[tor-dev] reproducible builds for Android tor daemon

Hans-Christoph Steiner hans at guardianproject.info
Thu Sep 12 10:50:43 UTC 2019

Hey all,

I'm currently working on tor for Android as part of a Guardian Project
project.  One key goal is making a shareable, reproducible build process
for the tor daemon for Android.  Then this would be published to
MavenCentral as an Android AAR package to be used in all the apps that
include tor (Tor Browser, Orbot, Briar, Thali, etc).  I have cleaned up
the existing build process a lot, so now I'm down to troubleshooting
reproducible issues.

First off, can anyone see any objections to switching Tor Browser,
Orbot, Briar, etc. to use GPG-signed reproducible binaries via
MavenCentral for the tor dameon?

Second, I'd welcome pointers to the integration points in Tor Browser,
Briar, etc.

And third, and tips on getting a Linux shared library to build
reproducibly.  E.g. is faketime a hard requirement?

And for those interested, the here's an overview of the whole project
I'm tasked with:

The basic idea is to make an Android-native TorService, which is a
subclass of android.app.Service and loads tor daemon as a shared
library, and starts it via JNI methods. This should be pretty close to
how iOS apps use tor. Then that TorService should then plug into Orbot,
Tor Browser, Briar, etc. Then based on that, I'll make a standalone,
dead simple "TorServices" app that only provides Tor. No PTs, HSs, etc.,
just a tor daemon linked in as a shared library, providing a SOCKS and
HTTP CONNECT proxy via tor. I hope to switch the ControlPort to use a
UNIX domain socket.  This then can also be embedded into Android OS ROMs
that want to have Tor built-in as a system service, like CalyxOS.

Then I'll be working on the apps choosing which tor provider to use,
since we'll have a new TorServices, so apps that don't include Tor will
have to figure out how to use Orbot and/or TorServices. Then that work
will hopefully be extended into sharing tor between apps, e.g. letting
Briar, Tor Browser, etc share the tor SOCKS proxy to other apps that
want to use it. That would happen via Android mechanisms like Intents to
manage the discovery of SOCKS ports.


PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the tor-dev mailing list