[Update: see below, Kiwi Browser may or may not be spyware.]
I read the most recent FFUpdater changelog and saw that it included Kiwi Browser. Kiwi Browser looks good... It's Chrome-based (faster and less unstable than Firefox), it supports extensions... nope it's spyware.
Search engine spyware/keylogging
Summary: Kiwi Browser ships with fake search engines that masquerade as Yahoo or Bing. They actually send all searches through their own servers, allowing Kiwi's owners to track what each user is searching for.
Not only that, but they also see autocomplete queries, which tell them which URLs they type into the address bar, and what things you type but don't press Enter on. Currently, the Bing and Yahoo search engines use the upstream suggest URLs rather than sending suggestions through the redirector, but I don't know what the default search engine (randomly named Bing or Yahoo) does.
If you install Kiwi Browser, open the app, and wait a few seconds before performing a search, it might go to Bing or Yahoo (randomly chosen). It's a lie.
If you turn on Airplane Mode and perform a different web search, the URL shows kiwisearchservices.com or kiwisearchservices.net, which is disturbing. Kiwi Browser tries to cover its tracks; if you open settings and look at the list of search engines, Kiwi Browser lies to you and claims the default is Bing or Yahoo. It's not, it's a search redirector/keylogger they operate for revenue.
Every time I clear data, the default search engine is randomly chosen out of fake-Bing or fake-Yahoo. The next 2 search engines in the settings are always a second fake Yahoo and a second fake Bing. All Yahoo search engines actually redirect searches through kiwisearchservices.net, and all Bing choices redirect through kiwisearchservices.com.
- Looking at Kiwi's source code, their Bing and Yahoo search entries all point to search.kiwibrowser.org, but this URL is hidden from the user, who cannot add or modify search engines.
- I wonder if this is a trademark violation, and Yahoo/Microsoft can sue.
Sidenote: More odd behavior
Turn on Airplane Mode, clear app data, go into the settings. The search engine is "Default Search", with description "send to the best search engine for the request". Weird.
Breaking adblockers on search result pages
Kiwi Browser advertises itself as one of the few Android browsers supporting extensions, like ad-blockers. But it wants to maximize its revenue stream, which adblockers would harm. So the browser deactivates ad-blocking extensions on search engines (including their own search redirectors). This subterfuge is clearly visible in Kiwi's source code.
In-browser advertising
As a bonus, the latest commit message in that file is:
Add ideas of websites to visit (explore), the goal is to make users spend more time within the browser and visit partners
In other words, shilling their "partners" in the browser.
Conclusion
I do not trust Kiwi Browser with my browsing history and website logins. And neither should the users of FFUpdater. Or anyone on the Play Store, for that matter. I await the day it gets taken down from the store.
I don't know what else the browser does. It's a rather outdated Chrome fork with occasional backported patches and "thousands of files changed" (according to their README). For all I know, they may be stealing cookies and passwords and bank/credit card credentials to resell.
I've archived Kiwi Browser's source code and history (as of today) at https://github.com/nyanpasu64/kiwibrowser, in case they decide to erase the evidence.
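The mismatch this post describes (an entry labelled Bing or Yahoo whose search URL points at a different host, while the suggest URL stays upstream) can be checked mechanically. The following is an added example, not part of the original post or of Kiwi Browser's code; the entry list, URL paths and the `EXPECTED` brand map are constructed assumptions, and only the host names search.kiwibrowser.org and kiwisearchservices.com come from the post.

```python
from urllib.parse import urlsplit

# Assumption: domains each brand is expected to serve search from.
EXPECTED = {
    "bing": ("bing.com",),
    "yahoo": ("yahoo.com",),
}

# Constructed sample entries (display name plus URL templates); paths are illustrative.
ENGINES = [
    {"name": "Bing",
     "search": "https://search.kiwibrowser.org/?q={searchTerms}",
     "suggest": "https://www.bing.com/osjson.aspx?query={searchTerms}"},
    {"name": "Yahoo",
     "search": "https://search.yahoo.com/search?p={searchTerms}",
     "suggest": ""},
    {"name": "Default Search",
     "search": "https://kiwisearchservices.com/search?q={searchTerms}",
     "suggest": ""},
]


def host_of(template):
    """Return the lower-cased host of a search URL template."""
    return (urlsplit(template).hostname or "").lower()


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one.
    The dot-anchored suffix test rejects lookalikes such as bing.com.example.net."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(engines, expected=EXPECTED):
    """Flag entries whose URL host does not match the brand in the display name."""
    findings = []
    for entry in engines:
        domains = expected.get(entry["name"].strip().lower())
        for field in ("search", "suggest"):
            url = entry.get(field) or ""
            if not url:
                continue
            host = host_of(url)
            if domains is None:
                # Name gives no brand to compare against; surface the host anyway.
                findings.append((entry["name"], field, host, "unlisted-brand"))
            elif not belongs_to(host, domains):
                findings.append((entry["name"], field, host, "host-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in audit(ENGINES):
        print(*finding, sep="\t")
```
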