Programs that respect your privacy

Saved Instance State

Beginning with Privacy Browser 3.5, the app now saves and restores the instance state if killed in the background by the OS.

For those who might not be aware of the abomination that is memory management on Android, I would point you to the picture below, which was taken from the official Android Lifecycle documentation.

They make sure to let you know that this is a simplified representation.

Notice that nice App process killed item on the left. Turns out that Android likes to do this all the time.

Those of us who grew up using desktops have a general expectation that programs keep running until we close them. To work around this on Android, apps have the option to save their instance state and recreate it when onCreate() is run again. This creates the impression that the app has been running continuously without such actually having been the case.

Needless to say, there are a lot of possible pieces of information that would need to be saved to recreate the exact state of an app after it has been restarted. Previous to 3.5, Privacy Browser did not attempt to do this at all, but with the new Day/Night theme, it became a high priority to do so, because the app restarts whenever the theme changes.

There are three data storage methods that can be used to store this data: ViewModels, saved instance states, and persistent storage. These are described in the saving UI states documentation. The important detail for our purposes is that ViewModels only exist in RAM, saved instance states exist in RAM, but can be written to the flash storage if the OS needs to recover RAM for other purposes (the previous line has been removed from the linked documentation, which hopefully means that with current versions of Android it is no longer the case), and persistent storage always exists on the flash storage. The bookmarks and domain settings databases are examples of persistent storage used by Privacy Browser.

One of the primary design philosophies of Privacy Browser is to minimize the amount of data that is stored on the device. Specifically, just browsing to a website should not create a record of where you have been. There are far to many examples of tricky ways this information can be exfiltrated from a device to compromise a user’s privacy. As such, I really wanted to handle all data storage using ViewModels. Unfortunately, because of limitations in the type of data that ViewModels can store, Privacy Browser also has to use a saved instance state to correctly reinitialize after being restarted by the OS. (With the apparent changing of the system to no longer write the saved instance state to storage, this is no longer a problem.)

The following pieces of sensitive information are stored in the saved instance state:

  • The list of all the currently open tabs, including each URL.
  • The WebView history for each tab, including the URL of each item in the history.

Depending on what happens, this information can be written to a system area of the flash storage. I consider this to be suboptimal, but there is no way to prevent it from happening if Privacy Browser is to function well on Android. (Again, this is happily no longer a problem.)

The good news is that running Clear and Exit from the navigation menu or by tapping the X to close the last tab deletes the saved instance state. Those who have significant privacy needs can enable Incognito Mode, which wipes the WebView history every time a new website is loaded.

Last updated

3 responses to “Saved Instance State”

  1. […] Privacy Browser now saves and restores its state if it is killed in the background by the OS. This is necessary to make switching between Day and Night theme work correctly, but it also has benefits in a number of other scenarios. There are privacy implications of saving the instance state, which are discussed in dept in their own blog post. […]

  2. […] Most of the security in Privacy Browser is designed to protect against remote entities compromising your privacy. Incognito Mode is designed to protect against a different threat: a malicious actor gaining unlocked access to your physical device. For example, consider the situation of a human rights worker arrested by the police under a repressive regime. Using coercion or technical means they could unlock the person’s device. Incognito Mode assures that there is no web history stored in Privacy Browser. Those interested in Incognito Mode should also read the post about the saved instance state. […]