Can background apps use the same exit node? #458

Open
gamer191 opened this issue May 16, 2024 · 1 comment

@gamer191

Given Onion Browser now uses Orbot, is there a risk that Onion Browser traffic will share the same exit node as background apps? Could that be used to track down specific users?

Also, is there a list of caveats, or did Orbot fix all of them?

@tladesignz
Contributor

In principle, the Tor client creates different circuits (1 circuit is an entry node, a middle node and an exit node) for every request.

With limitations:

  • Depending on the exact circumstances (mostly, how much of the Tor network your client knows, how many of these nodes you can actually reach and what artificial limitations you set by configuration - e.g. forcing certain exit countries), requests to destinations are distributed across the available circuits.

  • Requests to the same destination typically stay on the same circuit or at least on circuits with the same exit node to not destroy any sessions which are bound to IP addresses on the server side.

  • After a certain amount of time (AFAIK in the hours), the Tor client tries to exchange old circuits with new ones.

=> Even when browsing with Onion Browser, you will always use multiple exit nodes for different websites, as long as you didn't manage to limit the Tor client to only one left to use.

=> Since Orbot tunnels all device traffic, the Tor client in Orbot cannot see the difference in origin of the requests it receives. It will treat all requests alike.

In terms of caveats, the same apply as for standard Tor operation on desktop computers.

For the question of how much more traffic is going through Tor when using Orbot compared to using the Tor within Onion Browser:

Compared to tunneling all traffic on desktop computers, it's a lot less: iOS manages lifecycles of apps pretty sharply, so there's not a lot of stuff which is actually allowed to happen in the background.
It's mostly Apple-related traffic: iCloud syncing, push notification syncing.

The rest is typically pretty obvious to the user: background audio streaming, tracking and sharing your location (e.g. with WhatsApp).

Some apps use background data uploads/downloads. When you trigger them explicitly in the app, they might finish in the background. (But that probably breaks and stops when you interrupt it with an Orbot start.)
Some apps do timer-induced background syncing. (That's probably the most obscure thing you won't think about.)

Note: Some iOS system traffic bypasses any VPNs (e.g. captive portal detection for hotel WiFis). That's a design decision made by Apple, which we cannot mitigate against.

For the question of tracking you down:

It depends on the attacker profile: If you have a government actor, who is specifically after you personally, almost nothing can help you. Stop doing anything which might incriminate you or move out of that government's reach.

Is the attacker the exit node itself? In that case, almost all HTTP traffic is TLS encrypted nowadays. So they're not going to learn a lot about your traffic, regardless if it's from multiple apps. They don't even know where it's from. It comes from another Tor node.

Is the attacker 10% of the nodes? Still highly unlikely that they learn anything. The chance of deanonymizing you is pretty small.

Is the attacker 75% of all the nodes? Well, then the chance of traffic correlation is pretty high and the attacker can deanonymize you. However, even though anybody can contribute resources to the Tor network, the Tor Project manages the network to some degree. They are continuously excluding fishy actors from providing nodes. To this day, nobody managed to take over the Tor network to deanonymize users. Not even the most well-funded government agencies.

Does it now make a difference if your background apps send some more traffic over the Tor network when using Orbot, than when using Onion Browser with the built-in Tor? No, I don't think so.
