WebRTC IP leak

[kravietz]

DDG Android app apparently uses Chrome as underlying rendering engine and as result it's susceptible to WebRTC internal IP leaking even if behind a proxy or VPN. This can be easily tested by browsing from DDG app to ipleak.net.

[subsymbolic]

Thanks for logging this @kravietz, we'll investigate ways to fix this.

[ghost]

Or more simple, with this website:
https://ip.voidsec.com/

[aitorvs]

Internal task for visibility/reference https://app.asana.com/0/276630244458377/1134874424977657/f

[cmonfortep]

We looked into this and we hoped we could implement a permissions callback to stop this leak, but the permissions callback isn't triggered for obtaining the IP address (just for audio / video access)

Sadly, there's still no obvious way of preventing this while we continue to rely on WebView. We have no plans to migrate from webview, so we are closing this issue.

[David-dp-]

Is DDG/Android supposed to support WebRTC at all? When I try https://webrtc.github.io/samples/src/content/getusermedia/gum/ , clicking the "Open camera" button triggers a notification that an attempt by Google to track me was blocked, but I don't get a getUserMedia dialog like I do with other mobile browsers.
When I try with my own page, I find that DDG has navigator.mediaDevices.getUserMedia but it seems not to return a Promise because none of my .then, .catch, nor .finally are invoked. This defeats the usual way of letting the user know that the browser doesn't support a feature; it seems the developer might be forced into searching navigator.userAgent for DDG in order to help the user understand what's going on.