Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anonymous Browsing On Android Phones Using Tor

Posted by Soulskill on from the privacy-on-the-move dept.

ruphus13 writes "Privacy is becoming a scarce commodity, especially with geo-aware phones. Now, Android phone users can browse anonymously using Tor — a capability, until now, limited to the desktop. From the post: 'We have successfully ported the native C Tor app to Android and built an Android application bundle that installs, runs and provides the glue needed to make it useful to end users. Secure, anonymous access to the web via Tor on Android is now a reality,' writes Guardian Project team member Nathan Freitas. The Tor 0.2.2.6-alpha release uses toolchain wrapper scripts to run Tor without requiring root access."

18 of 109 comments (clear)

  1. !secure by sopssa · · Score: 4, Informative

    Secure, anonymous access to the web via Tor on Android is now a reality

    People should really stop using the word secure with Tor. Anonymous, sure, but you actually forfeit some of your security and privacy when using Tor. Anyone can snoop your outgoing connections from Exit node, or if you're using https or other secure connection, change the certificates. On top of that there's a change the exit node changes your http pages in addition to stealing or just snooping for information. Implying "secure" in news likes this gives lots of false sense of security to users, like has been seen many times before.

    Eavesdropping by exit nodes

    In September 2007, Dan Egerstad, a Swedish security consultant, revealed that by operating and monitoring Tor exit nodes he had intercepted usernames and passwords for a large number of email accounts.[15] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. SSL. While this does not inherently violate the anonymity of the source, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[16]

    Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.

    The summary also quickly mentions geo-aware phones. If you happen to be using that bad exit node, now your geo-location updates will be transmitted via it too. And goverments should be able to set up a lot different exit nodes all around the world easily.

    So no, it's not secure. It's maybe anonymous, if you use it correctly and don't login to your banking, slashdot account or whatever with it.

    1. Re:!secure by CharlyFoxtrot · · Score: 2, Insightful

      TL;DR : only use Tor if you know what the hell you are doing.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:!secure by tolan-b · · Score: 2, Informative

      > or if you're using https or other secure
      > connection, change the certificates.

      Am I missing something here? I know about Tor MITM attacks from exit nodes, but how are they supposed to fake a cert? Seeing as proper certificates 'guarantee' identity as well as encryption.

      Assuming they're not using that null in the name string attack. But let's assume they're using a secure browser to begin with :)

    3. Re:!secure by Anonymous Coward · · Score: 2, Informative

      THANK YOU!

      Tor is only secure for doing anonymous things.
      The instant you login to anything, you are really risking giving up that information and breaking the point of the system in the first place.
      The creator really needs to put this in as a warning in big red letters.

    4. Re:!secure by Arancaytar · · Score: 2, Informative

      Right in principle, but it's fortunately not as bad as you think.

      SSL is a transparent layer on top of TCP, which means any protocol can be tunneled through it, including HTTP and IRC. (Though for FTP, you'd tunnel through SSH instead.) Admittedly, few IRC networks support SSL at present, but that will hopefully change. Freenode says they're working on it. Either way, IRC traffic is generally semi-public and the most sensitive stuff is your NickServ password (enabling exit nodes to impersonate random people on IRC).

      As for the proprietary IM networks, firstly you really should use Jabber if you care about security. Secondly though, at least the sign-in apparently goes through SSL for AIM, ICQ and Yahoo - and end-to-end encryption is available via Off-The-Record Messaging (the brightest invention since PGP, imho).

    5. Re:!secure by 56 · · Score: 2, Informative
      The problem for me is that the actual android phone itself is logged into google! Doesn't that make it insecure by their very nature?

      I have an HTC Magic/G2, and I've often been concerned about this when connecting to an open wifi ap. I only use wifi, so the fact that my cell phone company can see my usage over 3g is a non-issue (canceled my data plan when the free trial ran out). But it seems to me that my google password is probably not well protected from whoever owns the ap I'm connecting to.

      I just downloaded the tor android client and the shadow browser (which tells me that it can't use https, unfortunately), and it seems to work. I just checked my IP and it comes up as somewhere in Vancouver, which is not where I am so that's nice. But I still don't see how one can get past the fact that the phone itself is logged into google at all times.

    6. Re:!secure by Anonymous Coward · · Score: 2, Informative

      The count attacks got it wrong. Tor works in combination with privoxy and that routes DNS requests over Tor to avoid letting your ISP know what sites you are surfing. Stop spreading this FUD. Certainly users need to be educated about these issues- and not all will understand the implications. The problem is people here don't seem to understand Tor either and make false or missleading statments about it.

  2. Privacy is the next killer ap by Presto+Vivace · · Score: 2, Interesting

    The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.

    1. Re:Privacy is the next killer ap by CharlyFoxtrot · · Score: 3, Insightful

      The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.

      Because you know these days we need companies to do what the governments should be doing.

      --
      If all else fails, immortality can always be assured by spectacular error.
    2. Re:Privacy is the next killer ap by Presto+Vivace · · Score: 2, Funny

      the more companies that make money by abusing our privacy, the more demand there is for privacy tools. The company which solves this problem will make a boat load of money.

  3. Except you must still trust Tor by Gothmolly · · Score: 2, Interesting

    You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Except you must still trust Tor by poofmeisterp · · Score: 2, Funny

      You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.

      So you shouldn't use it if you don't want to be a Tor-get of investigation? :>

    2. Re:Except you must still trust Tor by arevos · · Score: 3, Insightful

      You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added.

      Tor is a service for browsing anonymously, not securely. Security is handled by SSL.

    3. Re:Except you must still trust Tor by AHuxley · · Score: 2, Interesting

      not hacked NSA?
      The NSA could set up front companies ie telcos or cut out political rights groups, students, uni profs boxes and just connect the dots in the USA.
      As the NSA is every telco, ips in the USA, getting a entry IP and tracing back to the exit ect. is not hard with their budget.
      As the NSA now faces inward, TOR in the USA is now another fun computer project at best.
      Sneaker net people or meet and greet with an understanding of one-time pads :)

      --
      Domestic spying is now "Benign Information Gathering"
  4. Use it for .onion only by zoloto · · Score: 4, Interesting

    I use TOR mostly for browsing .onion sites, inaccessible without it. Also, if you set up your connection/system properly, you *can* browse anonymously. The idea is that your ISP and external website (and exit node) can't identify who you are. This is a VERY good thing. I would, however, not log into any service that could identify me as "me" online through tor. Ever.

    As a personal opinion, many of the .onion services (forums etc) are more interesting than what's on the rest of the public internet anyways. It's amusing and interesting to see what people have to say on forums when they are really able to be anonymous (trolling aside).

  5. Re:cell co.s will be thrilled by skeeto · · Score: 3, Insightful

    The phone won't be acting as a node, though. Cell towers wouldn't carry any extra traffic than normal.

  6. Speed by YourExperiment · · Score: 3, Funny

    Tor is a wonderful piece of software, but browsing with it can be somewhat slow at times. Mobile internet is also a great invention, but can be frustratingly slow. Thank heavens that no-one is proposing using these two technologies in combination!

  7. Re:cell co.s will be thrilled by Smurf · · Score: 2, Informative

    let me clarify: since a given tor node is not just handling its own demands, but is also relaying other nodes' traffic, (...)

    That's where you're wrong. A Tor client isn't required to be a node, i.e., he is not required to relay traffic for others. It is basic etiquette to become a node if you use the client, but no one is forcing you. Why do you think Tor is so slow? Leechers!

    So, if relaying traffic is turned of on the cell phone client (and it IS turned off by default on the desktop clients), the total bandwidth consumed is going to be the one of the direct connection plus the overheads of all the layers of encryption, which is not too much.