that so I switch to ungoogled chrome, or ddg browser on android.

        • Ludicrous0251@piefed.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          20 hours ago

          So far I’ve only found one website that doesn’t work when I change the user agent in FF to appear as Chrome. All the rest are just maliciously anti-firefox.

          • khannie@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 day ago

            My national broadcaster doesn’t play videos on either Firefox or Firefox focus unfortunately.

            It’s such a small market share these days they just don’t bother to check or fix it.

      • hexagonwin@lemmy.today
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        2
        ·
        2 days ago

        it’s not that great imo ever since they moved away from fennec (to fenix)

        performance wise it’s very laggy compared to chromium. and the UI is terrible… they recently made it even worse too. plus no customization at all, though that’s also lacking for other browsers