[tor-talk] Android app: Torrific

CJ tor at tengu.ch
Fri Jul 25 08:13:00 UTC 2014



On 07/25/2014 09:24 AM, isis wrote:
> CJ transcribed 2.5K bytes:
>>
>> On 07/24/2014 03:54 PM, u wrote:
>>> CJ:
>>>> On 07/24/2014 01:23 PM, u wrote:
>>>>> Lunar:
>>>>>> CJ:
>>>>>>> Just a small announcement (not sure if this is the right ML, sorry).
>>>>>>> I'm developing an Android app allowing you to block all IP traffic and
>>>>>>> force only selected apps through Orbot.
>>>>>>> This is done because neither Orbot nor AFWall (nor any other free, open-source
>>>>>>> Android iptables management interface) seems to be able to do that…
>>>>>> Orbot is free software. Isn't there a way to add the needed features
>>>>>> directly to it?
>>>>>>
>>>>>> Sorry if it's a naive question, I'm not very knowledgeable regarding
>>>>>> Android. But I know that asking our users to install 3 different apps or
>>>>>> even more is not friendly.
>>>>> AFAIK this works in Orbot if you have a rooted Android device.
>>>> Not the "block all other output" part in fact :)
>>> That said, I am also interested in your answer to Lunar's question :)
>>> Why not contribute to Orbot instead?
>>>
>>> Cheers!
>> It's possible I'll push a pull request later, yes.
>> But, as said in a previous email, I'm not really sure it's Orbot's job
>> to set up a firewall… I'd rather have a dedicated app for a dedicated task —
>> Orbot's main task is, for me, connecting to the Tor network… Basically, this
>> just doesn't involve the firewall at all.
>>
>> But yeah, I know, users like "all-in-one apps" — who knows, once
>> Torrific is ready (i.e. no more broken rules, no more bugs like "crap,
>> network's broken")… the devs may get some PR ;).
>> Torrific is also, for me, a way to play with Android without annoying
>> other applications.
>>
>> To be honest, I'd rather contribute this function in AFWall than Orbot,
>> as it already is a firewall manager (and not a bad one).
>>
>> Cheers,
>>
>> C.
> 
> I agree that this should be done outside Orbot, for several reasons that I'm
> not going to get dragged into again. And FWIW, Mike's blog post on Android
> security specifically recommends setting up DroidWall (a similar AOS
> iptables-based firewall app) with some bash scripts to log and deny all leaky
> traffic from Orbot.
> 
> My primary concern would be regarding whether Torrific's iptables rules are
> applied ASAP after Orbot starts Tor, and I actually can't recommend anything
> there (short of building a new initramfs which enforces starting the firewall
> from there, early during the boot process).

Torrific works with an init script blocking all the traffic — the same way
DroidWall or AFWall work, with the same problem on older Android versions.
Torrific starts on boot, maybe earlier than Orbot, which is a good
thing. It also uses the Orbot UID (as well as the app UID) in order to set the
redirects and allow Orbot to go out.

> 
> DroidWall already has a mechanism for running user-specified scripts at
> startup... Perhaps the most portable way to do what you're trying to do would
> be to add a similar script-sourcing mechanism to AFWall? Then you could simply
> maintain a repo of startup scripts which (hopefully) work for any Android
> firewall app which supports this mechanism.

The problem with handmade scripts: how do you catch the app UID automatically?
That's not user-friendly. Not at all…
That was the first version of this app: an init script, a "lib" written
in shell, and a script applying the rules, using a shell array as the source
for application information.

The app I've written lists the installed applications requesting network
access; you just have to check those you want to allow network
access and they are forced through Orbot :).

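As an added illustration of the rule set the messages above describe (this is not Torrific's, AFWall's, DroidWall's or Orbot's own code): a POSIX shell function that emits, in order, the iptables rules for a default-deny firewall that lets the Orbot UID reach the network directly and redirects the TCP and DNS traffic of selected app UIDs to Orbot's transparent proxy, logging and dropping everything else. The port numbers 9040 (TransPort) and 5400 (DNSPort) are assumed Orbot defaults, not values from the thread; the UIDs are constructed sample values passed by the caller. With the default `IPT` setting the function only prints the commands, so the rule order can be reviewed off-device; on a rooted device set `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not Torrific's code: generate the Orbot-only firewall rules
# described in the thread. Default-deny first, then allow Orbot's UID out,
# then redirect each selected app UID through Orbot's local ports.
# Assumptions (not stated in the thread): Orbot listens on TransPort 9040
# and DNSPort 5400; UIDs come from the caller. IPT defaults to printing.
IPT="${IPT:-echo iptables}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5400}"

# torrific_rules ORBOT_UID APP_UID...
# Emits (or applies, if IPT is a real binary) the rules in a safe order.
torrific_rules() {
    orbot_uid="$1"; shift

    # 1. Flush and default-deny before anything is permitted, so nothing
    #    leaks during the window while rules are being (re)applied.
    $IPT -t filter -F OUTPUT
    $IPT -t nat -F OUTPUT
    $IPT -P OUTPUT DROP

    # 2. Loopback must stay open: redirected packets are rerouted to lo,
    #    and apps talk to Orbot's local SOCKS/trans ports over it.
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 3. Orbot itself is the only UID allowed to reach the Internet directly.
    $IPT -A OUTPUT -m owner --uid-owner "$orbot_uid" -j ACCEPT

    # 4. Each selected app: rewrite DNS to Orbot's DNSPort and new TCP
    #    connections to Orbot's TransPort (nat OUTPUT runs before filter
    #    OUTPUT for locally generated packets, so the filter rules below
    #    already see the redirected destination). Local destinations are
    #    excluded from the TCP redirect so an app's own loopback
    #    connections (e.g. to Orbot's SOCKS port) are left alone.
    for uid in "$@"; do
        $IPT -t nat -A OUTPUT -m owner --uid-owner "$uid" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
        $IPT -t nat -A OUTPUT -m owner --uid-owner "$uid" ! -d 127.0.0.0/8 -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"
        # Explicit accepts for the redirected flows (belt and braces next
        # to the loopback rule above). Any other protocol from this UID,
        # e.g. non-DNS UDP that Tor cannot carry, falls through to step 5.
        $IPT -A OUTPUT -m owner --uid-owner "$uid" -p udp --dport "$DNS_PORT" -j ACCEPT
        $IPT -A OUTPUT -m owner --uid-owner "$uid" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    done

    # 5. Log, then drop, everything that is left: this is the "log and deny
    #    all leaky traffic" part, and the log prefix makes leaks greppable
    #    in dmesg/logcat.
    $IPT -A OUTPUT -j LOG --log-prefix "torrific-leak: "
    $IPT -A OUTPUT -j DROP
}

# Stand-alone run with constructed UIDs (1030 for Orbot, 10042 for one app);
# with the default IPT this only prints the rule set.
torrific_rules 1030 10042
```

The order matters more than the individual rules: the policy is set to DROP before any ACCEPT exists, and the final LOG rule is what turns "blocked" into "observable", which is the property isis asks about for the interval between boot and Orbot starting Tor.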