A method for implementing the android root-free firewall

Source: Internet
Author: User

While using an Android phone, I found that my data allowance was often eaten up by ad-laden apps I had installed by accident. I searched the various app markets, and most firewalls require a rooted phone. Most of them are derived from the well-known DroidWall; see for example this project on GitHub: https://github.com/skullone/android_firewall. The principle is that on a rooted phone the app uses root privileges to configure iptables, so traffic control is actually done by the Linux kernel's built-in firewall (netfilter).

However, rooting weakens Android's security model and makes exploitation by malicious code much easier. On Google Play I eventually found NoRoot Firewall, which uses the Android VpnService API to implement a firewall without root. I was very interested, so I gathered some information online and implemented a root-free firewall myself. Here I share what I learned.

Android lets you configure VPN connections under Settings > More > VPN, but the system only supports a fixed set of VPN protocols. To let an app implement its own protocol, Android provides the VpnService class, a subclass of Service. Once the service has established its interface, it behaves like an application-level proxy: every IP packet that a routed application sends is delivered to the service first, and the service decides whether and how to forward it to the network. The VpnService is therefore a man-in-the-middle between the applications and the servers they talk to, which is exactly what a firewall needs: a place to inspect, forward or drop outbound traffic.

Interaction between VpnService and client

How does the VpnService exchange packets with the client applications? Android uses the Linux TUN/TAP mechanism. TUN/TAP provides a virtual network interface (as opposed to a physical NIC). A program can open the device and obtain a file descriptor (the device is a file): read() on it returns packets that the kernel has routed to the interface, and write() injects packets as if they had just arrived on it. A physical NIC moves data between the kernel and the wire through its driver; a TUN/TAP interface instead moves data between the kernel and a user-space process. Once the tun exists and the routes point at it, packets that applications would otherwise have sent to the real NIC are delivered to the virtual interface, where the VpnService reads them; packets the VpnService writes to the tun are delivered by the kernel to the application sockets, so an app calling recv() or read() receives whatever the VpnService wrote. The redirection is done through the routing table: the routes passed to VpnService.Builder (addRoute) steer matching traffic into tun. Since Android 5.0 the Builder can also limit this to chosen packages (addAllowedApplication / addDisallowedApplication), which the system implements with per-UID routing rules, so a firewall can capture only the apps it wants to police while the rest keep using the physical interface.

The difference between tun and tap: a tun interface carries IP packets (layer 3 and above, that is an IP header plus its payload), while a tap interface carries Ethernet frames (layer 2 and above, including the data-link header). Android uses a tun, so what you read from and write to the descriptor are raw IP packets. To confirm that a VpnService has created the virtual interface, install NoRoot Firewall, enable it and run `adb shell netcfg`: an interface named tun0 is listed as UP. (netcfg was removed in newer Android releases; `adb shell ip addr show tun0` gives the same information.)

For more on TUN/TAP see the Linux kernel's TUN/TAP documentation. It is a general Linux mechanism, not something specific to Android.

VpnService and network server interaction

How does the VpnService send the data it receives on to the Internet? On ordinary Linux a process with CAP_NET_RAW (typically root) can send raw IP packets through a raw socket, but an unprivileged Android app has no such capability and can only open ordinary TCP and UDP sockets. So the service must unwrap each IP packet read from tun, extract the TCP or UDP payload (the application-layer data), and send that payload over a normal socket to the destination server. Data received from the server travels the other way: prepend a TCP/UDP header and an IP header and write the packet to tun. UDP is stateless, so each datagram can be relayed on its own. TCP is considerably more involved, because toward the client the service has to behave like the remote end of the connection:

  • On a SYN from the client, connect() a real socket to the destination.
  • If connect() succeeds, write a SYN/ACK back to tun. The client answers with the final ACK, which the service only has to consume, so from the client's point of view the three-way handshake is complete.
  • During transfer, track the sequence numbers in both directions so that the seq and ack fields of every packet written to tun are correct.
  • On a FIN from the client, close the real socket and answer with FIN/ACK. When the server closes first, the service must send a FIN to the client.
  • On an RST, close the connection.

In effect, the service reimplements a (simplified) TCP stack in user space.
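The unpack/rebuild step and the first two items of the list above (client SYN in, SYN/ACK out with correct sequence numbers and checksums), as an added worked example; this is not code from the original article or from NoRoot Firewall. It is plain Java with no Android dependency, so it compiles and runs on a workstation; the addresses, ports and sequence numbers in main are constructed sample values, and the class and method names are my own.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

/** IPv4/TCP parsing and synthesis for a user-space TCP relay sitting behind a tun device. */
public final class TunTcp {
    public static final int FIN = 0x01, SYN = 0x02, RST = 0x04, ACK = 0x10;

    /** The fields of a tun packet that the relay's per-connection state machine needs. */
    public static final class TcpPacket {
        public int srcIp, dstIp, srcPort, dstPort, flags;
        public long seq, ack;
        public byte[] payload;
    }

    /** Parses a packet read from tun; returns null unless it is a well-formed IPv4 TCP segment. */
    public static TcpPacket parse(byte[] pkt, int len) {
        if (len < 20 || ((pkt[0] >> 4) & 0xF) != 4 || (pkt[9] & 0xFF) != 6) return null;
        ByteBuffer b = ByteBuffer.wrap(pkt, 0, len);
        int ihl = (pkt[0] & 0x0F) * 4, total = b.getShort(2) & 0xFFFF;
        if (ihl < 20 || total > len || ihl + 20 > total) return null;
        int tcpLen = ((pkt[ihl + 12] >> 4) & 0xF) * 4;             // TCP data offset, in 32-bit words
        if (tcpLen < 20 || ihl + tcpLen > total) return null;
        TcpPacket p = new TcpPacket();
        p.srcIp = b.getInt(12);
        p.dstIp = b.getInt(16);
        p.srcPort = b.getShort(ihl) & 0xFFFF;
        p.dstPort = b.getShort(ihl + 2) & 0xFFFF;
        p.seq = b.getInt(ihl + 4) & 0xFFFFFFFFL;
        p.ack = b.getInt(ihl + 8) & 0xFFFFFFFFL;
        p.flags = pkt[ihl + 13] & 0xFF;
        p.payload = Arrays.copyOfRange(pkt, ihl + tcpLen, total);
        return p;
    }

    /** Builds a minimal IPv4/TCP packet (no options) with correct IP and TCP checksums. */
    public static byte[] build(int srcIp, int srcPort, int dstIp, int dstPort,
                               int flags, long seq, long ack, byte[] payload) {
        int total = 40 + payload.length;
        ByteBuffer b = ByteBuffer.allocate(total);
        b.put((byte) 0x45).put((byte) 0).putShort((short) total);     // IPv4, IHL 5, TOS, total length
        b.putShort((short) 0).putShort((short) 0x4000);               // ID, DF flag, fragment offset 0
        b.put((byte) 64).put((byte) 6).putShort((short) 0);           // TTL, protocol TCP, checksum (later)
        b.putInt(srcIp).putInt(dstIp);
        b.putShort((short) srcPort).putShort((short) dstPort);
        b.putInt((int) seq).putInt((int) ack);
        b.put((byte) 0x50).put((byte) flags).putShort((short) 0xFFFF); // data offset 5, flags, window
        b.putShort((short) 0).putShort((short) 0);                    // checksum (later), urgent pointer
        b.put(payload);
        byte[] out = b.array();
        b.putShort(10, (short) checksum(out, 0, 20, 0));
        // The TCP checksum also covers a pseudo-header: both addresses, protocol 6 and the TCP length.
        int pseudo = sum16(out, 12, 8) + 6 + (total - 20);
        b.putShort(36, (short) checksum(out, 20, total - 20, pseudo));
        return out;
    }

    /** Step 2 of the list above: once connect() to the server has succeeded, answer the client's SYN. */
    public static byte[] synAck(TcpPacket syn, long ourIsn) {
        long ackNum = (syn.seq + 1) & 0xFFFFFFFFL;                    // a SYN occupies one sequence number
        return build(syn.dstIp, syn.dstPort, syn.srcIp, syn.srcPort, SYN | ACK, ourIsn, ackNum, new byte[0]);
    }

    /** True if the IP header and TCP checksums verify: a sum over a range that includes its checksum folds to 0. */
    public static boolean checksumsValid(byte[] pkt) {
        int ihl = (pkt[0] & 0x0F) * 4, total = ((pkt[2] & 0xFF) << 8) | (pkt[3] & 0xFF);
        int pseudo = sum16(pkt, 12, 8) + 6 + (total - ihl);
        return checksum(pkt, 0, ihl, 0) == 0 && checksum(pkt, ihl, total - ihl, pseudo) == 0;
    }

    /** Sum of big-endian 16-bit words in [off, off+len); an odd trailing byte is zero-padded. */
    static int sum16(byte[] d, int off, int len) {
        int s = 0;
        for (int i = 0; i < len; i += 2) {
            int lo = (i + 1 < len) ? d[off + i + 1] & 0xFF : 0;
            s += ((d[off + i] & 0xFF) << 8) | lo;
        }
        return s;
    }

    /** RFC 1071 ones'-complement checksum, with an extra seed folded in for the pseudo-header. */
    static int checksum(byte[] d, int off, int len, int seed) {
        int s = sum16(d, off, len) + seed;
        while ((s >>> 16) != 0) s = (s & 0xFFFF) + (s >>> 16);
        return ~s & 0xFFFF;
    }

    public static void main(String[] args) {
        // Constructed sample: client 10.0.8.1:40000 (the tun address) opens a connection to 192.0.2.10:80.
        int client = 0x0A000801, server = 0xC000020A;
        byte[] synFromTun = build(client, 40000, server, 80, SYN, 1000L, 0L, new byte[0]);
        TcpPacket syn = parse(synFromTun, synFromTun.length);
        System.out.println("client SYN checksums ok: " + checksumsValid(synFromTun) + ", seq=" + syn.seq);
        // At this point the relay connect()s a protected socket to 192.0.2.10:80; on success it replies:
        byte[] reply = synAck(syn, 5000L);
        TcpPacket sa = parse(reply, reply.length);
        System.out.println("SYN/ACK checksums ok: " + checksumsValid(reply) + ", flags=0x"
                + Integer.toHexString(sa.flags) + ", seq=" + sa.seq + ", ack=" + sa.ack);
    }
}
```

The relay's later steps reuse build(): data from the server goes out with ACK set, seq equal to the relay's next sequence number and ack equal to the client's next expected byte; a server-side close is sent as FIN|ACK and the client's FIN is answered the same way. Note that the client's final handshake ACK and every later segment must be parsed for their seq/ack/flags, but nothing needs to be written back for them unless there is data or a close to deliver.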

Implementation

The service has to be started first, usually from a button in an activity. You cannot simply start the service: you first launch the system activity that asks the user to consent to the VPN (VpnService.prepare() returns the Intent for it). That consent dialog is what stops a malicious app from silently installing a VpnService and reading other applications' network traffic.

Refer to this code (in the activity):

    public void enableVpnService() {
        // prepare() returns an Intent for the system consent dialog, or null if the
        // user has already approved this app as a VPN.
        Intent intent = MyVpnService.prepare(getApplicationContext());
        if (intent != null) {
            startActivityForResult(intent, 0);
        } else {
            onActivityResult(0, RESULT_OK, null);
        }
    }

    @Override
    protected void onActivityResult(int request, int result, Intent data) {
        // Only start the service once the user has consented.
        if (result == RESULT_OK) {
            Intent intent = new Intent(this, MyVpnService.class);
            startService(intent);
        }
    }

Then, in the service's onStartCommand(), create the tun.

To make creating the tun easy, Android provides the nested class VpnService.Builder. For example, we can call:

    Builder builder = new Builder();
    builder.addAddress("10.0.8.1", 32)   // address of the tun interface itself
           .addRoute("0.0.0.0", 0)       // send every IPv4 destination into tun
           .setSession("Firewall")       // name shown in the system VPN notification
           .setMtu(1500);
    ParcelFileDescriptor tunFd = builder.establish();

The descriptor returned by establish() is the tun device: reading from it yields the IP packets the applications sent, and writing to it delivers packets to them. Wrap tunFd.getFileDescriptor() in a FileInputStream and a FileOutputStream, and do that I/O on a dedicated thread: reads block, and blocking the main thread causes an ANR. (The variable cannot be called `interface`, which is a Java keyword.)

A socket that the service opens to reach the real server is itself subject to the routes installed above, so its packets would be routed back into tun, the service would read them again, and the traffic would loop forever. Call VpnService.protect() on every such socket (Socket, DatagramSocket or raw file descriptor) before using it: a protected socket bypasses the VPN routing and goes out directly through the physical NIC. protect() returns false if the service is not the currently active VPN, so check its result.
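The steps above (consent, onStartCommand(), Builder, worker thread, protect()) assembled into one service, as an added example that is neither the article's own code nor NoRoot Firewall's. It implements the simplest useful policy: UDP is relayed through protected sockets, everything else is dropped. The class name MyVpnService matches the activity snippet above and the addresses and session name match the Builder snippet; the one-socket-per-datagram relay and the 3 s timeout are simplifications of my own. The service must be declared in the manifest with android:permission="android.permission.BIND_VPN_SERVICE" and an intent-filter for the action android.net.VpnService, or the system will refuse to bind to it.

```java
import android.content.Intent;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.SocketTimeoutException;
import java.nio.ByteBuffer;

/** Root-free firewall: reads IP packets from tun, relays UDP through protected sockets, drops the rest. */
public class MyVpnService extends VpnService implements Runnable {
    private ParcelFileDescriptor tun;
    private Thread worker;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (tun == null) {
            tun = new Builder()                        // VpnService.Builder, as in the snippet above
                    .addAddress("10.0.8.1", 32)
                    .addRoute("0.0.0.0", 0)            // every IPv4 destination goes into tun
                    .setSession("Firewall")
                    .setMtu(1500)
                    .establish();
            worker = new Thread(this, "tun-worker");   // tun I/O must not run on the main thread
            worker.start();
        }
        return START_STICKY;
    }

    @Override
    public void onDestroy() {
        super.onDestroy();
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }   // unblocks the reader
        tun = null;
    }

    @Override
    public void run() {
        FileInputStream in = new FileInputStream(tun.getFileDescriptor());
        FileOutputStream out = new FileOutputStream(tun.getFileDescriptor());
        byte[] pkt = new byte[32767];
        try {
            while (true) {
                int len = in.read(pkt);                // one raw IP packet per read
                if (len <= 0) continue;
                if (((pkt[0] >> 4) & 0xF) == 4 && (pkt[9] & 0xFF) == 17) {   // IPv4 carrying UDP
                    byte[] reply = relayUdp(pkt, len);
                    if (reply != null) out.write(reply);
                }
                // TCP (which needs the state machine described earlier), ICMP and IPv6 are dropped here.
            }
        } catch (IOException e) {
            // tun was closed by onDestroy(), or the underlying network went away: stop the loop
        }
    }

    /** Sends one UDP payload to its real destination; returns the reply re-encapsulated for tun, or null. */
    private byte[] relayUdp(byte[] pkt, int len) throws IOException {
        ByteBuffer b = ByteBuffer.wrap(pkt, 0, len);
        int ihl = (pkt[0] & 0x0F) * 4, dataOff = ihl + 8;
        int dstPort = b.getShort(ihl + 2) & 0xFFFF;
        byte[] dstIp = { pkt[16], pkt[17], pkt[18], pkt[19] };
        DatagramSocket sock = new DatagramSocket();
        // Without protect() the socket's own packets would match the 0.0.0.0/0 route and loop back into tun.
        if (!protect(sock)) { sock.close(); return null; }
        try {
            sock.setSoTimeout(3000);
            sock.send(new DatagramPacket(pkt, dataOff, len - dataOff, InetAddress.getByAddress(dstIp), dstPort));
            DatagramPacket resp = new DatagramPacket(new byte[1500 - 28], 1500 - 28);
            sock.receive(resp);
            return encapsulate(pkt, ihl, resp.getData(), resp.getLength());
        } catch (SocketTimeoutException e) {
            return null;                               // no answer: nothing to write back to tun
        } finally {
            sock.close();
        }
    }

    /** Wraps a reply payload in an IPv4/UDP header derived from the request, with addresses and ports swapped. */
    private static byte[] encapsulate(byte[] req, int ihl, byte[] data, int dataLen) {
        ByteBuffer b = ByteBuffer.allocate(28 + dataLen);
        b.put(req, 0, 20).put(req, ihl, 8).put(data, 0, dataLen);     // base IP header, UDP header, payload
        b.put(0, (byte) 0x45).putShort(2, (short) (28 + dataLen));    // IHL 5 (options dropped), new length
        for (int i = 0; i < 4; i++) { b.put(12 + i, req[16 + i]); b.put(16 + i, req[12 + i]); }
        short sport = b.getShort(20), dport = b.getShort(22);
        b.putShort(20, dport).putShort(22, sport);
        b.putShort(24, (short) (8 + dataLen)).putShort(26, (short) 0); // UDP length; zero checksum is legal on IPv4
        b.putShort(10, (short) 0);
        int s = 0;                                                     // RFC 1071 checksum over the 20-byte IP header
        for (int i = 0; i < 20; i += 2) s += b.getShort(i) & 0xFFFF;
        while ((s >>> 16) != 0) s = (s & 0xFFFF) + (s >>> 16);
        b.putShort(10, (short) ~s);
        return b.array();
    }
}
```

Because the reader thread blocks in sock.receive(), this version handles one datagram at a time; a real relay keeps a table of open flows keyed by (source port, destination address, destination port), reuses a protected socket per flow and multiplexes them with a selector or a second thread. The firewall decision itself is the `if` in run(): to block a destination, drop the packet instead of calling relayUdp(). Note that the policy applies per packet, so the decision can use the destination address and port, but the originating application has to be identified through the Builder's allowed/disallowed package lists rather than from the packet, which carries no UID.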

Android ships a ToyVpn sample project; search for its code, or create it from the Android sample code in Eclipse. You can also refer to this introduction article.
