Opened 4 weeks ago

Closed 3 weeks ago

#28125 closed defect (fixed)

Don't let Android leak DNS queries

Reported by: sysrqb
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile, tbb-proxy-bypass, TorBrowserTeam201810R
Cc: igt0, gk
Actual Points:
Parent ID: #5709
Points:
Reviewer:
Sponsor:

Description

In #27431 and #27375, it was reported that Android is leaking DNS requests. From #27431, in summary:

This is exactly what we feared. It looks like this is the result
of a bug within the Android core HTTP library. This leak is already
fixed in the more recent releases of Android. In particular, any
version after Android O (API 26+) should not leak DNS queries.

We should patch TBA so it relies on the Android core library as little as possible. We don't need the fancy optimizations Android provides with request pools and such, so I think we can simply create and manage a proxy connection ourselves.

#27822 may be related (but there isn't enough info available).

Change History (12)

comment:1 Changed 4 weeks ago by new_user

- I made a comment in #27822, and indeed I was using Android O SDK 27
- So again I tested Tor on Android 7.1
- DNS leaks on 7.1
- Latest alpha leaks DNS
- But Orfox is running fine; it does not leak DNS at all

comment:2 Changed 4 weeks ago by gk

Keywords: tbb-proxy-bypass added
Priority: Very High → Immediate

comment:3 Changed 4 weeks ago by sysrqb

Status: new → needs_review

I have branch 28125 on my public repo. I haven't confirmed it prevents all leaks, yet (but it should). It simply prevents all non-Necko connections. A better patch will take some more time.

comment:4 in reply to:  1 Changed 4 weeks ago by sysrqb

Replying to new_user:

- I made a comment in #27822, and indeed I was using Android O SDK 27
- So again I tested Tor on Android 7.1
- DNS leaks on 7.1
- Latest alpha leaks DNS
- But Orfox is running fine; it does not leak DNS at all

Are you using a physical device or an emulator?

comment:5 Changed 3 weeks ago by gk

Keywords: TorBrowserTeam201810R added

comment:6 Changed 3 weeks ago by new_user

@sysrqb yes, I used a real device in all tests

and this app: https://f-droid.org/en/packages/org.adaway/

Did not capture the whole packet, just DNS.

Although we can use the binary for full capture which comes with LineageOS, or you can install https://f-droid.org/en/packages/com.termux/ and use tcpdump with root.
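
Added example (not part of the ticket or of any participant's post): Python that reads a tcpdump capture of the kind mentioned above and lists the cleartext DNS queries in it, so a lookup for the host opened in the browser shows up as a leak. It assumes a classic little-endian pcap with Ethernet framing (a capture on one interface, not `-i any`); the function names, addresses and `leak-test.example` are constructed for illustration.

```python
import socket
import struct

def _query(frame):
    """Return (src, dst, qname) if the Ethernet frame is an IPv4 UDP/53 DNS query."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                          # too short, not IPv4, or not UDP
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]            # skip the IPv4 header (IHL in 32-bit words)
    if len(udp) < 20:
        return None                          # no room for UDP + DNS headers
    dport, = struct.unpack("!H", udp[2:4])
    dns = udp[8:]
    if dport != 53 or dns[2] & 0x80:         # QR bit set means a response, not a query
        return None
    labels, i = [], 12                       # question name follows the 12-byte DNS header
    while i < len(dns) and 0 < dns[i] < 0xC0:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ".".join(labels)

def cleartext_dns_queries(pcap):
    """List every DNS query found in a classic little-endian Ethernet pcap."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1" or struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet link type")
    found, off = [], 24                      # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack("<I", pcap[off + 8:off + 12])
        hit = _query(pcap[off + 16:off + 16 + incl_len])
        if hit:
            found.append(hit)
        off += 16 + incl_len
    return found

def leaked(pcap, visited_host):
    """Queries that name the host opened in the browser under test."""
    return [q for q in cleartext_dns_queries(pcap) if q[2].lower() == visited_host.lower()]

def sample_pcap():
    """Constructed capture: 192.0.2.10 asks 198.51.100.53 for leak-test.example."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    dns += b"\x09leak-test\x07example\x00" + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
    ip += socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.53") + udp
    frame = bytes(12) + b"\x08\x00" + ip     # zeroed MAC addresses, EtherType IPv4
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
```

An empty result from `leaked()` only covers the interface and time window that were captured.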

comment:7 Changed 3 weeks ago by new_user

And one question:
why was Orfox not leaking DNS, or was my test flawed??

I am just an end user, so I want to know the experts' opinion: should I continue to use Orfox?

comment:8 in reply to:  3 Changed 3 weeks ago by gk

Replying to sysrqb:

I have branch 28125 on my public repo. I haven't confirmed it prevents all leaks, yet (but it should). It simply prevents all non-Necko connections. A better patch will take some more time.

Looks good to me. Do we have an understanding about what those changes break (we'd need to mention that at least in our blog post)?

igt0: could you give it a round of testing on your devices, so we can start getting the Firefox security updates to Android?

Last edited 3 weeks ago by gk

comment:9 in reply to:  7 Changed 3 weeks ago by sysrqb

Replying to new_user:

And one question:
why was Orfox not leaking DNS, or was my test flawed??

I am just an end user, so I want to know the experts' opinion: should I continue to use Orfox?

Yes, Orfox uses a different Proxy type (HTTP CONNECT, instead of SOCKS5).

comment:10 Changed 3 weeks ago by igt0

For all my tests I have been using a real device connected to my computer, and I am using mitmproxy (https://mitmproxy.org/) to debug the HTTP(S) protocol and Wireshark for non-TLS stuff.

mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java
Steps:

  1. Open https://bitmovin-a.akamaihd.net/content/MI201109210084_1/m3u8s/f08e80da-bf1d-4e3d-8899-f0f6155f6efa.m3u8 or https://content.jwplatform.com/manifests/yp34SRmf.m3u8
  2. Look for connections to both URLs.

Result: I was not able to verify any connection open for those URLs.

mobile/android/base/java/org/mozilla/gecko/updater/UpdateService.java

Test cases:

  1. Enabled MOZ_UPDATER
  2. Click in the check for updates button
  3. Verify if any connection was made to the update URL

Result: No request was made

mobile/android/base/java/org/mozilla/gecko/CrashReporter.java
Not able to test.

mobile/android/geckoview/src/main/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java

It is disabled in our prefs and we don't plan to enable it soon. So I didn't test it.

comment:11 Changed 3 weeks ago by sysrqb

Great, thanks! I think the most noticeable change resulting from this patch is that favicons are not downloaded.

The patch prevents connections for the following functionality:

  • Sending Crash reports (already disabled) - CrashReporter.java
  • Search suggestions (SuggestClient.java)
  • Pocket (already broken, needs API key) - PocketStoriesLoader.java
  • After installation from Google Play (under certain conditions) - Distribution.java
  • Downloadable Content (Disabled at compile time) - dlc/BaseAction.java
  • Top/Suggested Sites - ImageLoader.java
  • (Fav)Icon download per tab - IconDownloader.java
  • Region-specific search engine (always default in TBA because missing API key) - SearchEngineManager.java
  • Download A/B testing framework config (already disabled) - Switchboard.java

As a result, the newly broken functionality includes Image downloading for Top/Suggested sites and favicon download.

comment:12 Changed 3 weeks ago by gk

Resolution: fixed
Status: needs_review → closed

Okay, the broken functionality is not great but I think we should pick what we have. commit 2c4b103cfef5eafe276713478abf8bd1db057730 on tor-browser.60.3.0esr-8.5-1 has the fix.
