[guardian-dev] Orbot 1.0.4 RC for testing

Jacob Appelbaum jacob at appelbaum.net
Tue Sep 21 03:27:03 EDT 2010


On 09/20/2010 09:33 PM, Nathan Freitas (GuardianProject) wrote:
> 
> Thanks for the report.
> 

Sure thing.

> On 9/20/10 11:48 PM, Jacob Appelbaum wrote:
>> with transparent proxying - when a device resets, Orbot does not
>> automatically launch on the subsequent boot. The end result is that
> 
> It is definitely possible to start Orbot and transparent proxying on
> boot. However, in order to do this, we need to request the "Read Phone
> State" permission. This is one of those overly broad Android permission
> bits that reads to some "Give this app permission to monitor all my
> calls", when in fact, all we need it for is to be able to get notified
> that the phone has booted up.

It's a bit weird that they don't have a "start at boot" permission.

> 
> There has been a desire to keep the core Orbot app required permissions
> to a minimum. At this point, we only require the "Access Internet"
> permission. The solution I have been considering is to create a second
> helper app that would be called OrbotOnboot or OrbotLauncher, and this
> would have the extra permissions needed for this configuration.
> 

I think the transparent proxy stuff isn't safe without biting the bullet
and giving it the permissions that it needs...

> The other option would be to offer an Orbot-Lite and Orbot-full version,
> with lite always being the most paranoid configuration, and full
> offering all the rich, cool features we could think up.
> 

I think if you're really paranoid, it's reasonable to build your own. I
mean, no amount of permissions keeps a phone safe. If you want to pop
root on a Linux box, you just need user code execution...

>> Is there a way to ensure that Orbot is started before any other services
>> and every time the phone starts?
> 
> If we use this official method described above, I am not sure if you can
> control the order things startup.

That sounds like a potential for leaking. I wonder if this is true? I'll
do some digging.

> 
> Since Transproxying requires root however, perhaps, I am thinking of
> this the wrong way.... if we have root permission, perhaps we can do
> something at the Linux level to solve this issue.
> 

We can certainly muck with things... I fear the wrath of Android users
who end up with stuff that is hard to uninstall.

Sincerely,
Jake
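
For reference, the "get notified that the phone has booted up" mechanism discussed above, as an added example that is not Orbot's code and not from either poster: a minimal Android BroadcastReceiver that starts a service once the system broadcasts BOOT_COMPLETED. It assumes a hypothetical package name (org.example.onboot) and a hypothetical ProxyService class; the permission and action names are the standard Android ones.

```java
// Added example (not Orbot's code): the stock Android pattern for being
// told when the device has finished booting and starting a service then.
//
// AndroidManifest.xml (package name "org.example.onboot" is assumed):
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
//   <application ...>
//     <receiver android:name=".BootReceiver">
//       <intent-filter>
//         <action android:name="android.intent.action.BOOT_COMPLETED" />
//       </intent-filter>
//     </receiver>
//     <service android:name=".ProxyService" />
//   </application>
package org.example.onboot;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class BootReceiver extends BroadcastReceiver {
    private static final String TAG = "BootReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Act only on the boot broadcast: checking the action means an
        // unrelated intent delivered to this receiver does nothing.
        if (!Intent.ACTION_BOOT_COMPLETED.equals(intent.getAction())) {
            return;
        }
        Log.i(TAG, "boot completed, starting proxy service");
        // ProxyService is a hypothetical Service class for this example;
        // it is where the proxy setup would actually be done.
        context.startService(new Intent(context, ProxyService.class));
    }
}
```

The receiver is declared in the manifest rather than registered at runtime so that the system can deliver the broadcast even though no part of the app is running yet; the only extra permission this pattern needs is RECEIVE_BOOT_COMPLETED. It gives no control over ordering relative to other apps' boot receivers, which is the gap the thread raises.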

