Review: Is the Avast Security Browser Any Good?
Avast's "Secure browser" has been around for a while now.
Once a bundled feature with the premium version of its famous antivirus, Avast's Secure Browser is now a (free) standalone product.
Of course, the question of just how "secure" and "private" this browser truly is remains to be seen.
Let's see if we can call this browser "secure" and/or "private."
This is the Avast Secure Browser at a glance...
- Bank Mode (Virtual Machine/Sandbox)
- Settings are easy to navigate
- Avast is in hot water, accused of selling the browsing and click histories of millions of users
- Another Chromium based browser (this may be a negative for some people)
- Tracker blocking is very questionable
- Many prompts to use/connect to other Avast! products; this could be indication of a lot of proprietary code that points back to Avast! servers
- Sketchy claims/false promises
What is the Avast browser?
First, let's start with "What is Avast?"
Avast is a massive multinational cybersecurity software company founded in 1988. They're officially based out of the Czech Republic, and have been through a number of acquisitions, restructurings, and brandings since.
Avast has super well-known subsidary companies as well. These subsidaries include AVG, Piriform, and HideMyAss!
But, if you know anything about Avast, you probably know that its famous for its antivirus software. In fact, the free version of its antivirus is one of the internet's most popular antivirus programs.
However, Avast makes other software - both free and paid. Enter Avast's Secure Browser.
The Avast Secure Browser was initially only available for those who opted for the paid version of its antivirus. Then in early 2016, Avast began bundling its free antivirus with the secure browser.
Nowadays, you can just visit Avast's website and download the browser direct from there for free.
Avast claims its browser allows you to browse the web up to 4x faster, while maintaining security and privacy.
Be aware that Avast came under intense scrutiny in January 2020 after it was accused of selling upwards of 100 million users' search and click-through information to 3rd parties.
Avast claims the data sold was anonymized, but some reports claim otherwise. At of the time of this review, investigation is still "ongoing."
The Avast Secure Browser is available on all major device platforms (excluding Linux, apparently): Windows, Mac, iOS, and Android.
Additionally, depending on your region, you may not have access to download the browser. (This is more of a concern on mobile environements, specifically iOS.)
These are the minimum system requirements for running this browser on different operating systems.
Windows: Windows 10 (excluding Mobile and IoT Core Edition; Windows 8/8.1 (excluding Starter edition); Windows 7 SP1 or higher.
Mac: Intel-based Mac w/ 64-bit processor and Mac OS X 10.10 (Yosemite) or macOS 10.12 (Sierra) or higher.
iOS: iOS 13 or higher
Android: Android 5.0 (Lollipop) or higher.
Windows: Its installed size is a whopping 330MB.
Mac: Similar to Windows at 330MB.
iOS: According to the App Store, its size is a little over 55MB.
Android: According to the Play Store, the size varies between Android devices. However, it shouldn't be too different from the likes of the iOS size.
First launch and set up
Once the Avast Secure Browser finished installing and launched for the first time, my first thought was that it looks just like Google Chrome.
Granted, the browser is based off Chromium, but unlike some other Chromium-based browsers (like Brave), Avast keeps a very... Chrome-y appearance:
I also noticed that there was no set up prior to getting started with Avast's browser. It was a little off-putting, but it could be because
- I'm on a Windows desktop (many desktop browser first-launches don't hold your hand as much as mobile browser tend to do).
- Since it resembles Chromium and Google Chrome so much, perhaps the developers assumed that most users will already feel "at home" when launching the browser.
It is just launch and go with this browser, which is something I can personally appreciate. However, I find it its appearance and function to be just another clone of the standard Chromium browser.
We'll dive into the privacy and security features of the Avast Secure Browser here. We'll also cover any cool or unique features it may have in this section.
Security and Privacy Center
The bulk of the privacy and security options in the Avast Secure Browser are found in what is called the "Security and Privacy Center."
It's overall independent from the standard "Settings" page. However, many parts of this Security and Privacy Center do link to the browser's settings page.
While the Security and Privacy Center has a neat and compact layout, the constant back and forth between it and the general settings page can be confusing for some users.
Additionally, it appears that this Security and Privacy Center doesn't allow for any deeper or more meaningful customization options not found within base Chromium itself.
Ad and Tracker blocking
Built in tracker blocking in the Avast Secure Browser is not good.
For starters, the browser is set to allow third party cookies in normal browsing by default:
At a minimum, privacy browsers usually block third party cookies by default.
Outside of installing privacy focused extensions, any kind of general tracker blocking/fingerprinting protection in Avast is reduced to its built in Ad blocker, Anti-Track and Anti-fingerprinting function.
Ad blocking & "Anti-Track"
I'll just say it: Avast's built in ad blocker is mediocre.
This is mostly because:
- It doesn't necessarily block any trackers... just some ads. Analytics cookies, general tracking cookies, tracking beacons, and other aggressive tracking methods aren't reliably intercepted.
- It follows the "Acceptable Ads" criteria... which is strictly concerned with the appearance of ads - not their tracking or fingerprinting capabilities, which are the true threats to your privacy.
Now, you can enable "strict" blocking, which does block more ads than the standard. However, what I don't like is that the developer's discourage this function because they rely on revenue to "support" the Avast Secure Browser.
At the bottom of the Ad blocker settings, it does say the ad blocker is "powered by uBlock Origin." However, we don't know what list(s) the browser is using for each of its ad blocker settings...
Additionally, its "Anti-Track" feature appears to heavily rely on the Do Not Track standard, which is essentially defunct. It seems to block some known tracker scripts, but then it lets others through. I just want it to be consistent and transparent about what it truly blocks, of which it does neither.
I had to open the developer's tools to even verify if it was blocking anything besides ads at all:
So, it looks like the Anti-Track does work on some known tracking scripts - but it doesn't tell us straight up what it's blocking. To me, that's a little shady.
Back to the ad blocker: so, the built-in ad blocker doesn't block any trackers... it just blocks some ads that don't meet the "Acceptable Ads" criteria.
In blocking these ads, it may stop a small portion of the tracking cookies/beacons that ads frequently place on your device. Unfortunately, that's not nearly enough to meaningfully help protect your privacy, even if your threat model isn't hardcore.
What good is it?
Well, apparently allowing ads that follow the "Acceptable Ads" standard helps the developers make money. I would say that is this ad blocker's only useful function.
What's interesting is that even when configured to a "strict" blocking policy, the ad blocker doesn't do a better job than an extension like uBlock Origin, despite being powered by uBlock Origin. Again, this could be due to the lists that it is configured to use.
Overall, the built-in ad blocker is a false security, and it seems to only check a box in the browser's list of features.
I would strongly prefer if it wasn't even included... so that users would be more inclined to download a true ad blocker - or better yet, a trusted tracker blocker.
The Avast Secure browser's anti-fingerprinting is shallow at best. It claims to hide your browser information (such as type of browser, extensions installed, etc) from websites you visit...
When using online tools, such as Browser Leaks, I couldn't tell that this browser's "scrambling" of the user agent string really affected much of anything.
It's hard to trust that it does anything more behind the scenes, as it still seems that during my use the majority of websites were able to fingerprint my browser easily.
The Avast Secure browser runs on Chromium, which is an open-source browser framework created and maintained by Google.
While Chromium is open-source, there are quite a bit of callbacks to Google in its source code. I couldn't verify if these callbacks were removed from the Avast Secure browser or not, because its source code isn't available for the public to review.
So, we can assume that they weren't. If they were, they were most likely replaced by services or callbacks to Avast's servers -- much how Microsoft did with the new Chromium-based Edge.
This browser appears to have a dedicated and active development team.
Updates appear to be released regularly. Regular updates patch known security vulnerabilities and fix reported bugs.
The Avast Secure browser comes with built-in "Anti-phishing" protection.
When enabled, the browser scans the webpages you visit to ensure that you're not connecting to known phishing and/or scam sites.
The service is nearly identical to Google's "Safe browsing" feature, and as such can be a major detriment to your online privacy.
When this feature is enabled, the URL of the site you're visiting gets sent back to Avast/Google. The URL is compared against a database of known phishing websites.
Seems handy but what you should know is that these phishing sites pop up and get removed all the time. The "known" ones are usually long gone by the time they get added to these databases.
What you're doing is sending Avast and/or Google super detailed data about your browsing history - without them even having to really "track" you in the traditional sense. You're trading privacy for a subpar sense of security...
Why do I say subpar? Generally, if you follow "common sense" Internet safety guidelines, even the most average user will find little use out of enabling this feature.
Therefore, it's best left disabled so that it's harder for companies like Google and Avast! to collect your browsing history.
You can only use Bank Mode if you download the Avast Antivirus. I would advise against this because of the tracking and excessive data collection allegations surrounding Avast!
Bank Mode is arguably Avast's most unique, interesting, and potentially useful feature.
It's actually the one feature that made me look into the browser in the first place.
According to Avast, Bank Mode opens a Virtual Machine (VM) and a new window of the browser. This VM is isolated from the rest of your main system, so that other applications cannot see what you're doing within the browser on the VM.
However, in this case, it's more appropriate to call the "VM" a sandbox.
A sandbox is a software that allows you to run an application isolated from the environment of your main system.
So, in theory, even a password manager that has "auto-capture" feature should not be able to capture any information you may input while using Bank Mode.
Hold your horses though, because while this is a pretty cool and potentially helpful feature, it doesn't do as much for your privacy or security as you would think.
Firstly, Bank Mode is limited by the same limitations that plague all sandbox software, such as:
- Sites still have access to whatever information you tell them. For example if you log into your social media accounts and then browse the web, you can still be tracked and collected data can still be attributed to you and your social media profile
What's more is that this feature isn't going to necessarily increase your privacy just because it launches a window in a sandbox... You're still able to be effectively fingerprinted, websites still have the abilities to see where you click/what you type in forms on that given site,
At the most, Bank mode can protect what information you type in the browser from local threats. Meaning the likes of keyloggers and sketchy programs/applications installed on the device.
Additionally, there have been many security exploits found within this feature. Many of these have been patched - such as this malicious code injection that can automatically open Bank mode (external link) - but it seems the concept is deeply flawed from both privacy and security standpoints.
... whoops, nothing to do here!
Sketchy claims and false promises
My biggest issue with this browser is that it goes beyond making bold claims; it makes many false promises.
For example, on its website, Avast claims that this browser "stops tracking," but...
- The ad blocker is, at best, a run-of-the-mill blocker, that follows the Acceptable Ads standard unless configured to "strict."
- The "Anti-Track" feature functions on the mostly defunct Do Not Track standard. While it seems to block some trackers, to call it anything such as "track proof" is a ridiculously reckless claim.
- The anti-fingerprinting capabilities seem severely limited to only scrambling a part of the user agent string... Listen, fingerprinting has evolved to be extremely complex. Just partially scrambling an user agent string helps a little, but ultimately isn't going to cut it.
Additionally, the website for this browser claims to keep you anonymous. Which is a joke, and quite frankly, a straight up lie.
On today's Internet, total anonymity is extremely hard. It's downright next to impossible if you want to take advantage of not even half of the technology and services you can find and use via the Internet.
Also, the only browser that can give you some anonymity is the Tor browser. But even TOR isn't foolproof, especially when not optimally configured. So, for the Avast Secure Browser to even remotely claim that it can help you remain anonymous is just a lie.
Finally, this browser is not open source. Sure, the Chromium framework is, but the source code for the Avast Secure Browser is not; with all the proprietary extensions built in, it's a real possibility that the browser phones home with collected data on how you use it.
This is the only "bad" I have to list, because it is the ultimate deal-breaker for this browser.
Honestly, I can't recommend this browser.
I would recommend that you stay away from using this browser; if you are in need of a Chromium based browser, then there are better alternatives available.
As always, stay safe out there!