Hermit does not currently support Multiple Profiles because unfortunately it is impossible to implement with the current set of Android APIs available to developers.

Can Two Sites in a Lite App Share Data?

No, absolutely not.

Just like every other browser, web sites loaded in Hermit CANNOT access each other’s data. Each web site has access only to its own cookies and its own storage, segregated by its domain name, because that’s how security works on the Web Platform (and has for the last 20+ years). A page from facebook.com cannot access cookies set by another page at, say, reddit.com in any browser.

We’ll say this again so it’s crystal clear: Hermit is like every other browser in this respect.

What about between Two Lite Apps?

Opening two Lite Apps in Hermit is like opening two tabs or two windows in Chrome or Firefox.

So while facebook.com cannot access reddit.com’s cookies, you cannot have two sets of cookies for facebook.com or reddit.com active at the same time. That means you cannot log in to Facebook or Reddit using two accounts at the same time in the same browser.

What about Third-Party Cookies?

If a third-party server is used by both Facebook and Reddit (let’s say some-ad-server.com), that server is able to access its own cookies from both Lite Apps.

This is exactly what happens when you open Facebook and Reddit in two separate tabs or two separate windows in Chrome or Firefox or any other browser.

Because of the way the Web works, some-ad-server.com will always have access to its own data, no matter which window or tab or Lite App you are using.

Hermit Protects You Even Before Cookies Are Set

But to be able to set a cookie, the JavaScript code from some-ad-server.com must first be downloaded to your phone and executed.

Even before such code is downloaded, Hermit’s Ad Blocker and Malware Blocker will block suspicious code from domains classified as ad-ware or malware, and will prevent it from running entirely!

What Hermit doesn’t have, and what no other browser on Android has either, is full cookie separation between Lite Apps (or windows or tabs).

Cookies and Android WebView

Android apps that use the WebView system component to render Web sites must use the default in-built cookie management system. There is no way to substitute our own cookie jar or to handle our own network processing (e.g. via a custom network stack). All apps must use this default behavior, and only one cookie jar is supported per app.

That means it is not possible to implement separate cookie jars for each Lite App, or multiple profiles using the current set of APIs available to developers.
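
The behaviour described in the sections above, as an added sketch that is not Hermit's or WebView's own code: a toy cookie jar keyed by domain, run once with the single jar that every Lite App shares and once with a hypothetical jar per Lite App. `CookieJar`, `LiteApp`, `demo`, the `uid` cookie and the account names are all constructed for illustration.

```javascript
// Simplified model (constructed): cookies are stored per domain, and a
// request to a domain only ever carries that domain's cookies.
class CookieJar {
  constructor() { this.byDomain = new Map(); }
  set(domain, name, value) {
    if (!this.byDomain.has(domain)) this.byDomain.set(domain, new Map());
    this.byDomain.get(domain).set(name, value);
  }
  cookiesFor(domain) {
    return Object.fromEntries(this.byDomain.get(domain) ?? []);
  }
}

// Hypothetical Lite App: a top-level site plus the third-party hosts it embeds.
class LiteApp {
  constructor(site, jar, embeds = []) { this.site = site; this.jar = jar; this.embeds = embeds; }
  login(account) { this.jar.set(this.site, "session", account); }
  // Loading the page contacts the site and each embedded host;
  // returns the cookies each of those hosts receives.
  load() {
    const seen = {};
    for (const host of [this.site, ...this.embeds]) {
      if (host !== this.site && !("uid" in this.jar.cookiesFor(host))) {
        this.jar.set(host, "uid", `id-set-via-${this.site}`); // first visit: tracker sets its ID
      }
      seen[host] = this.jar.cookiesFor(host);
    }
    return seen;
  }
}

// makeJar decides whether the three Lite Apps share one jar or get one each.
function demo(makeJar) {
  const AD = "some-ad-server.com";
  const fb1 = new LiteApp("facebook.com", makeJar(), [AD]);
  const fb2 = new LiteApp("facebook.com", makeJar(), [AD]);
  const reddit = new LiteApp("reddit.com", makeJar(), [AD]);
  fb1.login("alice"); fb2.login("bob"); reddit.login("carol");
  const a = fb1.load(), r = reddit.load();
  return {
    firstFacebookSession: a["facebook.com"].session, // did alice's login survive?
    redditSession: r["reddit.com"].session,          // sites never see each other's cookies
    adIdSharedAcrossApps: a[AD].uid === r[AD].uid,   // third party sees the same ID in both
  };
}

const sharedJar = new CookieJar();
const oneJarPerApp = demo(() => sharedJar);         // one jar per Android app
const jarPerLiteApp = demo(() => new CookieJar());  // separate jar per Lite App
```

With the shared jar, the second Facebook login overwrites the first and the ad server reads the same ID from both Lite Apps; with a jar per Lite App, neither happens.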

A Ray of Hope: Android P

Android P and above will support multiple cookie jars per app.

Once Android P APIs are stable, we will revisit this and consider implementing a solution. However, any such solution will only work on Android P and above, which severely limits the number of people who can benefit from this.

So how does Incognito Mode work?

If you’re wondering how Incognito mode works in other browsers, most browsers save the cookies from the regular session, clear the cookies from the Incognito session, and then swap the saved cookies back in when done. This works because they only have two modes: Regular and Incognito.

In Hermit, you can have as many Lite Apps open at the same time as you want, so swapping out cookies like this can cause instability and mix up your browsing sessions, which can be disastrous.