# Perfectly Private Android Networking (Almost)

I thought I'd found the perfect (in relation to privacy) network setup for my Android phone. I have a rooted [OnePlus One](https://oneplus.net/one) running [CyanogenMod 12](https://lineageos.org/) ([Lollipop](https://www.android.com/versions/lollipop-5-0/)).

To start, I installed [OpenVPN](https://openvpn.net/) and configured my phone to route all of my network traffic over it. The VPN end-point is a server I have at home on the end of a static IP address. This allows me to use my phone on untrusted networks (open wifi and my mobile network provider's) without having to worry about having my traffic sniffed/altered/generally messed with.

On top of this, I installed [Orbot](https://www.torproject.org/docs/android.html) (for [Tor](https://www.torproject.org/)) and [orWall](https://orwall.org/) (a Tor-aware firewall). orWall allows me to specify on a per-app basis what sort of network access to use (None/Torified/Direct). So for example, I can let [Firefox](https://play.google.com/store/apps/details?id=org.mozilla.firefox) have a "direct" connection to the Internet (via the VPN), whilst forcing [K-9 Mail](https://play.google.com/store/apps/details?id=com.fsck.k9) to use Tor, and blocking [Angry Birds](https://play.google.com/store/apps/details?id=com.rovio.angrybirds) from accessing the Internet at all.

This works because every Android app runs under its own UID, and [iptables](https://wikipedia.org/wiki/Iptables) lets us specify rules matching specific UIDs when the packet is generated locally. For example, the following rule would block any outgoing TCP port 80 packets generated by a process running under UID 1234:

```bash
iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner 1234 -j DROP
```

The reason this setup isn't perfect is that, since Android 4.3, DNS lookups are done using an in-kernel DNS resolver. So *all* DNS lookups appear to come from UID 0 (root). This makes it impossible to distinguish between DNS lookups which originate from Firefox, K-9 Mail or Angry Birds etc. orWall's reaction to this is to force all DNS requests to go via Tor. For apps which are supposed to use a direct connection, this isn't so bad, but for apps which are supposed to be blocked from any Internet access, it's quite a large hole. Angry Birds can now communicate with the outside world by tunnelling its traffic over DNS. For example, it could perform the DNS query:

```text
device-id.other-private-info.tracker.example.com
```

If there is a DNS server handling traffic for "tracker.example.com", it can simply listen for such requests and decode/log them.

So yeah, almost perfect, but not quite, thanks to this in-kernel DNS resolver madness. This is not orWall's fault and the same problem exists for any application firewall running on Android.

P.S. If you've got a non-rooted phone, and simply want to route all traffic over Tor (rather than on a per-app basis), apparently Orbot can handle that now. It simply presents itself as a VPN provider to the system. Pretty smart.
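Since the firewall on the phone cannot attribute DNS to an app, the place to catch the DNS covert channel described above is a resolver or passive DNS log you control. The following is an added example, not code from the original post or from orWall: it scans a constructed query log and flags an apex domain once several distinct, long, high-entropy labels appear beneath it, the signature of `device-id.other-private-info.tracker.example.com`-style queries. The log format and thresholds are assumptions.

```python
"""Flag apex domains receiving many distinct, encoded-looking subdomain labels."""
import math
from collections import Counter, defaultdict

# Constructed resolver log for the example: "<seq> <client> <qname>" per line.
SAMPLE_LOG = """\
1 10.8.0.2 www.example.org
2 10.8.0.2 mail.example.org
3 10.8.0.2 autoconfig.example.org
4 10.8.0.2 a1b2c3d4e5f6.6b3f9a0c1d2e.tracker.example.com
5 10.8.0.2 a1b2c3d4e5f6.7c4a0b1d2e3f.tracker.example.com
6 10.8.0.2 a1b2c3d4e5f6.8d5b1c2e3f40.tracker.example.com
7 10.8.0.2 cdn.example.net
"""

MIN_LABEL_LEN = 10      # assumed: shorter labels carry too little data to bother encoding
MIN_ENTROPY = 3.0       # assumed: bits per character; ordinary hostnames usually sit lower
MIN_ENCODED_LABELS = 3  # assumed: distinct encoded-looking labels before an apex is flagged


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(label):
    """True for a label long and random-looking enough to be carrying encoded data."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def apex_of(qname):
    """Approximate the registrable domain as the last two labels (ignores suffixes like co.uk)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def analyse(log_text):
    """Return {apex: stats} for every apex with at least MIN_ENCODED_LABELS distinct encoded labels."""
    stats = defaultdict(lambda: {"encoded_labels": set(), "payload_chars": 0, "queries": 0})
    for line in log_text.splitlines():
        qname = line.split()[-1]
        s = stats[apex_of(qname)]
        s["queries"] += 1
        for label in qname.split(".")[:-2]:  # only labels below the apex can carry data
            if looks_encoded(label):
                s["encoded_labels"].add(label)
                s["payload_chars"] += len(label)  # rough upper bound on exfiltrated characters
    return {a: s for a, s in stats.items() if len(s["encoded_labels"]) >= MIN_ENCODED_LABELS}


if __name__ == "__main__":
    for apex, s in analyse(SAMPLE_LOG).items():
        print(f"{apex}: {len(s['encoded_labels'])} encoded labels, "
              f"~{s['payload_chars']} chars across {s['queries']} queries")
```

A single label such as `autoconfig` can pass the per-label test, which is why the decision is made per apex on the count of distinct encoded labels rather than on any one query.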