Slashdot Mirror


Marlinspike's Droid Firewall Kills Tracking

mask.of.sanity writes "The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

21 of 164 comments

  1. This firewall monitors non-internet activities? by countertrolling · · Score: 2

    Like the phone itself? The applications aren't the only thing sending out the data..

    --
    For justice, we must go to Don Corleone
    1. Re:This firewall monitors non-internet activities? by sherpajohn · · Score: 4, Interesting

      What do you mean "the phone itself"? What else is sending out information but applications? Little elves hiding in the keypad? Sorry, I don't understand what you mean... an Android phone is a device running the Android OS - I would expect everything to be an application, even the part that connects to your mobile provider. Maybe I am looking at it the wrong way.

      --

      Going on means going far
      Going far means returning
  2. ZoneAlarm and NetBarrier by dltaylor · · Score: 2

    I used to use ZoneAlarm on Windows (still a version on my Win2K Starcraft PC), and tried NetBarrier for the PPC Macs. Both worked similarly, and I thought ZA was the greatest addition to Windows, ever.

    Sounds like my impending Color Nook will be getting one of these, day 1.

    1. Re:ZoneAlarm and NetBarrier by cheros · · Score: 2

      Used it. Little Snitch has IMHO one major problem: they decided that it should use the Mac's voice system if you go into Front Row, and it's not optional - there is no way to disable it at all. Voice rendering on computers is a pet hate of mine (and Apple's system is pretty bad), so the fact that LS decided all on its own to use this was enough to start seeking an alternative.

      I switched to Hands Off, which has the added advantage that I can have it monitor what applications do with my hard disk as well. And they offer a cheap license for those switching from LS, which helps :-).

      The only question with both apps is: do THEY phone home? Haven't looked with Wireshark yet, but I will..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    2. Re:ZoneAlarm and NetBarrier by RivieraKid · · Score: 2

      If you want to sniff on switched networks, stop being so cheap.

      You'll need a managed switch with the ability to designate a specific switch port as a SPAN or mirror port (http://en.wikipedia.org/wiki/Port_mirroring). This will allow you to monitor any other traffic that is passing through the switch.

      Those days aren't gone, they merely got a whole lot more expensive.

      In any case, it's more likely that you'd do monitoring at the egress point(s) of your private network, not on a particular switch.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves."
    3. Re:ZoneAlarm and NetBarrier by cheros · · Score: 3, Interesting

      No pointy-clicky though, so most Mac users won't use it.

      I was building BSD firewalls based on Gauntlet more than 2 decades ago :-). You have two extra problems with ipfw - you need to know upfront what you're going to shut down or allow and it requires a lot of expertise that is not available to your average user.

      In my case, you can add that I can no longer be bothered with hacking around in a box, I want the damn thing to work so I can get stuff done. Both LS and HO pop up when they have a question, but leave me otherwise to work. Fine by me..

      --
      Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    4. Re:ZoneAlarm and NetBarrier by nabsltd · · Score: 2

      > Those days aren't gone, they merely got a whole lot more expensive.

      I don't think a few hundred dollars for a 48-port switch is "a whole lot more expensive". Although they are around $500 each in general, I bought a pair of brand new Netgear GS748T switches on sale for $500 total. There is also a 24-port version for less than $300.

      They fall into the class of "smart switch", although they are closer to being "managed" in their feature set. One of the features is being able to set up a port to receive all traffic on other ports. The best part is that it's fairly configurable, so that the "sniffer port" (their term) can listen to traffic on one or more other ports.

  3. Droidwall already did a good job at it by Anonymous Coward · · Score: 4, Informative

    Not dynamic, but allows you to set up white/black lists of applications to access the 3G or Wi-Fi network.
    Does a good job. You just have to remember to add new apps to the white list if you want to allow them access to a network.

    http://code.google.com/p/droidwall/

    1. Re:Droidwall already did a good job at it by penguinchris · · Score: 2

      I've been using Droidwall for quite a while, and I'm going to keep using it for one primary reason - you can choose whether to allow apps access over Wi-Fi, 3G, or both. I'm mainly interested in limiting what apps do when I'm using mobile data.

      I really hate that it doesn't pop up a notification when it blocks something new, though. Every time I install a new app I forget to enable it in the Droidwall settings, and it sits there not able to connect until I remember.

      In fact, the whole interface for Droidwall is pretty awful.

      If this new one adds the option to disallow 3G on a per-app basis, then I'd switch immediately. Don't want to knock Droidwall too much because it's great and it's free and everything, but it needs a lot of work!

  4. Meh... by Loki_666 · · Score: 2

    Which is why I like my mobile phone to remain a mobile phone and not a mini-computer subject to the same problems that plague PCs. We already have malware and other crap for mobile devices and the need for firewalls.... bet the anti-virus companies are wetting their pants over the move from mobile phones to mobile computers.

    If I find myself in an emergency situation I'd like to be sure my mobile phone is working and not suffering from a plague of outbound traffic sending spam to half the world.

  5. iPhone App by AtomicJake · · Score: 2

    Excellent news for Android users. I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

    1. Re:iPhone App by chihowa · · Score: 2

      > I guess that Apple would never accept a similar App for the iPhone - it might disturb the user experience.

      That's true, but there's one available in Cydia for jailbroken phones. Called Firewall IP, it works pretty well.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  6. Re:Only for Nexus by Anonymous Coward · · Score: 3, Informative

    The 'installer' wipes your ROM and replaces it with their own. It isn't an app installer.

  7. Please port this to Linux A.S.A.P. by TractorBarry · · Score: 4, Insightful

    > "It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

    Excellent. + 100 this is the way things should be !!!

    I've been yammering on about this for ages now without being able to get any Linux devs interested. As far as I'm concerned without such a feature Linux is a dead duck as far as being an operating system suitable for the home user. I've stopped putting Ubuntu on people's machines due to the complete lack of such a firewall. And no. iptables and Firestarter etc. are not the same thing *at all*.

    The end user should always be given the final decision before *ANYTHING* on the computer is allowed internet access. This single feature of the Zone Alarm firewall on Windows has allowed numerous "non computer savvy" friends and relatives to realise they have a problem well before malware has been able to phone home. Not to mention blocking all the crappy "auto updaters" and other such crap that idiots have started putting in their Windows apps.

    1. The people who write Zone Alarm for Windows get it.

    2. Moxie Marlinspike gets it.

    3. The Linux devs simply do not get it. They seem to believe we live in Magic Fairyland where no program would ever do anything malicious and anything should be able to connect out without the user knowing about it. "But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

    Without this simple feature your computer is simply a digital spy silently allowing any program to send any information it wants anywhere in the world.

    Totally unacceptable in 2011. All machines should have firewalls that allow the user full control of what applications are allowed to talk to the local network and/or the internet.

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:Please port this to Linux A.S.A.P. by Zebedeu · · Score: 2

      While I agree with you on principle, I think in practice these types of programs bring a lot of grief.

      I once visited the house of a friend who was having trouble connecting to the internet. Turned out ZoneAlarm (or a similar program) popped up a dialog asking if he wanted to block Windows networking (not by that name, but the library which controls it) and he said yes.

      Of course there are ways around that. For example, the firewall program should've had networking whitelisted, but even then people will try and block all kinds of stuff and then complain it isn't working.

    2. Re:Please port this to Linux A.S.A.P. by Luckyo · · Score: 4, Interesting

      Considering there's nothing as feature-complete as iptables on Linux, I think your best bet is to learn that rather than rely upon some limited GUI interface.

      I think you just underscored his point of linux not being usable for a desktop. Modern desktop should NOT, EVER rely on command line interface for anything aimed at end-user if it is to be usable.

      There is a reason why we don't use rotary diallers in smartphones. There's a reason why we don't use command line interfaces on average home desktop machines (and no, your home machine is NOT average by any margin any more than a rotary dialler phone is if it's using Linux).

    3. Re:Please port this to Linux A.S.A.P. by KiloByte · · Score: 2

      Uhm, wrong. A hostile userland program that can execute arbitrary code has ALREADY WON. There's nothing a "personal firewall" can do. Even if that firewall of yours would look at which process started the connection, there are many, many ways to control a process that is allowed. Both on Unix and on Windows.

      You'd need a sandbox of some kind: a virtual machine, a separate user who can't directly access the network, a quasi-user (like a selinux role), etc. On Windows, even separate users are not enough if both processes are in the same "window session".

      "Personal firewalls" can protect against an honest mistake or the dumbest crooks. Against anything else, they're snake oil and give a false sense of security -- i.e., are actually detrimental. As you said, "totally unacceptable in 2011". No one should run unreviewed code outside a sandbox.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Please port this to Linux A.S.A.P. by clang_jangle · · Score: 3, Insightful

      There's a reason the CLI remains the first choice of admins and coders, too -- it's the most powerful interface. It won't be going away in the next fifty years, and may still be with us in a thousand. Users who think "the computer needs to learn me" rather than the other way around will always have a low ceiling on their competence level and will always be frustrated.

      As far as the "not usable" BS, really who cares? Competent people use *nix, most people are not competent. It's old news, and I really don't care what you use, frankly. Just trying to be helpful...

      --
      Caveat Utilitor
  8. This by Compaqt · · Score: 2

    What happened to "appliances"? Set it and forget it?

    Now it's going to be Windows all over again:

    My phone's too slow, buy another one.
    -reinstall OS
    -upgrade OS
    -install antivirus
    -check for rootkits

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  9. Technology already exists ... by DrYak · · Score: 2

    On Linux we have AppArmor, we have the possibility to distinguish PIDs in iptables (already used for traffic shaping by peer-2-peer aficionados), ...

    The problem is not the technology, the problems are different:
    - The main one is the interface. Someone has to write something which is user-friendly enough.
    - The other problem is the massive number of executables existing on Linux. ZoneAlarm works well on Windows because of its rather monolithic structure. There aren't that many processes needing to be controlled. The Unix philosophy is the opposite, a swarm of small tools which each do only one thing, but do it well. Something like ZoneAlarm on Linux would produce a metaphorical Zerg-rush of pop-ups.

    Also it is slightly counterproductive:
    - Such tools are indeed important on Windows, because there is *NO* *OTHER* *WAY* to control the software. They are mostly binary only. So you can only control them by restricting their accesses.
    - On Linux, the software is open-source, and mostly comes from the distribution. There are lots of different and better ways to do it.

    > They seem to believe we live in Magic Fairyland where no program would ever do anything malicious

    In a way, because the code is better reviewed, that is partially true. The Linux community has better ways to know what is happening inside a given piece of software.
    That also means that one of the best practices would be to standardize on some access-restriction mechanism (like AppArmor) and have the developers systematically write profiles. Thus:
    - it will be easier for the end user, not to have to write a profile for every single application.
    - it will be easier to quickly look at the profile to know what an application could do.
    - in case of exploit, the access-restriction-mechanism could easily block the abnormal behavior which the application never asked for in the first place.

    > "But we're only fetching cover art/some other stuff". No you're reporting information to a third party that I do not wish sent thank you very much.

    And guess what? The source code is open, and there are a lot of paranoid Linux users like you out there. Thus some have added code to ask permission: on their first run, both VLC and Amarok explain the situation to you and give you a choice: systematically download the art / only download on demand / never touch the internet.

    What we need is:
    - more such efforts
    - and perhaps a better centralized way to control such elements. (think like a centralized "privacy control panel" in KDE's System Settings, or some Gnome & Unity equivalent).

    This requires lots of collaboration and effort, but that's something the Linux community *CAN* do (unlike the binary world, for obvious technical reasons).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  10. Only works for Nexus. Need desktop, too by Kamiza+Ikioi · · Score: 3, Insightful

    FTA, only has installs for Nexus One and Nexus X, and the installer comes in Windows, OSX, and Linux... and it looks like they're all 64-bit installs only. Very limited. And there is DroidWall, which is available on the market, but I believe you need a rooted phone (which is probably true for any decent firewall). I use DroidWall and it's fantastic. It lets you choose to allow not just an app, but how it connects. You can, for instance, block Pandora on 3G, but not Wi-Fi.

    --
    I8-D
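Added example (editor's code, not DroidWall's, WhisperMonitor's, or any commenter's): the mechanism behind the per-app, per-interface whitelisting that the DroidWall comments above describe ("block Pandora on 3G, but not Wi-Fi") and behind KiloByte's "separate user who can't directly access the network". On Android every app runs as its own Linux UID, so the iptables `owner` match on locally generated packets in the OUTPUT chain is all a root-only firewall like DroidWall needs. Interface names (wlan0, rmnet0), chain names and the UIDs in the usage line are assumptions for illustration; check that the kernel actually has the match (`iptables -m owner --help` on the phone) before relying on it. The LOG rule ahead of the REJECT is the check a practitioner wants, since it turns the silent "I forgot to whitelist the new app" failure from the thread into a visible kernel log line.

```shell
#!/bin/sh
# Added example: DroidWall-style per-app egress filtering with the iptables
# "owner" match, one whitelist chain per interface. Nothing here runs iptables
# by itself; gen_ruleset prints the commands so they can be reviewed first.
# Interface names and UIDs are assumptions, not values from the page.

WIFI_IF="${WIFI_IF:-wlan0}"      # assumed Wi-Fi interface name
MOBILE_IF="${MOBILE_IF:-rmnet0}" # assumed mobile-data interface name

# Print the iptables commands for one whitelist chain: allowed UIDs RETURN to
# OUTPUT, everything else on that interface is logged (rate-limited) and then
# rejected. Watch blocked attempts with: dmesg | grep droidwall-drop
#   $1 = chain name, $2 = interface, $3.. = allowed UIDs
gen_chain() {
  chain=$1; iface=$2; shift 2
  printf 'iptables -N %s 2>/dev/null\n' "$chain"
  printf 'iptables -F %s\n' "$chain"
  for uid in "$@"; do
    printf 'iptables -A %s -m owner --uid-owner %s -j RETURN\n' "$chain" "$uid"
  done
  printf 'iptables -A %s -m limit --limit 6/min -j LOG --log-prefix "droidwall-drop: "\n' "$chain"
  printf 'iptables -A %s -j REJECT --reject-with icmp-port-unreachable\n' "$chain"
  # Hook the chain into OUTPUT for this interface only; delete any old hook
  # first so re-running the generated script stays idempotent.
  printf 'iptables -D OUTPUT -o %s -j %s 2>/dev/null\n' "$iface" "$chain"
  printf 'iptables -I OUTPUT -o %s -j %s\n' "$iface" "$chain"
}

# Whole ruleset: independent whitelists for Wi-Fi and mobile data.
# UID 0 (root) and 1000 (system) are NOT implicitly allowed: whether "the
# phone itself" may talk, as the first comment asks, is an explicit choice
# made by putting those UIDs in the lists or leaving them out.
#   $1 = UIDs allowed on Wi-Fi, $2 = UIDs allowed on mobile (space-separated)
gen_ruleset() {
  gen_chain dw-wifi   "$WIFI_IF"   $1
  gen_chain dw-mobile "$MOBILE_IF" $2
}

# Pure-shell model of the policy the rules above implement, so it can be
# reasoned about without root: exit 0 if the UID would leave on the interface,
# exit 1 if it would hit the REJECT rule.
#   $1 = uid, $2 = interface, $3 = Wi-Fi whitelist, $4 = mobile whitelist
would_allow() {
  uid=$1; iface=$2
  case "$iface" in
    "$WIFI_IF")   list=$3 ;;
    "$MOBILE_IF") list=$4 ;;
    *)            return 0 ;;  # no chain hooked on other interfaces (e.g. lo)
  esac
  for u in $list; do
    [ "$u" = "$uid" ] && return 0
  done
  return 1
}

# Usage on a rooted phone. App UIDs come from /data/system/packages.list
# (second column) or `dumpsys package <name>`. With the assumed UIDs 10042
# and 10057, this is the "Pandora on Wi-Fi but not 3G" case from the thread:
#   gen_ruleset "10042 10057" "10042"              # review the commands
#   gen_ruleset "10042 10057" "10042" | su -c sh   # apply as root
```

Two caveats belong with this. The owner match sees only packets the phone generates, so it does nothing for forwarded traffic, and it does not survive a reboot: DroidWall re-applies its rules from a boot receiver, and a hand-rolled script needs the same. It also does exactly what KiloByte warns about and no more: it decides by UID, so an app that gets code into an allowed process (or into root) walks straight through.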