[tor-dev] CPAProxy - a thin Objective-C wrapper around Tor

Claudiu-Vlad Ursache claudiu.vlad.ursache at gmail.com
Mon Oct 7 14:59:11 UTC 2013

Hi everyone,

For those of you interested in making Tor available on iOS, I've recently
released CPAProxy, a thin Objective-C wrapper around Tor (

The goal of the project is to release a free open-source browser  on the
AppStore that uses this wrapper and Tor to anonymize requests.

It works by starting an instance of the Tor client in a background thread
of an iOS app's main process. CPAProxy connects a socket to the client's
control port, send an authenticate message and asks for the bootstrap
progress until it reaches 100%. When the bootstrapping is done, the app is
notified that Tor's SOCKS proxy is ready to be used. From that point on,
networking requests can be sent over the proxy using Apple's iOS networking
classes. The github repository contains two packet traces from a test app
using CPAProxy of what traffic for an HTTP request looks like when it's
sent over Tor and when in plain. The repo also contains build scripts that
ease the compilation of openssl, libevent and Tor for iOS without changing
anything in the "normal" build process except for removing _NSGetEnviron()
and ptrace() calls in src/common/compat.c, since they're are not available
on the iPhone. Each of the libraries are statically linked into the
application binary.

Before continuing with the endeavor of releasing a browser, it would help
to know if there are people who think that it's not a totally bad idea to
release software that uses Tor on a closed platform and to get some
feedback on what security considerations are of high importance.

Some open questions I'm still looking answers for:
- What webkit features have to be disabled in order to keep anonymity
intact while displaying web content?
- Apple's networking classes provide ephemeral in-memory URL Sessions (
Can those be trusted or should equivalent classes be written from scratch?
- CPAProxy sets up Tor's DataDir in a temporary directory of an app's
sandbox where it's not accessible by other processes. Should that directory
be protected in any other way?
- What is a good way of analyzing packet captures from an app using
CPAProxy and Tor to see if any information leaks?

If there's anyone with opinions on the project, it would really help to
hear them. On #tor-dev I'm ursachec.

All best from Hamburg,

Claudiu-Vlad Ursache

Homepage: cvursache.com
Phone number: +49 152 554 08 409
Address: Lange Reihe 113, 20099 Hamburg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20131007/22e67ec3/attachment.html>

More information about the tor-dev mailing list