Embedding Tor at the system level vs. as an app

Firewalling DNS per app is difficult because DNS queries are sent as UID 0 (the system resolver) rather than under the requesting app's UID

* this happens inside Android: the libc resolver hands lookups over a local socket to a system process (netd), which sends the actual query, so the app's UID is not visible on the wire
* this will probably require modifications to these Android internals
* this could be managed with SELinux: the SECMARK and/or CONNSECMARK iptables targets label packets and connections with a security context that policy can then match on

All DNS over Tor:
- more exposed to hijacking, since name resolution is done by the exit relay
- use DNS over TLS or DNS over HTTPS so the answer cannot be tampered with in transit

Why not use Android VPN?
- only one VPN can be active at a time on the device, so this conflicts with any VPN the user wants to run
- the user gets a persistent notification and a big scary warning dialog when a VPN is enabled

Use iptables to restrict traffic per app (matching on the app's UID)

When Tor is a system component, the UX should look and feel like Orbot

There should be a UI for choosing, per app, which apps go through Tor, which are denied all network access, etc.
Three options:

- Direct connection
- Over Tor
- No network

CopperheadOS lets the user revoke android.permission.INTERNET per app, but that can leak
- see the "No Permission Remote Shell" demo app, which demonstrates network access from an app that does not hold the permission
- iptables enforced at the root/kernel level is much safer

Initialize iptables early in startup with a default-deny policy, preventing all network connections until the per-app rules are in place

- run Orwall (or similar) after startup to apply the per-app rules
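
A rule generator for the three classes (direct / over Tor / no network) on top of the early default-deny policy, as an added example; this is not code from these notes, Orbot, Orwall or CopperheadOS. It assumes Tor listens on 127.0.0.1 with TransPort 9040 and DNSPort 5400 (both real torrc options) and runs under a dedicated UID; the TOR_UID value and the app UIDs in POLICY are made up for illustration. The output is iptables-restore format, so a ruleset can be loaded atomically as root early in boot and regenerated whenever the per-app UI changes a setting:

```sh
#!/bin/sh
# Added example (not code from these notes, Orbot, Orwall or CopperheadOS):
# generate an iptables-restore ruleset for the three per-app classes
# (direct / tor / none) on top of a default-deny OUTPUT policy.
#
# Assumptions, adjust for the real build:
#  - Tor runs under TOR_UID with "TransPort 127.0.0.1:9040" and
#    "DNSPort 127.0.0.1:5400" in its torrc (both are real torrc options).
#  - App UIDs come from the package manager; the ones in POLICY are made up.
TOR_UID=1999
TRANS_PORT=9040
DNS_PORT=5400

# Constructed sample policy, one "<uid> <direct|tor|none>" pair per line.
POLICY='10050 tor
10071 direct
10090 none'

# Print one rule line (avoids printf format strings that start with "-").
rule() { printf '%s\n' "$*"; }

# Print the IPv4 ruleset for iptables-restore; the policy list is $1.
gen_rules() {
  policy=$1

  printf '*nat\n:PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n'
  printf ':OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
  # Never rewrite loopback traffic or Tor's own connections.
  rule -A OUTPUT -o lo -j RETURN
  rule -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
  # DNS is sent by the system resolver as UID 0, not by the app, so it cannot
  # be attributed per app: send every port-53 query to Tor's DNSPort.
  rule -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  rule -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
  # tor class: new TCP connections are transparently proxied to TransPort.
  printf '%s\n' "$policy" | while read -r uid mode; do
    case $mode in
      tor) rule -A OUTPUT -m owner --uid-owner "$uid" -p tcp --syn \
             -j REDIRECT --to-ports "$TRANS_PORT" ;;
    esac
  done
  printf 'COMMIT\n'

  printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
  # Redirected packets now have a loopback destination, so accepting lo
  # covers both TransPort and DNSPort traffic.
  rule -A OUTPUT -o lo -j ACCEPT
  rule -A OUTPUT -m owner --uid-owner "$TOR_UID" -j ACCEPT
  # tor class: whatever was not redirected above (UDP, ICMP) cannot travel
  # over Tor; REJECT so the app fails fast instead of hanging.
  printf '%s\n' "$policy" | while read -r uid mode; do
    case $mode in
      direct) rule -A OUTPUT -m owner --uid-owner "$uid" -j ACCEPT ;;
      tor)    rule -A OUTPUT -m owner --uid-owner "$uid" -j REJECT ;;
      none)   rule -A OUTPUT -m owner --uid-owner "$uid" -j DROP ;;
    esac
  done
  # Unlisted UIDs, and UID 0 traffic other than DNS, hit the DROP policy.
  printf 'COMMIT\n'
}

# IPv6 companion: nothing is proxied there, so allow only loopback.
gen_rules6() {
  printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
  rule -A OUTPUT -o lo -j ACCEPT
  printf 'COMMIT\n'
}

# On the device, as root:  gen_rules "$POLICY" | iptables-restore
#                          gen_rules6 | ip6tables-restore
gen_rules "$POLICY"
gen_rules6
```

Two consequences of the DNS problem noted above show up directly in the rules: because every port-53 query leaves as UID 0, a direct-class app still gets its names resolved through Tor's DNSPort (there is no way to give it direct DNS without the SELinux labelling discussed earlier), and UDP from a tor-class app is rejected outright because TransPort only carries TCP. Loading the filter table with its DROP policy before Tor starts is what closes the window between boot and the first rule set.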

Full-disk encryption vs. file-based encryption?

- FDE should remain; file-based encryption could be useful but is not necessary

We should look at the Accounts API (AccountManager) to see if/when it connects to servers

Boot verification?
- some phones don't have full support
- optional when it is supported, but $100-200 phones likely won't support it
- it is not the end of the world if it is not available

Support for bridges/pluggable transports (PTs):

- use Orbot?

We'd need something like Tails' Unsafe Browser: an insecure, directly connected browser for things such as captive portal logins

Android's captive portal support
If we use DNS over TLS, there is a catch-22: the captive portal's hijacked DNS response never reaches us (the encrypted resolver simply cannot be reached), so the portal is never detected and cannot be logged in to

Captive portal autodetection: can we auto-fill the login?

MVP:
- early iptables
- boot verification
- no captive portal support?
  - not likely: that would make the device very difficult to use