[tor-talk] Android app: Torrific

isis isis at torproject.org
Fri Jul 25 07:24:10 UTC 2014


CJ transcribed 2.5K bytes:
> 
> On 07/24/2014 03:54 PM, u wrote:
> > CJ:
> >> On 07/24/2014 01:23 PM, u wrote:
> >>> Lunar:
> >>>> CJ:
> >>>>> Just a small announce (not sure if this is the right ML, sorry).
> >>>>> I'm developing an Android app allowing to block all IP traffic, and
> >>>>> force only selected app through Orbot.
> >>>>> This is done because neither Orbot nor AFWall (or other free, opensource
> >>>>> Android iptables management interface) seem to be able to do that…
> >>>> Orbot is free software. Isn't there a way to add the needed features
> >>>> directly to it?
> >>>>
> >>>> Sorry if it's a naive question, I'm not very knowledgeable regarding
> >>>> Android. But I know that asking our users to install 3 different apps or
> >>>> even more is not friendly.
> >>> AFAIK this works in Orbot if you have a rooted Android device.
> >> Not the "block all other output" part in fact :)
> > That said, I am also interested in your answer to Lunar's question :)
> > Why not contribute to Orbot instead?
> >
> > Cheers!
> It's possible I push some pull-request later, yes.
> But, as said in some previous email, I'm not really sure it's Orbot's job
> to set up firewall… I rather prefer dedicated app for dedicated task —
> Orbot main task is, for me, connecting to Tor network… Basically, this
> just doesn't involve the firewall at all.
> 
> But yeah, I know, users like "all-in-one apps" — who knows, once
> torrific is ready (i.e. no more broken rules, no more bugs like "craps,
> network's broken")… the devs may get some PR ;).
> Torrific is also, for me, a way to play with android without annoying
> other applications.
> 
> To be honest, I'd rather contribute this function in AFWall than Orbot,
> as it already is a firewall manager (and not a bad one).
> 
> Cheers,
> 
> C.

I agree that this should be done outside Orbot, for several reasons that I'm
not going to get dragged into again. And FWIW, Mike's blog post on Android
security specifically recommends setting up DroidWall (a similar AOS
iptables-based firewall app) with some bash scripts to log and deny all leaky
traffic from Orbot.

My primary concern would be regarding whether Torrific's iptables rules are
applied ASAP after Orbot starts Tor, and I actually can't recommend anything
there (short of building a new initramfs which enforces starting the firewall
from there, early during the boot process).

DroidWall already has a mechanism for running user-specified scripts at
startup... Perhaps the most portable way to do what you're trying to do would
be to add a similar script-sourcing mechanism to AFWall? Then you could simply
maintain a repo of startup scripts which (hopefully) work for any Android
firewall app which supports this mechanism.

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
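
Added example, not part of the original message and not code from Torrific, Orbot, AFWall or DroidWall: a startup-script generator for the kind of rule set the thread discusses, which denies all output by default, lets only the Tor daemon out directly, redirects selected app UIDs into Tor, and logs then rejects everything else. The port numbers (TransPort 9040, DNSPort 5400) and the UIDs are assumptions; the function only prints the commands.

```shell
#!/bin/sh
# Added example: PRINTS a fail-closed iptables rule set; it executes nothing.
# Assumptions (not from the thread): Tor TransPort 9040 and DNSPort 5400 on
# 127.0.0.1, and the constructed UIDs in the sample call at the bottom.
TRANS_PORT=9040
DNS_PORT=5400

# Accept only plain decimal UIDs, since the output is meant to be fed to a shell.
is_uid() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# emit_rules TOR_UID [APP_UID...]: write the rule set to stdout, or return 1.
emit_rules() {
    [ $# -ge 1 ] || { echo "usage: emit_rules TOR_UID [APP_UID...]" >&2; return 1; }
    for u in "$@"; do
        is_uid "$u" || { echo "bad uid: $u" >&2; return 1; }
    done
    tor_uid=$1; shift

    # Default-deny first, so a failure later in the script fails closed.
    echo "iptables -P OUTPUT DROP"
    echo "ip6tables -P OUTPUT DROP"
    echo "iptables -F OUTPUT"
    echo "iptables -t nat -F OUTPUT"
    echo "ip6tables -F OUTPUT"

    # The Tor daemon itself is the only process allowed straight out.
    echo "iptables -A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT"

    # Each selected app: rewrite DNS and TCP to Tor's local ports, then
    # accept only that rewritten traffic.
    for u in "$@"; do
        m="-m owner --uid-owner $u"
        echo "iptables -t nat -A OUTPUT $m -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
        echo "iptables -t nat -A OUTPUT $m -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
        echo "iptables -A OUTPUT $m -d 127.0.0.1 -p udp --dport $DNS_PORT -j ACCEPT"
        echo "iptables -A OUTPUT $m -d 127.0.0.1 -p tcp --dport $TRANS_PORT -j ACCEPT"
    done

    # Anything left is a leak: log it with the offending UID, then refuse it.
    echo "iptables -A OUTPUT -j LOG --log-prefix 'tor-leak: ' --log-uid"
    echo "iptables -A OUTPUT -j REJECT"
}

# Constructed sample: Tor runs as UID 10050; apps 10071 and 10072 are torified.
emit_rules 10050 10071 10072
```

The printed commands can be reviewed and then piped to a root shell from a firewall app's startup-script hook. Ordering the rules fail-closed does not remove the window before the script runs at boot, which is the concern raised in the message above.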