2014-06-12
Using Tor with Firefox OS
Update - Please read my followup post for some additional information and updated steps on building and installing tor on Firefox OS.
Please read the disclaimer at the end of this article. This is a proof of concept. It's a manual process and you shouldn't depend on it. Make sure you understand what you are doing.
I'm a fan of Tor. The Tor site explains what it does:
Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
I make my personal website available as a Tor hidden service accessible from mh7mkfvezts5j6yu.onion. I try to make other sites I'm involved with also have a presence over Tor. I do a fair amount of my browsing over the Tor network for no reason other than I can and it limits the opportunity for people snooping on my data.
I want to be able to use Tor from Firefox OS. In particular I want it embedded as low level as possible so I have the option of all traffic going over Tor. I don't want to have to configure socks proxies.
Firefox OS doesn't allow native applications. The low level underlying system however is based on Linux and Android and can run native binaries. Starting with a rooted Firefox OS install I built Tor and used iptables to reroute all network traffic to work over it. This is a first step, and this article shows how to get it going so power users can try it out. My next step would be to investigate integrating it into the build system of Firefox OS and providing ways to start/stop it from the OS interface.
The first stage of building is to have an Android standalone toolchain installed. I describe how to do this in my Wasp Lisp on Android post or you can use a Nix package I created for use with the Nix package manager.
Building libevent
Tor requires libevent to build. I'm using static libraries to make creating a standalone tor binary easier. The following will build libevent given the standalone toolchain on your path:
$ cd $HOME
$ mkdir build
$ cd build
$ wget https://github.com/downloads/libevent/libevent/libevent-2.0.21-stable.tar.gz
$ tar xvf libevent-2.0.21-stable.tar.gz
$ cd libevent-2.0.21-stable
$ ./configure --host=arm-linux-androideabi \
--prefix=$HOME/build/install \
--enable-static --disable-shared
$ make
$ make install
Building zlib
Tor requires openssl which in turn requires zlib:
$ cd $HOME/build
$ wget http://zlib.net/zlib-1.2.8.tar.gz
$ tar xvf zlib-1.2.8.tar.gz
$ cd zlib-1.2.8
$ CC=arm-linux-androideabi-gcc ./configure --prefix=$HOME/build/install --static
$ make
$ make install
Building openssl
$ cd $HOME/build
$ wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
$ tar xvf openssl-1.0.1h.tar.gz
$ cd openssl-1.0.1h
$ CC=arm-linux-androideabi-gcc ./Configure android no-shared --prefix=$HOME/build/install
$ make
$ make install
Building tor
$ cd $HOME/build
$ wget https://www.torproject.org/dist/tor-0.2.4.22.tar.gz
$ tar xvf tor-0.2.4.22.tar.gz
$ cd tor-0.2.4.22
$ ./configure --host=arm-linux-androideabi \
--prefix=$HOME/build/install \
--enable-static-libevent
$ make
$ make install
Packaging Tor for the device
To run on the Firefox OS device I just installed the tor binary and a configuration file that enables transparent proxying as per the Tor documentation on the subject. I put these in a directory that I push to an easily accessible place on the device:
$ mkdir $HOME/build/device
$ cd $HOME/build/device
$ cp $HOME/build/install/bin/tor .
$ cat >torrc
...contents of configuration file...
$ adb push $HOME/build/device /data/local/tor
The configuration file is:
DataDirectory /data/local/tor
Log notice file /data/local/tor/tor.log
RunAsDaemon 1
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
DNSPort 9053
Running tor
I haven't integrated tor into the device at all so for this proof of concept I adb shell into it to run it and configure the iptables to redirect traffic:
$ adb shell
# cd /data/local/tor
# ./tor -f torrc &
# iptables -t nat -A OUTPUT ! -o lo -p udp --dport 53 -j REDIRECT --to-ports 9053
# iptables -t nat -A OUTPUT ! -o lo -p tcp -j REDIRECT --to-ports 9040
Testing
The device should now be sending traffic over Tor. You can test by visiting sites like whatismyip.com or icanhazip.com to see if it reports a different IP address and location to what you normally have. You can also try out hidden services like mh7mkfvezts5j6yu.onion which should show this site.
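Before relying on a browser test, it is worth confirming that both redirect rules are installed and point at the TransPort and DNSPort set in torrc. The script below is an added example, not part of the original post; it assumes the device's iptables supports -S listing, and the function names and sample data are constructed for illustration.

```sh
# Added example (not from the original post). Live use from a host with adb:
#   adb shell iptables -t nat -S OUTPUT | check_redirects torrc

# Print the port of a torrc option, e.g. "SOCKSPort 127.0.0.1:9050 IsolateDestAddr".
torrc_port() {
    awk -v key="$1" '$1 == key { n = split($2, p, ":"); print p[n]; exit }' "$2"
}

# Read an OUTPUT chain listing on stdin and print the --to-ports value of the
# first REDIRECT rule for protocol $1 whose --dport equals $2 ("" = no --dport).
redirect_port() {
    awk -v proto="$1" -v dport="$2" '
        $1 == "-A" && $2 == "OUTPUT" {
            p = ""; d = ""; j = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")         p  = $(i + 1)
                if ($i == "--dport")    d  = $(i + 1)
                if ($i == "-j")         j  = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (j == "REDIRECT" && p == proto && d == dport) { print to; exit }
        }'
}

# check_redirects TORRC < rules: non-zero if either redirect is missing or
# points at a port other than the TransPort/DNSPort configured in TORRC.
check_redirects() {
    rules=$(tr -d '\r')          # adb shell output may end lines with CR
    want_tcp=$(torrc_port TransPort "$1"); want_dns=$(torrc_port DNSPort "$1")
    got_tcp=$(printf '%s\n' "$rules" | redirect_port tcp "")
    got_dns=$(printf '%s\n' "$rules" | redirect_port udp 53)
    rc=0
    if [ -z "$want_tcp" ] || [ "$got_tcp" != "$want_tcp" ]; then
        echo "TCP: TransPort is '$want_tcp', rule redirects to '$got_tcp'"; rc=1
    fi
    if [ -z "$want_dns" ] || [ "$got_dns" != "$want_dns" ]; then
        echo "DNS: DNSPort is '$want_dns', rule redirects to '$got_dns'"; rc=1
    fi
    return "$rc"
}

# Constructed sample data mirroring the torrc and iptables commands above.
sample_torrc() { printf '%s\n' 'SOCKSPort 127.0.0.1:9050 IsolateDestAddr' \
    'TransPort 9040' 'DNSPort 9053'; }
sample_rules() { printf '%s\n' '-P OUTPUT ACCEPT' \
    '-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053' \
    '-A OUTPUT ! -o lo -p tcp -j REDIRECT --to-ports 9040'; }
t=$(mktemp); sample_torrc >"$t"; sample_rules | check_redirects "$t" && echo OK; rm -f "$t"
```

The two rules redirect only TCP and UDP port 53, so a passing check says nothing about other UDP traffic, which these rules do not send through Tor.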
Removing
Killing the Tor process and removing the iptables entries will set the network back to normal (the final command flushes every rule in the nat table, not only the two added above):
$ adb shell ps|grep tor
$ adb shell
# kill ...process id of tor...
# iptables -t nat -F
You can optionally delete the /data/local/tor directory to remove all tor files:
$ adb shell rm -r /data/local/tor
Future
This is just a proof of concept. Don't depend on this. You need to restart Tor and rerun the iptables commands on reboot. I'm not sure how well interaction with switching to/from WiFi and GSM works. Ideally Tor would be integrated with Firefox OS so that you can start and stop it as a service and maybe whitelist or blacklist sites that should and shouldn't use Tor. I hope to do some of this over time or hope someone else gets excited enough to work on it too.
Another privacy aspect I'd like to investigate is whether TextSecure (or a similar service) could be integrated in the way it's done in CyanogenMod:
"The result is a system where a CyanogenMod user can choose to use any SMS app they'd like, and their communication with other CyanogenMod or TextSecure users will be transparently encrypted end-to-end over the data channel without requiring them to modify their work flow at all."
Ideally my end goal would be to have something close to that described in the hardening Android post on the Tor Project blog.
I'm not sure how possible that is though. But Firefox OS is open source, easy to build and hack on, and runs on a lot of devices, including multi booting on some. Adding things like this to build your own custom phone OS that runs web applications is one of the great things the project enables. Users should feel like they can dive in and try things rather than wait for an OS release to support it (in my opinion of course).
Test Builds
A tar file containing a precompiled tor and the torrc is available at b2g_tor.tar.gz.
Disclaimer
All files and modifications described and provided here are at your own risk. Don't tinker on devices you depend on and don't want to risk losing data. These changes are not an official Mozilla project and do not represent any future plans for Mozilla projects.