Apr 21st, 2015, 1:01 am
hi,

my Android is destitute of some good apps to protect him from web menaces. I'm thinking of shielding him with some firewall, behind a proxy, together with some ad-filtering and just in case a network monitoring apk. Not much for a starter, but enough for now.

So,
- which might be the best disGUIse for iptables? I want to have an easy-to-use & free (yes, as usual) one, say AFWall+. Can anyone recommend sth better? (My Android uses no underwear: he's a SU!).
Provided no better choice, does anyone know of a good "from novice to master" guide to configure AFWall+, and take the most from iptables? (There's much work done at netfilter.org, but i'm fed up with browsing html pages: i prefer a pdf with a long introduction and plenty of howtos).
- on proxies: there's drony, icecoldapps' proxy server, and proxydroid (maybe other choices too, but my Android goes for these). Can anyone discard either of them, with a good reasoning? I think the three do the same things, more or less. Drony seems to be the most used one, but perhaps the other two might add some features...
After the choices are made, me and my android would need a fully detailed (PDF) guide to get the most out of a proxy (or into, it depends) understand all that can be done with one of such, etc. Any help there?
- now to ad-filtering and web browsing: whichever the browser, we need to keep head calm, and get rid of those nasty popups anywhere on the screen. Ad-away or Adblockplus? Me, i'd go for the latter, it gave me lots of satisfaction with firefox on PC. I've read about other options... Any suggestions? Any good guide on how to configure either of them?
- network monitoring: there's NetworkLog, but my android drops a message every time the app gets started: something like "no access to iptables, bye". I gave it root access, and iptables does work at the command prompt. Any help?

I might have forgotten some important security measure: your help is welcome.

After such a messy message, perhaps someone can help me put some order into my device. Any non free or open-source option should be discarded. Thanks.

Also, a short guide on android security in the Reviews or the Best of sections would be welcome.

Finally, thanks to this big family for these nearly 10 years helping us make the most out of our mobile devices.
Apr 23rd, 2015, 2:49 am
Hi, nice to see I'm not the only one caring about privacy and security.

While I can't help in specific questions, I can answer with some general hints:

You talk about proxies... why not use a VPN? Not a free service, but some paid one, or best, an encrypted tunnel with your home computer (that is free, and is as secure as you trust your home connection's ISP). And again, make sure your android has certificate pinning (aka, check if you can supply a forged certificate and still get allowed to connect. I heard some versions have problems with that.) or all your privacy goes *poof*.

For browsing security, keep in mind that most exploit packs are automated (they look for your user agent and try common vulnerabilities for that). So identifying your droid with the user agent of let's say... an iPhone, will still give you a mobile version of the site, but protect against eventual automated attacks (that works with pc also...) so, choose a browser that allows you to spoof the user agent to another device.

For network monitoring, it's too wide as a matter. There are powerful tools to accomplish efficient monitoring, but they are not so user friendly. If you want, dig more into tcpdump and its filters. You could set up canaries if, let's say, you hit a server located in china or you have outgoing connections to ftp or irc servers (ok, haven't seen many botnets on android yet...). Next step is using scapy on your phone (a python lib) but that's really some weird stuff :)

Other thing people usually miss is setting up a static address in your arp table for your router (when connected to wifi). This prevents MiTM attacks when you are in a lan. (not sure about the command, should be something like arp -s 192.168.1.1 aa:00:11:22:33:44 where the first is your router ip and the other is mac address).

Another thing is security with your GPS. If you use agps, little you know that personal information (like your IMSI) is leaked to the internet when you get the fix. You might think it's encrypted, but most times it's not. You might think connection is secured, but if there is no certificate pinning, again you're not. And besides, your personal data is not required to get that information, as MNC, LAC, CID are the only things needed to give you an approximate location.


Securing your droid is not an easy task but it's a nice toy to play with :)
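Added example (not part of the post above): a Python check of the static ARP entry the post suggests. It parses a constructed table in the `/proc/net/arp` layout, using the router IP and MAC from the post's `arp -s` line, and reports when the gateway entry is dynamic, has a different MAC, or shares its MAC with another host. The function names and the second table row are hypothetical.

```python
ATF_PERM = 0x04  # kernel ARP flag: permanent entry, i.e. set with `arp -s`

# Constructed sample in the /proc/net/arp layout; the second host is made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:00:11:22:33:44     *        wlan0
192.168.1.23     0x1         0x2         de:ad:be:ef:00:01     *        wlan0
"""

def parse_arp(text):
    """Return one dict per ARP entry, skipping the header and malformed rows."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = fields
        entries.append({"ip": ip, "flags": int(flags, 16),
                        "mac": mac.lower(), "dev": dev})
    return entries

def audit_gateway(text, gateway_ip, pinned_mac):
    """Return a list of findings; an empty list means the entry is pinned and sane."""
    entries = parse_arp(text)
    gateway = [e for e in entries if e["ip"] == gateway_ip]
    if not gateway:
        return ["gateway %s has no ARP entry" % gateway_ip]
    findings = []
    pinned = pinned_mac.lower()
    for entry in gateway:
        if entry["mac"] != pinned:
            findings.append("gateway MAC is %s, expected %s" % (entry["mac"], pinned))
        if not entry["flags"] & ATF_PERM:
            findings.append("gateway entry is dynamic, not static")
    # Two IPs resolving to the same MAC is a common sign of ARP spoofing on a LAN.
    for entry in entries:
        if entry["ip"] != gateway_ip and entry["mac"] == gateway[0]["mac"]:
            findings.append("%s shares the gateway MAC %s" % (entry["ip"], entry["mac"]))
    return findings

if __name__ == "__main__":
    # On a device, pass open("/proc/net/arp").read() instead of the sample.
    for finding in audit_gateway(SAMPLE_ARP, "192.168.1.1", "aa:00:11:22:33:44"):
        print(finding)
```

With the sample as written, the only finding is that the gateway entry is still dynamic, which is the state before the static entry has been set.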
Apr 23rd, 2015, 7:38 pm
articfusion wrote: Hi, nice to see I'm not the only one caring about privacy and security.

What i care most is for privacy.

You talk about proxies... why not use a VPN? (... some paid one, or best, an encrypted tunnel ...)

My biggest care is for doors, not tunnels: my Android seems to have some biological poison produced by some kind of softtoxin (perhaps it's mutating into a sheep), and i need to control the synapse (later i'll care about the whole transmission).
You see, using iptables, proxies, ad-filtering -and web browsing-, and network monitoring i just want to know and filter what comes and goes.
A VPN handles the traffic, and gets implemented by means of data transfer protocols. A proxy, on the other hand, just acts as a "proxy" (an agent, a delegate), not as a whole communication protocol. Or at least, that's my concern with a proxy: to create an "overlaid door" on my Android to spoof / control data passthrough.
In fact i'm using some implementations of VPN services: SSL/TLS for my mail comms (i'm using gmail & yahoo accounts), and i also have a SSH terminal that i have never used (ConnectBot).

...make sure your android has certificate pinning (aka, check if you can supply a forged certificate and still get allowed to connect. I heard some versions have problems with that.) or all your privacy goes *poof*...

This deals again with secure channels. I'm not sure, but i think SSH gets it done in an alternate way... SSL is more than enough for my security concerns. I leave certificate validation task for the web browser.

For browsing security, keep in mind that most exploit packs are automated (they look for your user agent and try common vulnerabilities for that). So identifying your droid with the user agent of let's say... an iPhone, will still give you a mobile version of the site, but protect against eventual automated attacks (that works with pc also...)

That's a good point i had misconsidered. I got used to Firefox on PC, but i feel chrome works better in Android: i'll look for a chrome addon to impersonate user agent.

For network monitoring, it's too wide as a matter. There are powerful tools to accomplish efficient monitoring, but they are not so user friendly. If you want, dig more into tcpdump and its filters.

NetworkLog should be doing tcpdump's job. It's not sth i care much about, but I'd prefer a GUI based tool.

Other thing people usually miss is setting up a static address in your arp table for your router (when connected to wifi). This prevents MiTM attacks when you are in a lan.

My Android is independent to excess, does not have any LAN-based enemies.

Another thing is security with your GPS. If you use agps, little you know that personal information (like your IMSI) is leaked to the internet when you get the fix...

Well, i did. I never use AGPS. (In fact i have a nokia s40 phone and an Android tablet. the former does not even have a GPS).

Securing your droid is not an easy task but it's a nice toy to play with :)

I did not even get to play with it, but it's more a matter of having some more privacy than the security one could get. Anyway, who cares about what i do with my handheld devices? Google? Mobile operators? Governments? CIA / NSA / FBI? Interpol? ECHELON / ENFOPOL / SITEL? Julian Assange?
(Definitely, my Android - not a nexus - is behaving like a sheep. Maybe it's me).
Apr 24th, 2015, 2:57 pm
My biggest care is for doors, not tunnels: my Android seems to have some biological poison produced by some kind of softtoxin (perhaps it's mutating into a sheep), and i need to control the synapse (later i'll care about the whole transmission).
You see, using iptables, proxies, ad-filtering -and web browsing-, and network monitoring i just want to know and filter what comes and goes.


I once started to write my own on-device proxy with python, it was good for simple usage, but for more advanced features it was too much of a hassle to reinvent the wheel... there are much more lightweight solutions when you decide to delegate filtering and monitoring to another machine (again, a tunneled computer at home) running something like burp proxy. Less work for your phone, more fun with data on a big computer screen.

NetworkLog should be doing tcpdump's job. It's not sth i care much about, but I'd prefer a GUI based tool.


GUIs are nice, but java apps might take more resources than needed, and if you are planning to run multiple layers of security, you'll find your device clogged up. It's ok to start with a gui, but when you understand what are the best settings for you, just turn to command-line only and script it, either with bash, python, ruby, perl etc... sl4a is an awesome project. Your device resources will thank you.

Well, i did. I never use AGPS. (In fact i have a nokia s40 phone and an Android tablet. the former does not even have a GPS).


s60 user here, since early days. Too bad to see Symbian die... but it's still my choice as a primary phone.

Anyway, who cares about what i do with my handheld devices?


They all don't care what YOU do, they care what millions of people do. They collect as much information as they can, for the most various reasons, but they are not targeting you or me in particular. Our individual data is irrelevant to them, but ALL our data is gold.

I'll leave a couple of links that might interest you about privacy apps and making a more secure phone:

https://prism-break.org/en/categories/android/

https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
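Added example (not part of the post above): the scripted, GUI-free monitoring suggested in this post, applied to the canary idea from earlier in the thread (outgoing connections to FTP or IRC servers). It decodes a constructed table in the `/proc/net/tcp` layout and returns the owning uid and remote endpoint of each active hit. The port list, function names and sample rows are assumptions, and the address decoding assumes a little-endian CPU.

```python
import socket
import struct

CANARY_PORTS = {21: "ftp", 6667: "irc"}  # services named in the thread
ACTIVE_STATES = {"01", "02"}              # ESTABLISHED, SYN_SENT

# Constructed sample in the /proc/net/tcp layout (documentation addresses).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1701A8C0:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10083        0 20001
   1: 1701A8C0:C351 057100CB:1A0B 01 00000000:00000000 00:00000000 00000000 10112        0 20002
   2: 1701A8C0:C352 076433C6:0015 02 00000000:00000000 00:00000000 00000000 10112        0 20003
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20004
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The kernel prints the IPv4 address as a host-order integer, so on a
    little-endian CPU the bytes appear reversed; the port is plain hex.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def canary_hits(text):
    """Return (uid, remote_ip, remote_port, service) for active canary connections."""
    hits = []
    for line in text.splitlines()[1:]:    # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue                       # ignore truncated rows
        state, uid = fields[3], int(fields[7])
        if state not in ACTIVE_STATES:
            continue                       # listeners and closing sockets are not hits
        ip, port = decode_endpoint(fields[2])
        if port in CANARY_PORTS:
            hits.append((uid, ip, port, CANARY_PORTS[port]))
    return hits

if __name__ == "__main__":
    # On a device, pass open("/proc/net/tcp").read() instead of the sample.
    for uid, ip, port, service in canary_hits(SAMPLE_TCP):
        print("uid %d -> %s:%d (%s)" % (uid, ip, port, service))
```

On Android each app runs under its own uid, so the uid column identifies which app opened the connection.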
Apr 25th, 2015, 12:48 am
articfusion wrote: I once started to write my own on-device proxy with python, it was good for simple usage, but for more advanced features it was too much of a hassle to reinvent the wheel... there are much more lightweight solutions

GUIs are nice, but java apps might take more resources than needed, and if you are planning to run multiple layers of security, you'll find your device clogged up. It's ok to start with a gui, but when you understand what are the best settings for you, just turn to command-line only and script it.

I fully agree with you on java, but i think native apps are the way to go. Command-line on a touch device? (you mean, "my Android plagued with a full qwerty keyboard"?) Fortunately i got rid of AIX & HP-UX a long, long time ago... not to backslide.

s60 user here, since early days. Too bad to see Symbian die... but it's still my choice as a primary phone.

Lucky you. I wish i could acquire an S60, but nowadays it's mission impossible (like fully shielding an Android with Tor).
Should you be able to help me get an S60... p.m. me ;-)

They all don't care what YOU do, they care what millions of people do. ... but they are not targeting you or me in particular. Our individual data is irrelevant to them, but ALL our data is gold.

Mmmmm.... who knows... I'm not the one to share names for some relevant guys who do care about my data... These "sniffers" get their job very well done, for sure.

...making a more secure phone

You know it every bit as well as i do: there's no secure phone. No matter what software, firmware or hardware you use. Every bit that we share is being watched over.

The only way to keep our data safe is not to expose it.
Apr 25th, 2015, 1:52 am
gautxori wrote: I fully agree with you on java, but i think native apps are the way to go. Command-line on a touch device?


I hate typing on a touch device... that's why I either attach a usb keyboard, or write from pc and ssh my files to the phone. Once it's scripted (I mainly use python) I create a shortcut of the script on the homescreen or I just open sl4a and run from there. No typing on phone required.

I wish i could acquire an S60, but nowadays it's mission impossible (like fully shielding an Android with Tor).
Should you be able to help me get an S60... p.m. me ;-)


Yeah, you won't have any luck getting a brand new one, but there's still a lot of people selling their old ones, that's how I got mine (after my other one's screen broke). Look up some website for used stuff, and find someone you can reach in person. I only buy used if I can test the stuff, never got any coaster.

And Tor is not the solution to all evil either. Not saying 'tor is dead', but it has its security problems too (exit nodes can still see / manipulate traffic) then there are ways to deanonymize or profile you anyway. Tor is a big help, but requires you to know exactly what to do and what not to.

You know it every bit as well as i do: there's no secure phone. No matter what software, firmware or hardware you use. Every bit that we share is being watched over.
The only way to keep our data safe is not to expose it.


We're all being watched, but nobody really cares about us (with a few exceptions). Think about how many texts, images, comments, phonecalls, lolcats and cheezburgers are shared every day, every hour, every second from almost every corner of Earth. That's just too much work even for the most advanced supercomputer network to elaborate and store. There's a lot of people fighting to keep privacy as a value, and a whole 99% that doesn't care about it, but as long as that majority keeps sharing duckface selfies in their bathroom, or funny captioned cats, they are contributing to polluting the internet with useless information that intoxicates those surveillance systems. That's the way the universe balances itself. For once,
Apr 26th, 2015, 11:50 pm
articfusion wrote: I hate typing on a touch device... that's why I either attach a usb keyboard, or write from pc and ssh my files to the phone. Once it's scripted (I mainly use python) I create a shortcut of the script on the homescreen or I just open sl4a and run from there. No typing on phone required.

:o have you tried MyPhoneExplorer's Text Input or Phone Keyboard?

(For the sake of keeping to the subject, i'll leave out comments on my beloved nokia mobiles)
Tor is not the solution to all evil either. Not saying 'tor is dead', but it has its security problems too (exit nodes can still see / manipulate traffic) then there are ways to deanonymize or profile you anyway

"Exit Nodes". That was what i was talking about: the doors, not the tunnel.
To be honest, i downloaded some Tor apks some time ago, installed and removed them shortly afterwards: a waste of time and memory.

Ok. These general statements proved quite useful. Thanks,
Apr 28th, 2015, 4:04 am
gautxori wrote: have you tried MyPhoneExplorer's Text Input or Phone Keyboard?


Nope, I'll look into them. I would really use any keyboard that supports big keys and T9, as for me it's still faster than any full keyb (except for a computer one). Even with a Nokia e71 (that has full hardware keyboard) I'm slower than my well trained N95 t9.

(For the sake of keeping to the subject, i'll leave out comments on my beloved nokia mobiles)


There's only the two of us here in this thread, and it's 'general talk'. So I don't think anyone would mind our little off-topic :P

To be honest, i downloaded some Tor apks some time ago, installed and removed them shortly afterwards: a waste of time and memory.


Tor on device is cool, but for resource saving on phone, if I ever needed Tor, I'd make it run from my home box, connected to the neighbor's wifi (ok, I didn't really say that...) and properly tunneled on my droid. Less resources, more privacy. I'm not so paranoid about that, but that's how I'd do it if I ever needed.