I thought I’d found the perfect (in relation to privacy) network setup for my Android phone. I have a rooted OnePlus One running CyanogenMod 12 (Lollipop). To start, I installed OpenVPN and configured my phone to route all of my network traffic over it. The VPN end-point is a server I have at home on the end of a static IP address. This allows me to use my phone on untrusted networks (open wifi and my mobile network providers) without having to worry about having my traffic sniffed/altered/generally messed with. On top of this, I installed Orbot (for Tor) and orWall (a Tor aware firewall). orWall allows me to specify on a per-App basis what sort of network access to use (None/Torified/Direct). So for example, I can let Firefox have a “direct” connection to the Internet (via the VPN), whilst forcing K-9 Mail to use Tor, and blocking Angry Birds from accessing the Internet at all. This works because every Android app runs under its own UID, and iptables lets us specify rules matching specific UIDs when the packet is generated locally. For example, the following rule would block any outgoing tcp port 80 packets generated by a process running under UID 1234:
iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner 1234 -j DROP
The reason this setup isn’t perfect, is because since Android 4.3, DNS lookups are now done using an in-kernel DNS resolver. So all DNS lookups appear to come from UID 0 (root). This makes it impossible to distinguish between DNS lookups which originate from Firefox, K-9 Mail or Angry Birds etc. orWalls reaction to this is to force all DNS requests to go via Tor. For apps which are supposed to use a direct connection, this isn’t so bad, but for apps which are supposed to be blocked from any Internet access, it’s quite a large hole. Angry Birds can now communicate with the outside World by tunnelling it’s traffic over DNS. For example, it could perform the DNS query:
If there is a DNS server handling traffic for “tracker.example.com” it can simply listen for such requests and decode/log them. So yeah, almost perfect, but not quite, thanks to this in-kernel DNS resolver madness. This is not orWalls fault and the same problem exists for any application firewall running on Android. P.S. If you’ve got a non-rooted phone, and simply want to route all traffic over Tor (rather than on a per-App basis), apparently Orbot can handle that now. It simply presents it’s self as a VPN provider to the system. Pretty smart.