An update on using Tor on Android

Back in 2012 I wrote a blog post on using Tor on Android which has proved quite popular over the years.

These days, there is the OrFox browser, which is from The Tor Project and is likely the current best way to browse the web through Tor on your Android device.

If you’re still using the custom setup Firefox, I’d recommend giving OrFox a try – it’s been working quite well for me.

Telstra has a database of your NextG web activity

So, in what must be my biggest blog day ever, Telstra posted this: http://exchange.telstra.com.au/2012/06/28/further-update-telstra-smart-controls-cyber-safety-tool/

What is clear from their previous post and the pickup in the media (including ABC, Crikey and news.com.au) is that people care about this, a lot.

What is also clear is that they’ve had to go and talk to the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman and the Australian Communications Consumer Action Network.

I’d like to thank Senator Ludlam for raising this with Telstra government affairs which without a doubt helped raise the profile of this issue.

There are a couple of issues with Telstra’s updated statement:

  1. They admit to constructing a database with your full query string and IP address
  2. They don’t address the moral issue of being involved with a company so involved in curtailing human rights (Netsweeper).
  3. Just stripping out the query string doesn’t erase all personal information

I don’t think we can ignore any of these problems, and I hope we get good responses and resolutions to them.

The significance of point 1 should not be understated. This means that some people, somewhere, have access to a decent amount of your browsing history. There is no details on who has access to this (hint: law enforcement could probably request it). There is also no explanation about why this was applied to everyone.

Update: after rereading their blog post, at best I can say it’s ambiguous on if they stored this or not. One sentence implies that they do, another implies that they don’t. Clarification would be most welcome, and given the history so far, we should not assume the best.

Personally, I’m really disappointed in Telstra for at any point thinking it’s okay to finance human rights abuses. I’m also really disappointed in world governments for permitting the sale of such software to those who use it to oppress their people. We should be in the business of exporting freedom and democracy, not exporting tyranny and oppression.

If you have a NextG handset, I strongly suggest the following:

Tor + Firefox + Twitter + (not rooted) Android = awesome

Update: As of October 2015, you should likely install the OrFox browser which is from The Tor Project and is a port of the Tor Browser to Android. Installing OrBot and OrFox makes browsing through Tor on an Android device easy. The rest of this blog entry is left in-tact for historical record, but as of now, look at OrFox rather than this process.

This is actually pretty simple to get going once you know how. This is a short “HOWTO use Tor on Android”

Basic problem: I want to use Tor on my phone. If you’re wondering why, perhaps my previous posts on Telstra and what they do to your traffic may be a good hint.

First of all, you’re going to want to install OrBot. It’s available from the Google Play store. There is absolutely no harm in leaving this running all the time in the background. I have found it to have zero impact on battery life of my phone (the Battery thing in settings doesn’t show OrBot at all).

With OrBot running, you now have a HTTP and SOCKS proxy available on your phone. This means you can set any app that can use a HTTP or SOCKS proxy to do their Internet access through Tor instead of directly through your Wifi or cellular network.

The Twitter client wonderfully has built in support for using a HTTP proxy. You just need to go into the Twitter app’s Settings, click “Enable HTTP Proxy”, and set “Proxy Host” to localhost and “Proxy Port” to 8118. You are now done. You can test this by disabling OrBot and then trying to refresh your Twitter stream. If it doesn’t work, then Twitter is trying to use the (not running) Tor proxy. Re-enable OrBot to be able to use your Twitter client. This “just works”.

There is pretty much no excuse not to have your phone Twitter client go through Tor. We all know that Twitter gets all sorts of legal queries for information about users. We also know that they’ve been fairly good about it, and indeed hats off to Twitter for being awesome. But… guess what? We can just ensure they don’t have any information worth handing over :)

Next step… Web Browsing. The Firefox Beta is pretty awesome. It’s fast and usable (which is exactly what you want in a web browser). This may also work with the standard Firefox browser (I’m not sure when they’ve updated it to be on par with the Firefox Beta version I’ve been using).

There is no place to specify proxy settings in the normal UI (I do hope Mozilla add this). But not to worry, Firefox on Android is built on the same base as Firefox on the desktop, so it does support it (there just isn’t a good UI).

What you need to do is go to the URL bar and go to “about:config”. This shows every little thing you can tweak in Firefox (a lot). Luckily, there’s a search bar. Search for “proxy” and modify the following settings to the following values (the = sign means “click modify and enter the value after the =”):

  • network.proxy.http = 127.0.0.1
  • network.proxy.http_port = 8118
  • network.proxy.socks = 127.0.0.1
  • network.proxy.socks_port = 9050
  • network.proxy.ssl = 127.0.0.1
  • network.proxy.ssl_port = 8118
  • network.proxy.type = 1
  • UPDATED: network.proxy.socks_remote_dns to “true” (click “toggle”)

Then head to http://check.torproject.org to check that it’s working!

This doesn’t provide you with all the features and benefits of using the TorButton in the desktop firefox, but it will stop your mobile phone provider spying on all the web sites you visit (unless they break into your phone itself).

Luckily, Android is fairly awesome and whenever you try to open a URL it can ask you what program you want to use to do that with. Guess what? Just select the Firefox you configured with Tor to open it and you’re browsing through Tor. Brilliant and easy with no need to go and “root your phone” or anything else that may turn people off from doing so.

Update: Thanks should also go to François Marier for his site that helped me get this right: http://feeding.cloud.geek.nz/2012/06/browsing-privacy-and-ad-blocking-on.html

Update: Added setting of socks_remote_dns