jcs.org
iOS web browser with a focus on security and privacy
1### Endless
2
3An open-source MobileSafari-like web browser for iOS ([wrapping around
4UIWebView](#infrequently-asked-questions)) with a design goal of increased security and privacy.
5
6While this software is open source and you are free to modify it and use
7it on your own devices, redistribution of this software in binary
8form, with or without modification, is not permitted.
9Please see the [LICENSE](https://github.com/jcs/endless/blob/master/LICENSE)
10for redistribution terms.
11
12#### Screenshots
13
14 
15
16#### Basic browser functionality implemented:
17
18- Basics of entering URLs, following redirections, back, forward, cookie
19 storage, HTTP basic authentication
20
21- Multiple tabs with support for `window.open()` and `<a target="_blank">`
22 automatically opening new tab windows, but blocks calls not made via user
23 interaction events (similar to most desktop browser popup blockers)
24
25- Bookmark list with management, re-ordering, and editing
26
27- Custom long-press menu for links to open in a new tab, and to save images
28 to the device; shows image or link alt text (useful for sites like
29 [xkcd](http://xkcd.com/))
30
31- Swipe left and right to go back and forward
32
33- Long-press on back button to show history and quickly go back more than one
34 page
35
36- Search from URL bar with DDG, Google, or Startpage, including optional
37 auto-complete of search queries
38
39- Optional dark/night-time interface
40
41- Full hardware keyboard support for websites that support keyboard shortcuts,
42 as well as global shortcuts for common functions like Command+T for new tab,
43 Command+W to close, Command+L to focus URL field, etc.
44
45##### Security and privacy-focused features implemented:
46
47- Per-host/domain security and privacy settings:
48
49 - Disables SSL 2 and SSL 3 by default with a configurable minimum TLS
50 version to require from the host, such as TLS 1.2-only. Also disables
51 weak TLS ciphers.
52
53 - Configurable security policy:
54
55 - Open (default, normal browsing mode)
56
57 - No after-load connections (blocks XMLHTTPRequest/AJAX requests,
58 WebSockets, and \<video\> and \<audio\> elements)
59
60 - Strict (blocks all of the above plus embedded fonts and Javascript)
61
62 - Blocks mixed-content requests (http elements on an https page) unless
63 disabled (useful for RSS readers), shows broken padlock
64
65 - Blocks pages loaded from non-local networks (i.e., the internet) from
66 trying to load sub-requests (e.g., images, iframes, ajax) from hosts that
67 are on local IPv4 and IPv6 networks such as routers and other insecure
68 devices
69
70 - Defaults to only accepting cookies and local storage for the duration of
71 the session (until the last tab accessing that data closes) but allows
72 persistent storage from configured hosts
73
74 - Blocks WebRTC by default
75
76- Auto-destroys non-whitelisted cookies and local storage (even within the same
77 tab) that has not been accessed by any other tab within a configurable amount
78 of time (defaults to 30 minutes) to improve privacy while browsing within a
79 long-running tab
80
81- Cookie and localStorage database listing and deletion per-host
82
83- Integrated full [HTTPS Everywhere](https://www.eff.org/HTTPS-EVERYWHERE)
84 ruleset to do on-the-fly URL rewriting to force requests over SSL where
85 supported, including setting the secure bit on received cookies and
86 auto-detection of redirection loops
87
88- HTTP Strict Transport Security (RFC6797) implementation (in addition to
89 WebKit's mystery built-in one) with Chromium's large preload list
90
91- Integrated URL blocker with a small included ruleset of behavior-tracking
92 advertising, analytics, and social networking widgets (this list is intended
93 for enhancing privacy and not to be an AdBlock-style comprehensive ad-blocking
94 list)
95
96- Shows locked padlock for fully SSL-encrypted URLs, and a green padlock for
97 sites with EV SSL certs
98
99- Integrated SSL certificate viewer by tapping on padlock icon, highlighting
100 weak SSL certificate signature algorithms and showing per-connection
101 negotiated TLS/SSL protocol version and cipher information
102
103- Optional sending of Do-Not-Track header on all requests
104
105- Disables 3rd party keyboards by default with option to enable
106
107- Integrated [password manager button](https://github.com/AgileBits/onepassword-app-extension)
108 to autofill website logins, passwords, credit card numbers, etc.; requires
109 the 1Password or Bitwarden iOS app to be installed (and is not enabled if not installed)
110
111#### Infrequently Asked Questions
112
1131. Why does this software still use UIWebView instead of the newer WKWebView?
114
115WKWebView was introduced in iOS 8 to replace UIWebView and it brought about a bunch of
116new features that are useful when creating a web browser (Firefox and Chrome for iOS
117both use WKWebView) such as page loading progress callbacks and a newer, faster
118Javascript engine. Unfortunately Apple [removed the ability](https://github.com/brave/browser-ios/issues/96)
119to use a custom NSURLProtocol class, which can intercept each request and response
120between the browser engine and the web server.
121
122This is a critical component to Endless and is how it does things like change TLS
123ciphers, block tracking scripts, and do restrictive CSP header manipulation.