Torzon Mobile Setup - Orbot and Onion Browser
The walkthrough for the moment plain Tor will not connect on a phone. Work out what your carrier or Wi-Fi is doing, pick the matching pluggable transport, and reach the Torzon onion service from a handset - whether that is Orbot on Android or Onion Browser on iOS. Every step below is written for a touchscreen, not a desktop.
WHAT YOU WILL NEED ON THE PHONE
Gather these before starting. Most readers already have everything except the PGP app - install it once and you can verify every future bridge bundle and mirror list from the handset.
An Android or iOS Phone
Android 9+ for Orbot. iOS 15+ for Onion Browser. A spare handset is ideal but not required.
Orbot 17+ or Onion Browser 3+
Latest builds ship all pluggable transports. Install only from F-Droid, Google Play or the App Store.
QR Bridge Bundle
Our PGP-signed obfs4 set encoded as a QR, so a bridge line is never typed on a touchscreen.
OpenKeychain (Android)
For verifying bridge bundles and mirror addresses against fingerprint 4B9E 1C7A F25D 8063 A4E7 9F31 6C28 B5D4 0E71 38FA.
This Page Bookmarked
Re-visit it on the phone whenever you need a fresh bridge or a different mirror endpoint.
FROM BLOCKED PHONE TO CONNECTED - SEVEN STEPS
Each step is sized to the work it actually requires on a handset. Follow them in order; later steps assume earlier ones are done.
Probe What Your Carrier Is Doing
Diagnose firstOpen Orbot (Android) or Onion Browser (iOS) and tap Connect without a bridge first. Watch the bootstrap progress closely.
- Reaches 100% in < 30s: Your mobile network is unrestricted. Skip to step 7 and just verify the mirror.
- Stalls at 10-25%: The carrier is blocking guard relay IPs. You need a bridge with any transport.
- Bootstrap completes but .onion times out: DPI is fingerprinting Tor TLS. You need obfuscated traffic - obfs4 or meek.
- Bridge connects then drops: Active probing is identifying bridges by behaviour. snowflake (which moves) is your best option.
Orbot's log screen records the precise stall point. Open it to read the failure stage - it dictates which transport will work on your carrier.
Install the Right App for Your OS
Official stores onlyAndroid - Orbot 17+:
- Install Orbot from F-Droid (preferred) or Google Play
- Optionally install Tor Browser for Android for per-app routing later
- Grant Orbot the VPN permission on first launch so it can build the local tunnel
iOS - Onion Browser 3+:
- Install Onion Browser from the App Store
- It bundles its own Tor; no separate Orbot-style app is required on iOS
Never sideload a repackaged Orbot APK from a file-sharing site or chat group. Several have shipped hostile bridge defaults that route through attacker-controlled relays.
Import an obfs4 Bridge by QR or Paste
Default choiceobfs4 is the right starting point for most blocked carriers. It wraps Tor traffic in a randomized byte stream that defeats most DPI signatures. On a phone, QR import is the path of least pain:
- Android: open
Settings → Bridgesin Orbot, choose scan a bridge QR, and point the camera at our signed QR bundle - iOS: open
Bridge Configurationin Onion Browser and select built-in obfs4, or paste a bridge line - A bridge line looks like
obfs4 IP:PORT FINGERPRINT cert=<base64> iat-mode=0 - Tap Connect - the bootstrap should now complete in 30-90 seconds
Verify the QR bundle's PGP signature before scanning. A poisoned bridge can silently inject a malicious guard, and a phone is harder to inspect than a desktop.
Switch to Snowflake When Bridge IPs Burn
High-censorship carriersSome carriers enumerate published obfs4 bridge IPs and block them faster than the directory rotates. Snowflake routes through ephemeral WebRTC proxies hosted by volunteers - the proxy IPs change constantly, making bulk blocklists impractical.
- In Bridges, pick the built-in snowflake option (available in both Orbot and Onion Browser)
- Your traffic looks like a video call to passive observers - same WebRTC handshake on the wire
- Expect higher latency (200-400 ms) and more battery and data use, but considerable resilience against IP enumeration
Snowflake pairs particularly well with Mirror β - that endpoint's upstream relays are tuned for snowflake's jitter profile.
meek-azure for CDN-Only Wi-Fi
Campus / hotel firewalls
Some Wi-Fi networks - campus, hotel, corporate guest - only allow outbound HTTPS to a small set of well-known CDN domains. meek-azure tunnels Tor inside an HTTPS connection to *.azureedge.net, which the firewall sees as innocuous Microsoft traffic.
- Android: pick the built-in meek-azure bridge in Orbot
- iOS: meek-azure exists in Onion Browser but is constrained by Apple networking limits - try obfs4 or snowflake first
- Expect the highest latency of the three transports (250-500 ms) and the heaviest data and battery cost
meek depends on a CDN provider's continued tolerance of domain fronting. If one Azure region begins rejecting it, switch back to obfs4 or snowflake until upstream is restored.
Choose Whole-Phone or Per-App Routing
Save data and batteryOrbot can route every app or just the ones you select. The choice has a real effect on battery and cellular data, which matters on a prepaid plan.
- VPN mode routes the whole phone through Tor - simplest, but the heaviest on battery and data
- Per-app mode routes only chosen apps, usually just Tor Browser for Android - much lighter and avoids breaking apps that dislike Tor
- On iOS, Onion Browser only routes its own tabs; other apps are unaffected
- Prefer obfs4 in per-app mode on a low-data plan; reserve snowflake and meek for when nothing else connects
The measured per-transport data and battery profile is published on the features page.
Verify the Mirror With Mobile PGP
Do this every sessionBefore you open any mirror address, confirm it came from us. You can do the whole thing on the phone - no desktop required.
- Android: install OpenKeychain, import our public key, and verify the detached signature on the mirror manifest
- iOS: follow the documented workflow on the Mobile Security page using a files-based PGP app
- Confirm the fingerprint reads
4B9E 1C7A F25D 8063 A4E7 9F31 6C28 B5D4 0E71 38FAexactly - Confirm each onion address is exactly 56 base32 characters before
.onion
Treat the phone's keychain and cloud backups as the highest-value target. A handset backup synced to a cloud account is a known attack surface - review what your phone backs up before relying on it for anything sensitive.
QUICK MOBILE SETUP VS HARDENED HANDSET
Two configurations sized for different threat models. Pick the one that matches what your carrier or Wi-Fi is actually doing.
PRE-SESSION MOBILE CHECKLIST
Run through every item before each session - carriers adapt, and last week's working transport may need switching today.
App Up to Date
Bridge handshakes change between releases. Older Orbot and Onion Browser builds get easier to fingerprint.
Transport Matched to the Block
obfs4 for ordinary DPI, snowflake when bridge IPs burn, meek-azure for CDN-only Wi-Fi. Re-check each session.
Bridge Bundle Verified
If you import a bridge by QR or paste, validate the PGP signature against fingerprint 4B9E 1C7A F25D 8063 A4E7 9F31 6C28 B5D4 0E71 38FA.
Mirror Selected by Latency
Use the reachability monitor to pick α, β or γ based on which responds fastest from your transport.
Data and Battery Budget Checked
On a prepaid plan, prefer obfs4 in per-app mode. Snowflake's idle WebRTC drain is real over a long session.
Fallback Transport Pre-tested
If your primary transport burns mid-session, having a second one already configured saves minutes of panic on the phone.
CIRCUIT UP, PHONE CONNECTED.
Once your bridge is imported and your transport tested, what lies behind any of the three mirror endpoints is identical. From bootstrap to a working onion circuit takes around 25 minutes the first time on a phone, far less every session after.