[tor-talk] Android app: Torrific

CJ tor at tengu.ch
Thu Jul 24 13:15:52 UTC 2014

On 07/24/2014 02:38 PM, Mike Cardwell wrote:
> * on the Thu, Jul 24, 2014 at 08:01:53AM +0200, CJ wrote:
>> Just a small announcement (not sure if this is the right ML, sorry).
>> I'm developing an Android app allowing one to block all IP traffic, and
>> force only selected apps through Orbot.
>> This is done because neither Orbot nor AFWall (or other free, open-source
>> Android iptables management interfaces) seem to be able to do that???
> One suggestion: Test this on a network which dishes out IPv6 addresses.
> None of these Firewall apps seem to take IPv6 into consideration. So if
> you wander onto a WiFi network which dishes out v6 addresses and then
> one of your Apps tries to connect to a host which supports v6, like for
> example Google or Facebook, then it will bypass your iptables rules.
> You need to set up rules using ip6tables for IPv6 too.
> Also, make sure that the rules are applied prior to any network
> connectivity coming up.

Hello Mike,

good point for IPv6 — it won't block it for now (no call to ip6tables so
far, though it's already defined in the init-script).

Regarding applying the rules early: the app currently installs an
init-script with:
- INPUT/OUTPUT default policy to DROP
- first rule in INPUT/OUTPUT to REJECT

I had to ensure there is no network at all — it seems some rules are
pushed really early in the chains, especially for the quota managing thing.

With this init-script, I ensure there is nothing IN nor OUT of the
device until torrific is launched. Even Orbot can't connect, which may
create some problems (and has created I think, though it's pretty
unclear for now and not really reproducible :( ).

Unfortunately, some Android versions, such as 4.1.1, don't seem to
support user init-scripts — meaning those may (and do!) send stuff on the
network before torrific is up :(.

After many tests on my Nexus 4, running 4.4.4, it appears the system
tries to send at least 100 packages on the network before we can even
use the device :).

There's a warning regarding init-script support on the site. I really
tried hard to make it work, but no luck so far :(.

Also, most probably a ROM update will remove the init-script, and
torrific won't see that for now; I have to add some other checks. But
the idea is here, at least :).

… Knowing all is pretty useless on phone devices due to the closed
baseband, and the GSM protocol is pretty annoying, but at least we can do
something in order to get a safer (if not "the safest") device.
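The lockdown CJ describes (default DROP on INPUT/OUTPUT plus a leading REJECT rule), mirrored onto ip6tables as Mike suggests, as an added example script; it is not Torrific's own init-script, and the tool names on PATH, the TORRIFIC_APPLY switch and the verify step are assumptions.

```shell
#!/system/bin/sh
# Added example, not Torrific's init-script: block all IPv4 and IPv6
# traffic until the firewall app starts. Assumes iptables/ip6tables on PATH.

# Emit the rule set one command per line, IPv4 and IPv6 mirrored, so the
# same list can be reviewed or tested before anything is executed.
build_rules() {
    for tool in iptables ip6tables; do
        for chain in INPUT OUTPUT; do
            echo "$tool -P $chain DROP"        # default policy: drop
            echo "$tool -I $chain 1 -j REJECT" # first rule: reject
        done
        echo "$tool -P FORWARD DROP"           # nothing routed through
    done
}

# Apply every line from build_rules; stop at the first failure so a
# half-applied set (e.g. IPv4 locked, IPv6 open) does not go unnoticed.
# 'exit 1' leaves the pipeline subshell and makes apply_rules return 1.
apply_rules() {
    build_rules | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Check that BOTH tables carry the REJECT rule; a missing ip6tables entry
# is exactly the v6 bypass described in the thread.
verify_rules() {
    for tool in iptables ip6tables; do
        for chain in INPUT OUTPUT; do
            $tool -S "$chain" | grep -q -- "-j REJECT" || return 1
        done
    done
}

# Only touch the firewall when explicitly asked (needs root).
if [ "${TORRIFIC_APPLY:-0}" = 1 ]; then
    apply_rules && verify_rules
fi
```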
