Kiwi Browser intercepts search queries through their own servers

[nyanpasu64]

[Update: see below, Kiwi Browser may or may not be spyware.]

I read the most recent FFUpdater changelog and saw that it included Kiwi Browser. Kiwi Browser looks good... It's Chrome-based (faster and less unstable than Firefox), it supports extensions... nope it's spyware.

Search engine spyware/keylogging

Summary: Kiwi Browser ships with fake search engines that masquerade as Yahoo or Bing. They actually send all searches through their own servers, allowing Kiwi's owners to track what each user is searching for.

Not only that, but they also see autocomplete queries, which tell them which URLs they type into the address bar, and what things you type but don't press Enter on. Currently, the Bing and Yahoo search engines use the upstream suggest URLs rather than sending suggestions through the redirector, but I don't know what the the default search engine (randomly named Bing or Yahoo) does.

---

If you install Kiwi Browser, open the app, and wait a few seconds before performing a search, it might go to Bing or Yahoo (randomly chosen). It's a lie.

If you turn on Airplane Mode and perform a different web search, the URL shows kiwisearchservices.com or kiwisearchservices.net, which is disturbing. Kiwi Browser tries to cover its tracks; if you open settings and look at the list of search engines, Kiwi Browser lies to you and claims the default is Bing or Yahoo. It's not, it's a search redirector/keylogger they operate for revenue.

Every time I clear data, the default search engine is randomly chosen out of fake-Bing or fake-Yahoo. The next 2 search engines in the settings are always a second fake Yahoo and a second fake Bing. All Yahoo search engines actually redirect searches through kiwisearchservices.net, and all Bing choices redirects through kiwisearchservices.com.

• Looking at Kiwi's source code, their Bing and Yahoo search entries all point to search.kiwibrowser.org, but this URL is hidden from the user, who cannot add or modify search engines.
• I wonder if this is a trademark violation, and Yahoo/Microsoft can sue.

Sidenote: More odd behavior

Turn on Airplane Mode, clear app data, go into the settings. The search engine is "Default Search", with description "send to the best search engine for the request". Weird.

• Comparing Kiwi's source code with upstream Chrome's source code, "Default Search" is just a rebranded Google Search, without spyware (yet).

Breaking adblockers on search result pages

Kiwi Browser advertises itself as one of the few Android browsers supporting extensions, like ad-blockers. But it wants to maximize its revenue stream, which adblockers would harm. So the browser deactivates ad-blocking extensions on search engines (including their own search redirectors). This subterfuge is clearly visible in Kiwi's source code.

In-browser advertising

As a bonus, the latest commit message in that file is:

Add ideas of websites to visit (explore), the goal is to make users spend more time within the browser and visit partners

In other words, shilling their "partners" in the browser.

Conclusion

I do not trust Kiwi Browser with my browsing history and website logins. And neither should the users of FFUpdater. Or anyone on the Play Store, for that matter. I await the day it gets taken down from the store.

---

I don't know what else the browser does. It's a rather outdated Chrome fork with occasional backported patches and "thousands of files changed" (according to their README). For all I know, they may be stealing cookies and passwords and bank/credit card credentials to resell.

I've archived Kiwi Browser's source code and history (as of today) at https://github.com/nyanpasu64/kiwibrowser, in case they decide to erase the evidence.

[Tobi823]

Thanks for the fast report.

hey actually send all searches through their own servers, allowing Kiwi's owners to track what each user is searching for.

I can't verify that BUT the URL is VERY suspicious. It contains as GET-Parameter:

• my real IPv4-Address (I replaced it here with 255.255.255.255)
• a unique ID
• version of Chrome
• Android OS

de.search.yahoo.com/yhs/search?hspart=dcola&hsimp=yhs-019&type=gsp_kiwi_00_00_ssg06&param1=1&param2=cat%3Dweb%26sesid%3Dfce7115c3664dc731c84b01653cfc5f8%26ip%3D255.255.255.255%26b%3DChrome%20Mobile%26bv%3D88.0.4324.152%26os%3DAndroid-8.1-Oreo%26os_ver%3D8.1%26pa%3Dgencoll20%26sid%3Dc0002c9c2b110778941070974a25f44a%26abid%3D%26abg%3D%26a%3Dgsp_kiwi_00_00_ssg06%26sdk_ver%3D%26cd%3D%26cr%3D%26uid%3D%26uref%3D&p=berlin

If you turn on Airplane Mode and perform a different web search, the URL shows kiwisearchservices.com or kiwisearchservices.net, which is disturbing.

I can verify that

[Tobi823]

I'm going to remove Kiwi as fast as possible from FFUpdater

[Tobi823]

I've removed Kiwi from FFUpdater and triggered a new release for F-Droid. But it takes some time until the new version is available on F-Droid

[Tobi823]

https://github.com/kiwibrowser/src/issues/352

[kiwibrowser]

I've answered in the Kiwi Browser thread, we get paid by search engines to set them as default search option (to help gain marketshare).
It's just the redirect to Yahoo or Microsoft Bing, that's how Microsoft knows they have to pay us for the searches we bring them.

Otherwise they wouldn't know, and they wouldn't pay us.

[Tobi823]

My response in the Kiwi Browser thread:

Thanks for your fast response and explanation.

Although i don't like it, i understand that the money for the app development has to come from somewhere (even Firefox is paid to use "Google" as the default search engine).

Maybe add a note about this behaviour to the README.md for the next curious computer science student :)

[Tobi823]

I think that Kiwi should not be managed by FFUpdater because this browser has additional usability features and no additional privacy features.

And FFUpdater is about privacy and not usability.

[Tobi823]

F-Droid users can use the Aurora-Store to download and install the Kiwi Browser.

[57382]

Malicious
https://www.virustotal.com/gui/url/d1a0b92c95e8ae1ac145feb8b6a3b2dc120c0c9ff5479703527c8ae5f763d560?nocache=1
https://www.virustotal.com/gui/url/ed337d3d487dbb1ff30b573d61bb13236b8530cf5f63b47bb6bcaa919e904ca4?nocache=1

[kiwibrowser]

@nyanpasu64 For information, at least one of the two URLs is likely to go away soon;
I've discussed with Yahoo, normally they'll be able to provide us a direct URL that we can hardcode in the APK without having to host the search services ourselves while still being able to be paid as a partner.
I still have to convince Microsoft Bing too but I think it'll work, but likely to take at least few weeks (it's not an easy process).

@57382 I'm not sure what you are trying to do ?
It's very common and normal to have a browser to provide search services.

Brave points to Brave Search by default
Cốc Cốc points to Cốc Cốc Search by default
etc.

It doesn't mean that search.brave.com is malicious for example.
Yes by default Kiwi sets "Kiwi Search" (Kiwi Search Services) as default search engine.
Obviously Kiwi Search is not launched (yet) it may eventually may redirect you to Yahoo or Bing, it's not a bug, it's normal, and in the long-term it will disappear (or just point you to Kiwi Search).

If you are a bit patient, normally I will be able to remove the domains completely but it'll take some time as discussing with Yahoo or Microsoft isn't an easy task and we still don't have our permanent partner code that we can hardcode yet.

[57382]

@nyanpasu64 For information, at least one of the two URLs is likely to go away soon; I've discussed with Yahoo, normally they'll be able to provide us a direct URL that we can hardcode in the APK without having to host the search services ourselves while still being able to be paid as a partner. I still have to convince Microsoft Bing too but I think it'll work, but likely to take at least few weeks (it's not an easy process).

@57382 I'm not sure what you are trying to do ? It's very common and normal to have a browser to provide search services.

Brave points to Brave Search by default Cốc Cốc points to Cốc Cốc Search by default etc.

It doesn't mean that search.brave.com is malicious for example. Yes by default Kiwi sets "Kiwi Search" (Kiwi Search Services) as default search engine. Obviously Kiwi Search is not launched (yet) it may eventually may redirect you to Yahoo or Bing, it's not a bug, it's normal, and in the long-term it will disappear (or just point you to Kiwi Search).

If you are a bit patient, normally I will be able to remove the domains completely but it'll take some time as discussing with Yahoo or Microsoft isn't an easy task and we still don't have our permanent partner code that we can hardcode yet.

I want to defend the right to privacy! In a world without redirects.

[cron410]

If you go to settings and set the search engine to Startpage, there's no fishy things happening. I turned on airplane mode and searched for "bolts", this is the URL Kiwi Browser tried to access:

https://www.startpage.com/rik/search?q=bolts

[pras92]

https://github.com/kiwibrowser/src/issues/352

Why was the issue deleted?

Also, I don't remember seeing this warning before in older versions but installing v101.0.4951.40, and it effectively means the user is agreeing to "Personalised ads and content, ad and content measurement, audience insights and product development".

The consolation is that, an user can manually disable this by choosing to turn off in home page settings; however the declaration in the post-installation screen seems to be at odds with the privacy policy here

[Tobi823]

Thanks for the update.

Why was the issue deleted?

The repository was deleted. The new repository for Kiwi is https://github.com/kiwibrowser/src.next. But the Internet Archive has stored it https://web.archive.org/web/20210605191305/https://github.com/kiwibrowser/src/issues/352

Also, I don't remember seeing this warning before in older versions but installing v101.0.4951.40
The developer/developers relaunched Kiwi in the last months. Maybe with the relaunch the changed the business model from only search engine to search engine + discovery feed.

The consolation is that, an user can manually disable this by choosing to turn off in home page settings; however the declaration in the post-installation screen seems to be at odds with the privacy policy here

Yes, it is a bit misleading. As far as I understand the company behind Kiwi (Geometry OU) does not sell location data but Google Ads will use them (unless the Discover feed is deactivated).

But I find it hard to condemn - the advertising market is dominated by Google and Facebook, and for a small company the advertising revenues are small.

What do you think would be best? Should I update the installation warning and add the information about Google Ads and location data?

[Tobi823]

something like this

[kiwibrowser]

It's quite fair what you say Tobias, the main improvement I could do is to unbundle the SDKs ( = remove Google & co) in the GitHub edition. I think I can deliver it in July of this year.

It's relatively easy, since the only goal of the SDK is to show AdMob, and AdMob not only in optional in the release build, but it's also deactivable (and disabled in the GitHub release).

AdMob never has been planned, but it's really tricky to even get the browser break-even.

Search is still a pain to monetize, ideally I should partner with another search engine or launch Kiwi Search but it's a huge work.
But you know even if doing so, if you use "Brave Search" for example, it's not really better, it's not more private, it's just marketing :/
The same way Kiwi could market Kiwi Search as more private, etc.

DuckDuckGo are so big that they don't really care (though Kiwi has 4M active users according to Play Store, it's still too small), and to be fair, the benefits are unclear.

I think the market is though in a way that there always has to be Google or Microsoft somewhere in the loop.
You can feel +/- the same problems with other browsers, that's why Vivaldi for example is not pure and has to have affiliate links for example, though I know that Jon and Tatsuki are some of the most ethical people I know in the place and would trust them 100%.

[Tobi823]

@kiwibrowser Thanks for the information and your hard work. It's a real pity that there is no easy and popular way to finance software projects. GitHub sponsor / liberapay etc. is too niche and for Google one is only a supplicant.