Related
I was wondering whether there is such software for the android that can capture http posts before sending. i.e. like the firefox addons you can get and apps like http analyzer?
This would be really useful for testing purposes.
Cheers.
Gazos
You can try some general traffic capture tools (Like tcpdump or airodump-ng). If You have rooted phone, check out Shark for Root (tcpdump on phone).
Thanks for the update but I guess what I want is real time captures (and manipulation) like its possible in Firefox using only the phone.
I currently use tcpdump to capture data but want to edit the data before its sent out.
You can try to find/write small proxy server application and run it on phone, so you will be in control.
ex87 said:
You can try to find/write small proxy server application and run it on phone, so you will be in control.
Click to expand...
Click to collapse
Or you could run paros (http://sourceforge.net/projects/paros/files/) on a machine on your network and get the android browser to use it as the proxy (which looks like a bit of a task in it's self.)
The only viable way I can think of to do this (given Android's insane lack of proxy support) is to hack a custom firmware for a Linksys WRT54g so it basically routes everything to a transparent proxy (Fiddler2, Webscarab, Paros, Burp, etc) running on a PC. Something like this:
Android =[wi-fi]=> WRT54g -[ethernet]-> PC with proxy -> internet router
It might even be possible to achieve this without hacking the WRT54g.
The only problem you might still have (not sure) is Android's handling of invalid SSL certs since the proxy would basically be doing a man in the middle attack, and the app running on the Android phone would see an invalid SSL cert.
Be warned that trying this with a Windows host PC is almost guaranteed to fail unless it's Pro/Ultimate, and in any case this is going to involve some seriously hardcore manual routing config that goes beyond anything Windows' config screens were really intended to set up.
You can try to find/write small proxy server application and run it on phone, so you will be in control.
Click to expand...
Click to collapse
I'm pretty sure I saw this discussed on the android.security list, and the consensus was that the current API doesn't give any way to do this transparently, and it's questionable whether you could even implement something like WebScarab natively on Android using the NDK. I believe the general consensus was that if you want to host something like WebScarab on Android, it's going to take a custom kernel to pull it off, and some solution that lets you offload the actual proxying to a regular PC would be infinitely easier to pull off, and less cumbersome to use for actual security testing (it's enough of a pain trying to use Fiddler2 or Webscarab with a 1280x1024 display, let alone 854x480... not to mention trying to cut and paste examples into Word Documents for vulnerability assessment reports (shudder)).
^^^ OMG. I just installed AOSP ("Buufed") for the CDMA Hero, and it actually HAS the ability to set proxy for WiFi. I haven't tried it yet, and I'm not sure whether it's purely an "AOSP" feature or something I've just overlooked up to now that was in DamageControl, but it looks like at least *some* Android builds DO have it now
OK guys I'm so sick of this issue. Basically from my research there are thousands upon thousands of people with Android devices who go to university, or work in an office that uses a WiFi connection with wpa-enterprise or whatever and they can't use the net because there's no f**king proxy settings on Android. SO, this thread is meant to CLEARLY explain how to get proxy settings and hence use the net at uni and in the office or whatever. Calm down, I'm about to make life much easier
First of all there is no stock rom that lets you do this on a Legend (at the moment) so the only way to get the settings is for you to root your phone. Now there's like a thousand guides on how to do this but the best one I've found is this. Anyways!
Next thing you have to do if pick a rom to run which has the proxy settings. Now I might add here that everything I'm saying from now on pretty much is for the Legend only ie the roms I mention and.. yeah. So the best rom to use at the moment in my opinion is CyanogenMod which you can find in Legend Development. It's perfect really. Feel free to try other roms but generally they need to be froyo based and you can check if you can do all this proxy stuff straight away by checking the wireless and networks section in the settings area of your phone. If there is a proxy settings section then yeah you can do it.
So yeah, once you're on one of these roms check that you actually have "proxy settings" in the wireless and networks section of your phone, which I might add only lets you use the internet via a browser ONLY. The next thing you need to do is install an app called "transparent proxy" which you can find here. This app lets you use apps via a proxy as well as the browser and thus giving you FULL internet access (use version 2.04 or higher). Another app I've heard that is meant to work as well is called "orbot" which you can find on the market.
If you do a google search you'll see issue 1273 which is all about this proxy issue and its been going on for over 2 years now. I dunno what google's problem is.. but at least thanks to some people it IS in fact possible to get the internet working via proxy on wifi.. you just gotta go to a bit of effort, well I know I did to figure all this ^ out.
Remember if you have anything to add or correct let me know, cheers.
Cool thread, really useful. But:
curto said:
The other ROM which I'm sure works is CyanogenMod but beware, this one is a little outdated and I don't think its being updated anymore..
Click to expand...
Click to collapse
How wrong can you be. Both Azure and Indigo Bean are based on CyanogenMod (versions 6 and 5.0.8 respectively). Version 6.1 of CM is under heavy development, and it will replace Azure as it's the first version to officially support the Legend. There are nightly builds of CM for our phones, so every day something changes. It's about as actively developed on as Android itself.
Also, what did you write your post in? Why are there so many line breaks?
TheGrammarFreak said:
Cool thread, really useful. But:
How wrong can you be. Both Azure and Indigo Bean are based on CyanogenMod (versions 6 and 5.0.8 respectively). Version 6.1 of CM is under heavy development, and it will replace Azure as it's the first version to officially support the Legend. There are nightly builds of CM for our phones, so every day something changes. It's about as actively developed on as Android itself.
Also, what did you write your post in? Why are there so many line breaks?
Click to expand...
Click to collapse
Ohhhhhhhhhhhh no no mate you misunderstood, sorry I see now I wasn't clear enough. I didn't mean CyanogenMod in general was outdated and not being updated anymore. I meant that one in the roms section "[ROM] CyanogenMod 6.0.0-RC2 for HTC Legend" by kyosa. Sorry, I'll fix that up in the main post. And yeah what I've done is just pressed enter a lot to make the paragraphs look like that.. I kinda didn't know how to make a big essay readable so I just did that. I don't think it worked haha, let me adjust it. I'll try and eventually make it looks like a lot of the other guides when I get some more info and more response.
With Gingerbread and Honeycomb being talked about ... I was curious if anyone knows if there are any solutions to two issues that I personally think should be solved.
Web proxy - I use wifi at work but I need to use a proxy to get to the web. I am aware of some techniques to get the proxy working but haven't seen a good, simple way of turning a proxy on and off. The best would be to have the proxy settings associated to the wifi profile.
Incoming Voice Recording - Last time I looked into this there still was no way to directly access the incoming voice ... most programs suggest using speakerphone and it picks up the incoming voice through the mic. This is not a good solution.
For the proxy, you could use an application like Tasker (or Locale) to create a widget to run necessary shell commands to change the network properties. I think. I'd have to play with it a bit to get it to work, I imagine.
For the voice recording, my understanding is that it is a hardware limitation based on where (and at what level) the voice call is processed.
No and no.
Voice is Android system intended limitation, AFAIK.
Proxy switch isn't there yet, and no app has been written for it. Generally, WiFi management isn't quite there yet.
I've seen the proxy configuration screen on cyanogens ROM, have not tried it.
+1
Very surprising & disappointing that there is no wifi proxy... It is a very basic requirements that should not be missed out.
ardatdat said:
+1
Very surprising & disappointing that there is no wifi proxy... It is a very basic requirements that should not be missed out.
Click to expand...
Click to collapse
Cyanogen has it. Flash and enjoy.
There is WiFi proxy in custom ROMs, but the problem is that it's global and it can't be turned on-off easily, only through settings.
gravufo said:
Cyanogen has it. Flash and enjoy.
Click to expand...
Click to collapse
Come on, it is so basic and should be built-into the stock rom. I am not expecting any mods to do this basic trick. This is the most disappointing thing.
ardatdat said:
Come on, it is so basic and should be built-into the stock rom. I am not expecting any mods to do this basic trick. This is the most disappointing thing.
Click to expand...
Click to collapse
There are lots of basic things that should be in the stock rom but aren't.
That's what custom ROMs are made for.
If you own a Nexus One and are not even willing to use (or even try) a custom ROM, then you will never fully enjoy the device. Google is RELYING on the openness of Android for people to enjoy their devices...
gravufo said:
There are lots of basic things that should be in the stock rom but aren't.
That's what custom ROMs are made for.
If you own a Nexus One and are not even willing to use (or even try) a custom ROM, then you will never fully enjoy the device. Google is RELYING on the openness of Android for people to enjoy their devices...
Click to expand...
Click to collapse
1st, I am a rom and kernel developer
2nd, This proxy thing is so basic that it has been already implemented in ipod touch N years ago.
3rd, while I can (I have) applied the wifi proxy things into MY CUSTOM ROM, I still think that this is a basic thing that should not waste my time to do such a customization
4th, I am sure you are not using wifi proxy and do not realize how important it is
5th, NEXUS one is a great phone. When you first boot it, it asks you for your google account (great!), however, sorry, because you are using wifi proxy, you cannot connect to the internet. So, if you cannot connect to the internet, there is no point for using a "GOOGLE" phone. That is why I say it is a basic thing.
ardatdat said:
1st, I am a rom and kernel developer
2nd, This proxy thing is so basic that it has been already implemented in ipod touch N years ago.
3rd, while I can (I have) applied the wifi proxy things into MY CUSTOM ROM, I still think that this is a basic thing that should not waste my time to do such a customization
4th, I am sure you are not using wifi proxy and do not realize how important it is
5th, NEXUS one is a great phone. When you first boot it, it asks you for your google account (great!), however, sorry, because you are using wifi proxy, you cannot connect to the internet. So, if you cannot connect to the internet, there is no point for using a "GOOGLE" phone. That is why I say it is a basic thing.
Click to expand...
Click to collapse
No, I do not use a Wifi proxy but I know what it is and I am very aware of how important it is, which is why developers have added it in custom ROMs (like you did).
I am not trying to excuse Google for what they did, I am just saying there are alternatives and solutions to this problem so there is no point in complaining. Google will not be reading this, whining will not make them change their mind.
To add, Google couldn't even get Wifi sleep policy to actually work...ANY device can do that, but not our N1s...That's even more basic. I'm not whining on the forum for that since CM and others have worked-around this issue.
You (or anyone) cannot control Google, live with it.
Long time reviewer, first time poster - can't post in the dev forums until I have 10 postings (sigh).
Question for the devs or others in the know - in the ICS (granted very early) builds, I can't get IPtables to work, but an earlier list of changes seems to indicate that this should be working.
Manifests itself with errors starting the firewall in Droidwall. So, am I doing something wrong or is IPtables not available in the current ICS builds (I'm using the 0120 nightly)?
Other than that and the lack of Flash, my experience with the NC ICS builds has been nothing short of amazing.
Many thanks for the answer and for the ICS builds.
I just noticed this last night when Sshtunnel wouldn't work on my nook, but is fine on a Touchpad. I'd rather not compile my own kernel if enough people would find iptables useful.
Apparently not many CM9 users are concerned about IPtables and restricting access to the internet by apps. Hopefully one of the devs will pick this up for a future build. I worry about the info that my apps are sending out to the extent that I might go back to CM7 on my NC...
It ain't that I am unconcerned, it is just that I don't know the answer. I actually consider a working firewall to be of the utmost importance. I am pretty sure we are not alone. I did have trouble with it too, it said that the kernel came loaded with an updated version of (all numbers approximate) iptables 1.4.1.11 instead of the 1.4.1.10 that the droidwall was looking for. I honestly don't know what the issue is, but I am trying to be kinda ok about it, simply because I bet you dollars to donuts that firewalls work on cm9 sooner or later.
Lots of stuff work on cm9, I just don't feel like I can get my panties in a bunch because my pet issue isn't ready yet. I bet if we're patient it wont be long.
Or I just need to learn how to run the software better. If figure it out I will report back.
I guess my issue is that one of the chagelogs indicated that Netfilter was functioning in the upstream builds, but wasn't (apparently) working in the NC version. "Glad" to see it's not just me, but not so good that it seems to be lingering without a Dev comment.
user17600 said:
I guess my issue is that one of the chagelogs indicated that Netfilter was functioning in the upstream builds, but wasn't (apparently) working in the NC version. "Glad" to see it's not just me, but not so good that it seems to be lingering without a Dev comment.
Click to expand...
Click to collapse
PS - Anyone able to post this question in the Dev thread (I can't due to low posting count)?
[Note: I am not addressing firewalls; just iptables and global SOCKS5 forwarding in this post]
I very much need iptables support in the kernel and it appears to be here now. My needs are for a global proxy that all Android apps using the network will use. In theory, it ought to be as easy as loading the relevant, pre-built kernel module, and writing the correct iptables script to route all outgoing connections through your already-running ssh proxy. There are several apps that do this already.
I noticed there's a newer app for iptables maintenance "Iptables (beta)" in the Market by Moroni Granja, who also wrote the Autoproxy utilities. His utility does indicate that CM 7.2.0-RC1-encore (as of 2012-03-24) does have the required modules on it and offers to update the iptables binary for you which may (or may not) be necessary. I did update mine.
Whether it automatically re-routes all your outgoing connections through your already running SOCKS proxy I have yet to find out [edit: see my **UPDATE** below]. I have seen several apps like this in the market but none have worked on my Nook Color CM 7.1.X but I will try to see if they work on CM 7.2.X with Moroni Granja's utility. Another one that claims "global proxy support" is MAX LV's "ProxyDroid." None of them will open an SSH tunnel using SOCKS dynamic proxying and then iptables to it [edit: see my **UPDATE** below].
Dropbear on Cyanogenmod is not built with "-D" option. If it were, you could open a dynamic socks proxy using "ssh" on the device, set Proxydroid to use 127.0.0.1:58080 as your SOCKS5 proxy, set it to global mode (or set up an iptables script for this), and you have your own SSH tunnel. I don't see any app that will do this all at once anywhere in the market but I'm close to putting together a skeleton if only I had OpenSSH or Dropbear with "-D" dynamic forwarding compiled into it. That's the big obstacle here [edit: see my **UPDATE** below]..
Well, I did write that last paragraph a little hastily. There are two apps, "SSHTunnel" and "SSHTunnel (beta)" which come close to these requirements, but the author specifically notes they are intended for people behind the "Great Firewall" and I have had very little luck getting this to work. However, these apps do have interesting internals that can be used to further the effort for a true SOCKS5 tunnel using SSH to a remote host because, as you may already know, all you need is a remote Unix host to get this to work completely.
**UPDATE** I have successfully used SSHTunnel (beta) to connect to a remote host through the SSH SOCKS5 tunnel without setting any browser settings on CM 7.2.0 on my Nook Color. It is working now, though it's cumbersome to say the least. I am observing several connections on my remote SSH host that are being made from my Nook Color to places like Wikipedia and Google Play Store using http and https, among other things. I cannot confirm that all of my outgoing connections are being made through the SOCKS5 proxy but many are.
The executable being used is named /data/data/org.sshtunnel.bat/sshtunnel and it is actually OpenSSH_5.8p2. OpenSSH is very inefficient as compared to Dropbear. Indeed, the author of SSHTunnel says it will significantly reduce battery life. Replacing this with a Dropbear binary with dynamic forwarding may result in significant speed increase, battery life, and decreased memory usage.
In conclusion, I can report that global SOCKS5 proxy via SSH does work on CM 7.2.0-RC1-encore using the "IPtables (beta)" app in conjunction with SSHTunnel (beta).
Hi everybody,
one main reason I am staying on Kitkat and not switching to Lollipop is that it runs on Art and thus Xposed is not working (yet). I want it mainly because of XPrivacy to block internet access for certain applications.
Because that's the main reason to have XPrivacy I searched for an easier way (and maybe built-in) way to block internet access.
I finally found some time to dig into the AOSP source code and investigate how the app ops are implemented. I will first describe my development process and then give the code. If you're only interested in code go to the end of this post.
I noticed that it is rather simple to add a new toggleable permission to the AppOpManager (additionally I discovered this commit).
Well, adding a new operation does nothing by itself. The framework has to check somewhere if it is allowed to perform a specific operation.
In my investigations I discovered that nearly* all requests for a network socket pass the class java.net.InetAddress, namely methods lookupHostByName(String, int) and getByAddress(String, byte[], int).
* I say here nearly because I was not able to intercept the internet connection of the stock AOSP browser (XPrivacy has the same problem btw).
java.net.InetAddress is part of the standard Java implementation (platform_libcore) and thus cannot access framework classes and methods. I solved the problem by creating an interface and a static field holding an instance of the interface. Now this field has to be initialized so the method of the interface can be called.
The next step was to find the proper place where that initialization should take place. I chose a static initializer of the android.content.Context class.
Reasoning: every application runs in its own context. So when creating the context for an app the static field will be initialized. Otherwise I sometimes run into NPEs.
I also wanted to have consistent behavior between getting the connectivity state and the actual ability for accessing the internet. So I also changed the com.android.server.ConnectivityService.getNetworkInfoForType(int) method to fake no connection available.
Overall these changes included modifications in three projects which you can find in my Github. As a base I took the stock AOSP code at android-5.0.0_r7 so it is as developed and generic as possible.
platform_packages_apps_settings:
add op for internet access
platform_frameworks_base:
add op for internet access
block internet access if not allowed
fake no connection if internet access is not permitted
platform_libcore:
add an hook into methods that correspond to internet connections
All code is tested and working fine for me.
I hope some rom developers will read this post and apply these changes to their roms .
If anyone has suggestions on improvements or how to block apps like the AOSP browser please comment.
how can i block any specific app from access internet in aosp and where i can find API for Requesting internet
I want to customize os, there How can i restrict specific applicaion from accessing internet .
Actually i want to know where i can set network policy rule so that i can restrict internet.
please let me know if anone having any suggestion.
NetworkPolicyManager
ConnectivityManager
Inetd
It is neccessary to implement in all these or in any one to restrict internet ?
anu10121998 said:
I want to customize os, there How can i restrict specific applicaion from accessing internet .
Actually i want to know where i can set network policy rule so that i can restrict internet.
please let me know if anone having any suggestion.
NetworkPolicyManager
ConnectivityManager
Inetd
It is neccessary to implement in all these or in any one to restrict internet ?
Click to expand...
Click to collapse
I am running A11, Bliss (And I think its also in A8 Oreo). If you go into Settings>Apps & Notification>"see all apps">"App Name">Mobile Data & WiFi>Allow network Access ==>OFF This has worked a treat for me. The only caveat is that for the first week, internet content was sometimes being displayed, from what I can only assume was a cache. After a week, its as I expect.
ie No coding required. Interesting that android explicitly blocks removing the internet permission (but not other permissions) via a root shell, but works fine using the even easier GUI