Get the top HN stories in your inbox every day.
commoner
undefined
paulryanrogers
FWIW you can install outside AMO. They must just be signed and reviewed by AMO first. Having done it I wouldn't say it isn't onerous.
commoner
How would you install outside AMO on Android? When I click on a link to any .xpi file (signed or not), or navigate to its URL, Firefox just prompts me to download the file with no option to install the add-on. Unlike v68 and earlier, the current version of Firefox for Android (any channel) doesn't offer an action to open the .xpi in Firefox when I open it from my file manager. It doesn't seem to matter whether I have "xpinstall.signatures.enabled" disabled or not.
The other part of the issue is that I don't think I should have to ask Mozilla for permission to use a private add-on in Firefox on my own device, or show Mozilla the source code to the add-on before I can install it. What I do in a web browser on my device is not really Mozilla's business. Mozilla lists privacy as Principle 4 in its manifesto, so I think they should be able to understand this reasoning:
> Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.
paulryanrogers
Sad to hear it may have changed. I used to host my XPI and use a content type header to get it installed from my website.
_abox
Still that would leave one of my favourite add-ons out :( (the bypass paywalls one). Mozilla has refused it in their store. Would love to have that one on mobile.
commoner
You're in luck, since a more frequently updated fork called Bypass Paywalls Clean is available at addons.mozilla.org:
- Add-on: https://addons.mozilla.org/en-US/firefox/addon/bypass-paywal...
- Source: https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clea...
It's included in Iceraven's default add-on collection.
asimops
If you are rooted, you can also force your own add-ons into stable firefox like so:
USER=16201230
COLLECTION=What-I-want-on-Fenix
cd /data/data/org.mozilla.mozilla.firefox/files
curl -o mozilla_components_addon_collection_*.json "https://addons.mozilla.org/api/v4/accounts/account/$USER/collections/$COLLECTION/addons/?page_size=50&sort=-added"
touch -a -m -t 203012300130.00 mozilla_components_addon_collection_*.json
nathan_phoenix
Tested just now and can confirm that it works. You don't even need root if you are using lineageOS, just enable the root debug shell in android settings.
Thank you!
undefined
tadfisher
You can do this without root in Firefox Nightly, just tap the logo seven times in the About screen.
speedgoose
Wait, the sacrifice of the virgin goat was unnecessary?
undefined
toastal
Fennec exists and its already on the F-Droid. Goals are different but probably close enough.
The biggest thing I miss is full add-on support. Not having CleanURLs and an AMP redirector suck despite add-ons existing for desktop that don't really need a mobile UI.
mod50ack
I use Fennec and both those extensions.
https://blog.dbmiller.org/2021-08-19-using-fennec-or-mull-fo...
Fennec is also great because it doesn't include Mozilla's sponsored stuff as well.
ARandomerDude
What are HN's thoughts about the security of F-Droid? I always see neat app ideas like the one in the parent comment, but I've been afraid of what I don't know security wise.
dvdkon
Everything being built centrally and transparently by an established group puts it leagues ahead of any other app store in my mind. Installing other people's software will always be a potential security problem, but that is unavoidable now.
dTal
As trustworthy as any Linux distro repository. Which is to say, everything built from public sources, and much of it patched and audited. I'm very grateful for F-Droid.
causality0
It's a poor idea to blindly assume anything you're capable of installing must be fine. That's been true for thirty years, whether you're talking about F-Droid, the Play Store, or Windows 98 and a downloaded executable. I had no problem taking a few minutes to think about what I was doing back then and I still don't.
NotPractical
One of the important Android security features is the signature enforcement model. All Android apps must be signed, and the OS will refuse to install updates to an app if the signature doesn't match the currently installed version. [1] On the Play Store, apps are signed by each individual developer. Consequently, as long as the APK file distributed by the Play Store was not compromised at the time of initial install, this security feature guarantees that any updates distributed through the Play Store are coming directly from the app developer and have not been modified by Google or any other party. (Play Store, Play Services and the other system-level Google apps have a wide array of scary permissions, so you should assume it's still possible through some convoluted "backdoor" method. That's a separate discussion, though.) You can also check the signature of any app on your phone manually using a tool like Checkey [2], or by extracting the APK file and using apksigner from the Android SDK.
F-Droid sort of breaks the signature enforcement model because apps on F-Droid are signed by the F-Droid server, rather than the individual app developers.
If you trust the app developer (as you should, especially with proprietary software, but also with complex/harder-to-audit open source software like web browsers), the "developers sign their own apps" model is probably ideal. Android's strict sandbox and permission model reduces the amount of trust you need to place in individual developers anyway.
On the other hand, if you trust F-Droid, you can be reasonably confident that the APK file you receive from F-Droid corresponds to the source tarball from F-Droid, and you can inspect the source to verify that the APK doesn't contain malware. Additionally, the F-Droid team manually reviews the source code for each app before approving it. But keep in mind that if F-Droid were compromised, it would be easy to sneak malware into any app on the store.
Overall, I would trust F-Droid for most purposes and think it's probably a better place to install apps than the Play Store. I still prefer APK files signed directly by the original developer for critical apps like Signal. In fact, one of the reasons Signal isn't on F-Droid is because the developer doesn't believe it provides enough security. [3] You can download the Signal APK from their website rather than from the Play Store, and it even has an auto-updater built in.
[1] https://source.android.com/security/apksigning
[2] https://guardianproject.info/apps/info.guardianproject.check...
[3] https://github.com/signalapp/Signal-Android/issues/281#issue...
NotPractical
Indeed. I wonder why Mozilla insists on making it as difficult as possible to sideload extensions on Firefox for Android. I understand compatibility concerns, but surely requiring the user to enable a hidden menu option and click through a warning screen is adequate?
asimops
For half of what CleanURLs does, you can use uBlock Origin. It has a filterlist that removes tracking parameters, etc. It will not however clean links on copy.
gruez
>It has a filterlist that removes tracking parameters, etc.
Which filter list is this? I didn't realize ublock has link rewriting functionality.
asimops
It's AdGuard URL Tracking Protection under privacy. This uses https://github.com/uBlockOrigin/uBlock-issues/issues/1356
worble
If you're on Fennec you can already use a custom addon collection where you can add anything you want.
brnt
I use Fennec but have no idea what a 'custom addon collection' is. I'd like to install one particular addon thats currently not available.
input_sh
The way supported add-ons work right now is that there's a list (AKA a collection) of supported add-ons maintained by Mozilla that you see on a phone by default.
You can create a custom collection on a desktop and then override that Mozilla's collection within mobile Firefox's settings: https://blog.mozilla.org/addons/2020/09/29/expanded-extensio...
You can install any add-on available on the desktop like that, but your mileage may vary of course.
donio
Yep, I use this to get vimium-FF on Fennec. It's a little fiddly to setup but it's just another item on the long list of tweaks to make Android tolerable.
jsmith99
If you just want extension support without a whitelist, Firefox Nightly for Android lets you supply a custom list of extensions (called an AMO) which you can add any extension to.
https://blog.mozilla.org/addons/2020/09/29/expanded-extensio...
gkoberger
Small nitpick, but AMO is just our internal acronym for addons.mozilla.org, which is where all the extensions come from!
jaynetics
Yeah, just do these 5 steps in FF, then register at that website, and do a bunch of steps there for every single extension you want to install.
Or rather, if you just want extension support, don't use FF. (I for one am very happy with Kiwi. OP fork also sounds nice.)
jsmith99
It's a bit inconvenient but you only need to do it once. I like Kiwi as well and it seems to get frequent updates now, at least as github releases (play store version is updated less often).
brnt
No, I'll forever need to register my Firefoxes on mobile, and fight any 'inadvertent' changes that store personal data in the future.
I prefer my software stateless, having me register accounts adds work and seems to me to be at best a silly workaround.
asimops
The question is, why I would want to install a nightly just for add-ons? To my knowledge you f.e. need an add-on to block a specific cookie, because FF Android doesn't have this option... The question is when/if the product manager at Mozilla will realize the state of the browser at some point :/ I can just say that as far as I am concerned, the only thing that is keeping me with FF Android is the vendor lock-in with FF Sync.
mod50ack
Yeah, this is dumb as hell. Thankfully, Fennec F-Droid enables it for stable builds.
m4rtink
Thats a lot of fragile manual steps, not to mention needing a user account and being dependent on Mozilla infra. Hardly straightforward + not to mention addons on Android Firefox overall still barely working in the new Android version, with no visible progress to fix that.
brnt
So now I need to create accounts and lists, where I really just wanted one particular add-on. Its a workaround at best.
joecool1029
You can also use Iceraven's custom extension collection on firefox nightly.
userid: 16201230
name: What-I-want-on-Fenix
JeremyNT
I loved this idea, but it doesn't seem to work for me. I can browse a long list of extensions at this collection on the web [0], but FF Nightly only shows a small subset of them.
Is this a pagination issue or something?
[0] https://addons.mozilla.org/en-US/firefox/collections/1620123...
colordrops
I've gone the opposite direction and installed Firefox Focus.
I found myself accumulating 100s of tabs that I would supposedly get back to, and it was causing anxiety. Firefox focus is ephemeral and your tabs will disappear. It doesn't permanently store cookies. It has a built in ad blocker. It's perfect to keep me "focused" on the task at hand.
donio
Firefox on Android has an option to auto-close tabs after a while, I have that set to "close after a day" to keep things tidy.
lelandfe
For Safari iOS: Settings > Safari > Close Tabs > After One Day/Week/Month
user_7832
The repeated "accept cookies" pop ups are what make me switch back every time I use FF though. Is there any fix for it?
dendrite9
I use incognito for most browsing, every so often I lose my tabs. And it is ok. If I care, and remember the site, I'll open it normally and make a bookmark. If not it isn't the end of the world.
I keep about 20 tabs open in normal browsing for easy reference. Incognito for most browsing. And Firefox Focus for even more ephemeral stuff, copied links I don't want to touch my other browsing, and screenshots. It sounds a little crazy to write it out, but it works for me.
jillesvangurp
Tabs, collections, bookmarks, and top sites UX is really messed up on Firefox Mobile.
There's this home screen that is central in the UX that lists top sites and collections and that is the primary way to open things you frequently access. If you have zero tabs or open firefox mobile, that's the screen you see first.
However, I stopped using collections because they somehow got it in their heads that the user wants to add a specific, cached version in time of a website. So I add HN to a collection and then access it and I get a 3 month old version of HN because that's when I added it. That probably makes as much sense to me as it does to you. You can reload the page as "fix". Collections are not bookmark folders. They are not synced as part of your bookmarks. They are not accessible on desktop. They are mobile only. They are completely useless as far as I'm concerned. If you make the mistake of using them, get used to stale content or obsessively refresh every tab manually right after you open it. Seriously WTF?!
Because they have that broken/half assed collection concept in the UX, bookmarks are not very prominent and accessing them is unnecessarily hard. Bookmarks are actually synced and you can access your desktop bookmarks that way. But you have to dive deep into a menu to access them and adding new bookmarks is basically not supported: you can't "star" them like you would on the desktop version. There is no option to add a bookmark for the website you are looking at that is obvious to me other than actually going to the bookmark manager and creating a bookmark by manually copy/pasting the url from the url bar.
As an alternative you can add websites to "top sites", which are not bookmarks (why?!), which is not part of a collection, and which are also not synced. But at least they show you the current version of a web site. Conceptually it's kind of exactly the same as the bookmark toolbar in the desktop version. If you click a top site, it opens a new tab. Always. This is annoying.
I still use it because I like having a working ad blocker and at least some basic protection against google tracking everything I do. But the UX is not a selling point right now. I've used a lot of browsers and mobile browsers over the years and this is probably the worst one in terms of bookmarks, which is a basic feature that even Mosaic had back in the day.
Simple obvious fix: Deprecate collections and replace them with bookmark folders. Implement starring/bookmarking (how is that not a thing?). Make top sites just another bookmark folder (just like the desktop bookmark toolbar). Make collections sub folders of those. It all syncs. It all works.
That also opens the door to supporting firefox containers, which I love and use all the time on desktop. I'd love to have full access to that on mobile.
legacynl
> but you have to dive deep into a menu to access them and adding new bookmarks is basically not supported: you can't "star" them like you would on the desktop version.
Are you sure you're on the latest version? I'm on the latest version, and when I press the 3 dots next to the URL bar, I can 'star' it (create a bookmark) from there, bookmarks are shown on the firefox-'homescreen'
_rdvw
I maintain the Mull fork and also help maintain Fennec F-Droid. (Currently compiling 96.1.0 as I type this).
Both are fully compiled from source and available on F-Droid.
I personally cannot recommend Iceraven as it is consistently behind updates, something you don't want for a browser.
undefined
nick__m
About a year ago, I used to use Iceraven but I switched back to FF nightly when support for custom addons list was added back.
Even though I like the project, I consider that it's what FF for Android should have been, I returned to FF because nowadays a browser needs frequent security updates and Iceraven is not staffed to have frequent releases.
LanternLight83
It's a shame that this is the case for 99% of alternative browsers and forks. Sometimes I think the only solution would be to embrace something like Gopher, where hostile sites aren't feasible and browsers are free to diversify without constant maintenance.
causality0
If I can have a genuine user agent switcher I'll throw you a damn parade.
bordercontrol
That's possible. Install Firefox Nightly, create a custom addon collection on the Firefox addon site, add an user agent switcher to the collection, add the collection to Firefox Nightly. You now owe me a parade.
jeroenhd
There are two addons in the fork's whitelist that allow you to change the UA.
xanaxagoras
Does "more add-ons" mean it's still a whitelist? I'm trying to find a mobile browser I can use floccus with. So far I've only been able to find Kiwi which is not privacy oriented.
mmwelt
Iceraven also has an option to prevent frequent tab reloading[1], a problem that many users of Firefox have on Android[2].
[1] https://github.com/fork-maintainers/iceraven-browser/issues/...
igorstellar
Perhaps offtop, Is there at least 1 browser for Android that supports per-page zoom? Safari does it on iOS with a super simple setting, but the only way to increase font size in ANY of Android browsers is to increase scale in Accessibility which will break some websites with larger fonts. I feel like this is super basic feature that I can't find.
Get the top HN stories in your inbox every day.
Since Mozilla isn't willing to allow more than 18 pre-selected add-ons on the release and beta channels of Firefox for Android, forks like Iceraven fulfill an unmet need for users who want access to more add-ons, but don't want the occasional instability of the nightly channel.
One thing that is still missing from Iceraven, Mull, etc. is the ability to sideload add-ons that are not published on addons.mozilla.org. Currently, anyone who wants to use a private Firefox add-on that is not suitable to be published on AMO must install v68 of Firefox or v68 of a fork like Fennec F-Droid.
Edit: In one of the Iceraven issues on GitHub (https://github.com/fork-maintainers/iceraven-browser/issues/...), someone recommended a Firefox for Android fork called SmartCookieWeb-Preview for sideloading .xpi add-on files into Firefox from arbitrary URLs: https://github.com/CookieJarApps/SmartCookieWeb-Preview/. The preview app is not available on F-Droid yet, but I'm going to try it out.
Edit 2: It worked in SmartCookieWeb-Preview. I had to go into about:config and set "xpinstall.signatures.required" to "false" before sideloading the add-on in the settings (Advanced settings > Sideload XPI). I hope this app makes it into F-Droid soon.