[GrapheneOS] How to set Mojeek as the default search engine in Vanadium

Vanadium is the default web browser for GrapheneOS, a secure operating system based on the Android Open Source Project (AOSP) without Google apps/services by default and which is intended to be used with verified boot to maintain its security model.

Vanadium supports custom search engines through the OpenSearch format (see "OpenSearch description format" on MDN).

Setting Mojeek as the default search engine on this browser is easy.

  1. Go to mojeek.com and make a search.
  2. Go to Settings > Search Engine and set Mojeek as the default search engine.

2 Likes

Thank you for sharing this. :+1:

2 Likes

Would you concur @gnome with the opinions of a fair few Graphene users (and Daniel himself I believe) that Vanadium is the best choice on Graphene? I’ve seen some differing opinions when comparing in-group to out-group.

1 Like

I’m a recent GrapheneOS convert, and not a security researcher, so I can’t give you particularly deep insight. And I’m not quite sure what sort of opinions you’re looking for, so I’ll give you my general impressions :slight_smile:

Vanadium disables JIT compilation, which supposedly accounts for a large percentage of browser exploits. Blink-based browsers in general are more equipped to deal with hostile sites and scripts, with better exploit mitigations and proper site isolation. I have no doubt they’re doing a good job in securing the browser. Brave is likely ahead in anti-fingerprinting and implements content-blocking while perhaps not having the same exploit mitigations, because Vanadium has been more security-focused until now. Vanadium is also simpler than Brave, which has a lot of features (even on mobile), so this could reduce attack surface.

Regular web surfers might expect content blocking to be included in the browser, but Vanadium does not provide this. It also does not allow you to install extensions, but given that I’m coming from iOS…I’m not missing anything. Vanadium plans to eventually implement content-blocking. This marks the first time I’ve seen an advertisement on the web in months.

However, Vanadium gives you no way to turn off browsing history without going into incognito mode, which also doesn’t let you persist cookies. This is, in general, a bizarre blind spot in browsers based on the Blink engine. Even the desktop browsers don’t let you turn off history without going into incognito mode, though they at least let you only keep it for the session.

The only issue with browsing in incognito mode in Vanadium, besides lack of cookies, is the inability to create a PWA in that mode. I really don’t know why you can’t do that. You can even open PWAs in incognito mode by turning on “Open links in incognito”. Another glaring omission, though this is intentional because upstream Android Chromium doesn’t do this, is the inability to add custom search engines. Vanadium needs to pick this up from the OpenSearch metadata; you can’t just add a new URL like in Firefox. This is still far better than Safari, which doesn’t provide any way of adding search engines outside of the blessed list of Bing, Google, and Bing-by-proxy. I wish they at least gave you Wikipedia, too…

I’ve always been a big fan of Firefox. Allowing you to just turn off history without messing with cookies is great. You can also delete cookies individually, rather than “in the last hour” or “last day” or “last 7 weeks”, which is as far as most desktop Blink-based browsers will go. But I also much prefer the design of Firefox and the ability to add a dedicated search box instead of only using the omnibar like every modern browser forces you to do. The dedicated search box makes it far easier to switch between search engines, which is something I do a lot (though I also use the omnibar for search shortcuts like Wikipedia).

I’m really not much of a phone user, though, so I’m not that picky about browsers. Even when I do use my phone, I am rarely using the browser (more likely, I am doing things that can only be done on apps), so Vanadium is just fine for me. The big differences in usability come into play more in the desktop version of Firefox. One thing that does bug me on Vanadium is how the tab button is at the top, rather than directly above the 3rd Android navigation button. It would be nice to have it at the bottom. Oh, and it would be nice to have the ability to turn off web fonts…

Also, Firefox is not a great choice if you’re coming at it from a security perspective, because as mentioned, Blink-based browsers are ahead in exploit mitigations. I haven’t looked at Bromite, but Vanadium is a great choice for GrapheneOS users. I haven’t seen any reason to seek out another browser; and if I did, it certainly wouldn’t be for better security.

Edit: Oh, and based on the app description, it is intended for use mainly with GrapheneOS. You won’t get some of the security benefits if you try to use it with regular Android:

> Vanadium is a privacy and security hardened variant of Chromium providing the WebView (used by other apps to render web content) and standard browser for GrapheneOS. It depends on hardening and compatibility fixes in GrapheneOS rather than reinventing the wheel inside Vanadium. For example, GrapheneOS already provides a hardened malloc implementation so there’s no need for Vanadium to replace it. Similarly it can deploy security features causing breakage on other operating systems due to the ability to fix compatibility problems in the OS.

2 Likes
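The first post and the reply above both note that Vanadium learns a custom search engine only from a site's OpenSearch metadata. As an added example (not from the thread and not Vanadium's own code), this Python check audits such a description document before you make the engine your default: it reports where queries would actually be sent. The host `search.example`, the sample XML and the helper name `audit_opensearch` are constructed for illustration.

```python
# Added example: audit an OpenSearch description before trusting it as a search engine.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OS_NS = "{http://a9.com/-/spec/opensearch/1.1/}"

# Constructed sample; search.example is a placeholder host, not a real engine's file.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Example Search</ShortName>
  <Description>Constructed sample</Description>
  <Url type="text/html" template="https://search.example/search?q={searchTerms}"/>
  <Url type="application/x-suggestions+json"
       template="http://suggest.tracker.example/s?q={searchTerms}"/>
</OpenSearchDescription>"""


def audit_opensearch(xml_bytes, page_host):
    """Return (short_name, findings) for one description document."""
    # OpenSearch needs no DTD; refusing one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DOCTYPE/ENTITY not allowed in OpenSearch description")
    root = ET.fromstring(xml_bytes)
    if root.tag != OS_NS + "OpenSearchDescription":
        raise ValueError("not an OpenSearch 1.1 description")
    name = (root.findtext(OS_NS + "ShortName") or "").strip()
    findings = []
    urls = root.findall(OS_NS + "Url")
    if not any(u.get("type") == "text/html" for u in urls):
        findings.append("no text/html search URL")
    for u in urls:
        kind, template = u.get("type", ""), u.get("template", "")
        parts = urlsplit(template)
        # Search terms are sensitive: flag cleartext transport and off-site hosts.
        if parts.scheme != "https":
            findings.append(f"{kind}: queries sent over {parts.scheme or 'no scheme'}")
        if parts.hostname != page_host:
            findings.append(f"{kind}: queries go to {parts.hostname}, not {page_host}")
        if "{searchTerms}" not in template:
            findings.append(f"{kind}: template lacks {{searchTerms}}")
    return name, findings


if __name__ == "__main__":
    name, findings = audit_opensearch(SAMPLE, "search.example")
    print(name)
    for f in findings:
        print(" -", f)
```

In the constructed sample the search URL is clean, while the suggestions URL is flagged twice: it uses plain HTTP and points at a different host than the page that advertised it.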

Yeah. It’s the top recommended/suggested browser. There are a lot of things planned for future implementation.

2 Likes

Not to deter too much from the topic at hand but, since you’re not really much of a phone user, what is/are your browser(s) of choice for desktop?

1 Like

Somewhat complicated answer.

I use Firefox Stable for desktop Linux, currently. I tried Brave for a time, but I’m far too attached to all of Firefox’s features to use a Blink-based browser regularly. I also like the development tools much more than Blink-based browsers. And at the time, the scrolling issue on Linux hadn’t been fixed.

I also tried Orion on the occasion I had to use macOS, but found it too buggy in its current state. It has some very nice development features, though, which are better than any free software browser. It’s proprietary software, though.

I use Tor Browser on occasion. I’ve recently considered using Mullvad Browser as my main browser, but lack of cookie persistence, even when adding exceptions for a choice few domains, holds me back. I also require another extension, which is discouraged for anti-fingerprinting reasons, so I’d need a secondary browser. Ah, if only there were an Electron version of Yomichan. Otherwise, it’s a fantastic browser with a lot of the customization work done already.

I’m aware Firefox is more vulnerable to exploitation. I disable JavaScript and web fonts by default with uBlock Origin, which should hopefully reduce some of the attack surface. Most of the time, I don’t need to enable JavaScript. You don’t need JavaScript to search the web with Mojeek, for example (however, you do need it for the Discourse community).

I use Brave or Chromium when Firefox does not support the site (which is rare). For example, Firefox does not have WebUSB support, so I used Brave when installing GrapheneOS. I also use these browsers for testing sites when I’m doing development. Also, I tried Vivaldi once, and quickly realized I was never going to use most of these features. My desire for customization is satiated by Firefox’s userChrome feature.

1 Like

Yeah, unfortunately no way around that one. There were a few tools at the intersection of what we were looking for and what we could self-host, and Discourse was the clear winner there, even with the JS.

You might not be a security researcher but the above is very detailed, thanks a lot for it. I especially agree with the coming from iOS aspect :laughing:

This is my browser loadout for non-phone:

[image]

I tend to use different options for different types of browsing. Pretty much all Mojeek stuff goes through Firefox, which has a heavy bookmarks bar. Makes things quick and easy, mind.

1 Like

> Yeah, unfortunately no way around that one. There were a few tools at the intersection of what we were looking for and what we could self-host, and Discourse was the clear winner there, even with the JS.

Discourse certainly isn’t as bad as some sites, because you can browse it with JavaScript disabled (though the lack of search makes that prospect more difficult). But Discourse is free software, and I have a high level of trust in Mojeek, so I’m unconcerned. It looks nice, and is simple to navigate. Very JavaScript-reliant, though.

Certainly much better than relying on Discord to host your community :stuck_out_tongue:

> You might not be a security researcher but the above is very detailed, thanks a lot for it. I especially agree with the coming from iOS aspect :laughing:

Happy you find my rambling entertaining :slight_smile:

GrapheneOS is actually my first experience with Android. Apple seems to be about to EOL the iPhone 8 this year, so it made sense to look for a new phone (now, what to do about my Intel Mac…). The Google Pixel series gives you comparable longevity for a cheaper price, and I can’t say any part of it has been a downgrade. It’s…a weird feeling, how much easier everything is on Android. I don’t think I can go back to not having a Back button now.

> I tend to use different options for different types of browsing. Pretty much all Mojeek stuff goes through Firefox, which has a heavy bookmarks bar. Makes things quick and easy, mind.

Now, if only I were so organized. I tend to just end up using Firefox because it’s the most convenient.

For bookmarks, though, I use this one-liner script independent of the browser I’m using which I can pull up with wofi or dmenu, depending on the display server I’m using: dwm/config.h at 2cfa02d9b350df0957d68037586915917978f2a7 · LukeSmithxyz/dwm · GitHub and the accompanying video: Bookmarking for Non-Dumb People - Luke's Videos

(on my Wayland system, it’s ydotool type $(grep -v '^#' ~/.local/share/snippets | wofi -x 0 -y 0 -W 100% --show dmenu -i -l 50 | cut -d' ' -f1))

I have hundreds of bookmarks in Firefox, but I got tired of clicking through menus, so this was a nice way to do things keyboard-only. You do have to remember something about what you’re looking for, though :slight_smile:

1 Like

100% on that one - so much seems to be going this way. It also creates an expectation of immediate reactivity to things, which we aspire to, but cannot guarantee.

I almost treat browsers as big tabs at the bottom of my screen. It is definitely organisation of a sort :laughing:

The Pixel 6a I have currently is my first time using it as my main phone. I had used Ubuntu Touch and the Manjaro Pinephone distro more extensively before this one. The longevity aspect is something which is a massive benefit, and much like yourself I’ve now fully acclimatised to what I would consider to be a superior experience. Obviously taste factors in.

That meta-bookmarks system is very cool, maxing out on ergonomics for sure. Very unsurprising that this is attached to Luke Smith :pray:

1 Like

> The Pixel 6a I have currently is my first time using it as my main phone. I had used Ubuntu Touch and the Manjaro Pinephone distro more extensively before this one.

I also used Phosh and Ubuntu Touch for a while before I first touched Android. I like Phosh a lot, and Ubuntu Touch is nice.

Signal is the only thing really keeping me from using my Pinephone regularly. Signal Desktop appears to have made some good progress in its ARM build, but you need to have already registered a Signal account via the Android or iOS app using a phone number to use it that way. Axolotl, or whatever has replaced it, does not seem to be in a mature state yet. Obviously, there are some security issues that need to be addressed too. I expect to revisit this scene in 5 years.

> The longevity aspect is something which is a massive benefit, and much like yourself I’ve now fully acclimatised to what I would consider to be a superior experience. Obviously taste factors in.

This is the only thing the iPhone is still better at, in my opinion. Supporting the iPhone 6S for 7 years (technically it’s still supported, as iOS 15 is still supported, so it’ll hit 8 years this year) was a landmark in phone support. The timeframes Apple supports their phones for just keep increasing, so maybe I’ll be wrong about the iPhone 8 getting the axe this year.

I don’t see any reason for a multi-billion dollar company like Google not to support its mainline phones for more than 5 years. They’re plenty powerful, and there really isn’t that much innovation in that space anymore. 10 years seems like a reasonable timeframe to keep a modern phone for.

The only thing you need to worry about is the battery’s total capacity being reduced over time, but I intend to take good care of this phone. And in any case, it would be cheaper to replace a battery every 5 years than to buy a whole new phone.

I will say this, though. Being able to just…transfer files from my phone to my computer with aft-mtp-cli is great.