Changes between Version 2 and Version 3 of org/meetings/2018MexicoCity/Notes/EmbeddingTorInAndroid


Timestamp:
Oct 11, 2018, 2:00:32 PM (8 months ago)
Author:
eighthave
Comment:

added more details from my memory

  • org/meetings/2018MexicoCity/Notes/EmbeddingTorInAndroid

    v2 v3  
    22
    33Firewalling is difficult for DNS resolution because those are sent via UID 0 rather than per-app UID
     4 * this happens in the Android guts, socket requests internally direct DNS requests to a system process
     5 * probably will require modifications to these Android internals
     6 * this could be managed using SELinux with SECMARK and/or CONNSECMARK
    47
    58All DNS over Tor:
    69    - More likely susceptible to hijacking
     10    - use DNS over TLS or HTTPS
    711
    812Why not use Android VPN?
    9     - Only one VPN enabled at a time
    10     - User notification about VPN enabled
     13    - Only one VPN can be enabled at a time on the device
     14    - User notification about VPN enabled with big scary warning
    1115
    1216Using iptables for restricting per-app traffic
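Review bot: the added line "use DNS over TLS or HTTPS" under "All DNS over Tor: More likely susceptible to hijacking" does not say whether DoT/DoH is meant as a replacement for resolving through Tor or as encryption layered on top of it, so the mitigation is ambiguous; spell out which, since the two options have different trust and leak properties. The UID 0 hunk above would also read better with a note that a per-app iptables owner match cannot see the originating app once the request has been proxied by a system process, which is the reason the SECMARK/CONNSECMARK option is raised.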
     
    2024    - No network
    2125
    22 
    23 Copperhead allows restricting Networking
    24 iptables at root level is safer
     26Copperhead allows restricting android.permission.INTERNET permission, but that can leak
     27    - see "No Permission Remote Shell" demo app
     28    - iptables at root level is much safer
    2529
    2630iptables initialization early in startup, preventing all network connections
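Review bot: the rewritten Copperhead lines say that restricting android.permission.INTERNET "can leak" and point at the "No Permission Remote Shell" demo, but they do not state what the leak path is, so the conclusion that root-level iptables is "much safer" is not grounded in the text; add a short line naming the mechanism the demo relies on (or link the demo), and tie it to the following line about early iptables initialization so the reader sees why the firewall has to be in place before any app can start.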
     
    3539    - Some phones don't have full support
    3640    - Optional when it is supported, but $100-200 phones likely won't support it
     41    - it is not the end of the world if it is not available
    3742
    3843Support for bridges/PTs: