Highlights
100% open source (GPLv2+)
No ads
One-click connection (batch mode)
Supports RSA SecurID and TOTP software tokens
Keepalive feature to prevent unnecessary disconnections
Compatible with ARMv7, x86, and MIPS devices
No root required
Based on the popular OpenConnect Linux package
Requirements
Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
An account on a suitable VPN server
Downloads
Binaries are attached to this post under the downloads tab.
Google Play: https://play.google.com/store/apps/details?id=app.openconnect
Source code: https://github.com/cernekee/ics-openconnect
F-Droid: https://f-droid.org/repository/browse/?fdid=app.openconnect
(note that the F-Droid binaries are signed by a different key than the official releases)
Changelog
Code:
v1.11 - 2015/02/21
- Fix "Unknown compression type 0" errors when CSTP and DTLS use
different compression settings
Older changelogs:
Code:
v1.10 - 2015/02/08
- Fix CSD script problem on Lollipop (bug #1)
- Fix IPv6 address display on status window (bug #2)
- Enable LZ4 compression support
- Identify as a mobile client when Android or iOS is selected
- Update to OpenConnect v7.04+, GnuTLS 3.2.21
v1.02 - 2014/09/02
- Fix regression on certificate handling
v1.01 - 2014/08/29
- Add Spanish translations (thanks to teosoft)
- Fix regression on CSD scripts starting with "#!/bin/sh"
- Improve error messages on broken ROMs that throw exceptions when
starting a VpnService
- Fix intermittent fragment-related crashes on ICS
v1.00 - 2014/08/10
- Fix problems storing >8kB certificates on some ROMs
- Clean up seldom-used menu items and move some options into General Settings
or About
- Integrate Xposed module for bypassing the VPN confirmation dialog
- Switch to ACRA for problem reporting
v0.96 - 2014/07/06
- Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
https://code.google.com/p/android/issues/detail?id=70916
- Fix navigation anomalies (weird Back button behavior) seen after
re-entering OpenConnect from one of the Notifications
v0.95 - 2014/06/14
- Show the auth dialog <message> text in case it contains useful information
- Add German translations (thanks to Ingo Zansinger <[email protected]>)
- Add Chinese translations
- Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
- Clean up a bunch of lint warnings and unused strings/files
- Try to generate a human-readable profile name when adding a new VPN
v0.91 - 2014/06/01
- Fix bugs involving saved authgroups
- Fix batch mode error handling
- Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466
v0.9 - 2014/04/26
- Add new "Send feedback" screen
- Add new "SecurID info" screen for RSA soft token users
- Allow changing settings and using other menu options (about, SecurID,
send feedback, etc.) while connected
- Update FAQ and provide some links to relevant XDA posts
v0.81 - 2014/04/06
- Fix potential issue recognizing certificates stored in VPN profiles
created with <= v0.7
v0.8 - 2014/04/02
- Fix hangs after reconnect if DTLS is disabled
- Fix incorrect storage of PKCS#12 certificates
- Remove unnecessary passphrase prompts on unencrypted certificates
- Add a workaround for ASA certificate request quirks
- Fix FC when attempting to import an OpenVPN profile
v0.7 - 2014/03/08
- Update GnuTLS to address CVE-2014-0092
- Fix FC and other misbehavior on IPv6 connections
- Update to libopenconnect 5.99+
- Fix/delete several broken translations
- Minor improvements to the auth form UI
- Switch curl from OpenSSL to GnuTLS and remove advertising clauses
v0.6 - 2014/02/09
- First release in Google Play Store
- Change to new "big O" launcher icon
- Avoid displaying error alerts if the user terminated the connection
- Try to make the libopenconnect build process more robust, and strip *.so
files to conserve space
v0.5 - 2014/02/01
- Fix "living dead" connections (can't pass data after reconnection due to
DTLS parameter mismatches)
- Add FAQ tab in response to user feedback
- Move log window into a tab
- Reorganize action bar so that the most important items (Status/Log/FAQ)
are tabs, and less important items (Settings/About) are in the menu
- Fix KeepAlive socket errors on KitKat devices
- Other UI and documentation fixes
- Add split tunnel configuration options
- Improve icons
v0.2 - 2014/01/18
- Allow SecurID token import via URI or text file
- Newly reworked "status" tab with uptime, error alerts, IP addresses,
etc.
- Fix a couple of bugs involving screen rotation / activity redraw on
the log window
- Prompt for hostname instead of profile name when adding a new VPN, to
help avoid "empty hostname" mistakes
- Numerous other UI improvements and fixes
- Remove "reconnect on boot" until it works properly
- Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"
FAQ
Q: What is this app used for?
A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.
If in doubt, check with your I.T. administrator to see if a suitable service is available.
Q: How do I get started?
A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.
Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.
Q: How do I authenticate using an SSL client certificate?
A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:
P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.
Single PEM/CRT/CER file: same as above.
Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.
When finished, delete the certificate files from external storage so they cannot be stolen by other apps.
If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.
Q: Will OpenConnect work with non-AnyConnect VPNs?
A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.
Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?
A: OpenConnect supports SSL VPN (CSTP + DTLS) only.
Q: How do I import a SecurID software token?
A: If you have a URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string, write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.
If you have an "sdtid" XML file, copy it to /sdcard and then import it.
Q: Is it possible to skip all login prompts when connecting?
A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.
The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.
Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.
Q: How do I improve battery life while the VPN is up?
A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.
Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.
Q: How do I use OpenConnect with AFWall+?
A: There are a few caveats to keep in mind when using an Android firewall with VPN:
* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.
Q: Are any apps incompatible with VPN?
A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.
Q: Under what circumstances will OpenConnect request root?
A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.
Based on user feedback and testing, future releases may autodetect these conditions.
Q: How do I send a problem report?
A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.
TODO
Translations - I will set up the necessary infrastructure if there are volunteers
Compatibility testing
Add x509 certificate parsing/validation in the profile editor
Enable Android keystore support
Proxy support
Split tunnel DNS?
MISC
Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link
XDA:DevDB Information
OpenConnect, App for the Android General
Contributors
cernekee
Source Code: https://github.com/cernekee/ics-openconnect
Version Information
Status: Testing
Created 2014-01-18
Last Updated 2015-02-21
Hello cernekee,
I was using SmoothConnect on my Note 3 and it was working just fine, but now, after I updated my Note 3 to KitKat, it surfs only a couple of things like "Play Store", Google search, and WhatsApp, but all other web sites and programs do not!!
Now I tried out this program "OpenConnect" with some hope but nope, it does the same thing. It only opens Play Store and Google search but no other things.
I wonder what causes this problem, any suggestions please??
msm88now said:
Hello cernekee,
I was using SmoothConnect on my Note 3 and it was working just fine, but now, after I updated my Note 3 to KitKat, it surfs only a couple of things like "Play Store", Google search, and WhatsApp, but all other web sites and programs do not!!
Now I tried out this program "OpenConnect" with some hope but nope, it does the same thing. It only opens Play Store and Google search but no other things.
I wonder what causes this problem, any suggestions please??
Sometimes an MTU or TCP MSS problem could cause this symptom. What kind of gateway are you connecting to? Are you the administrator?
Older versions of KitKat did have an MSS problem; I think 4.4.1+ is OK: https://code.google.com/p/android/issues/detail?id=61948
There are a few other outstanding problems on <= 4.4.2: http://www.androidpolice.com/2014/0...n-routing-fixes-are-planned-for-some-of-them/
Do you see the same problem connecting from other systems, like a Windows PC, or even the Cisco AnyConnect Android app?
Hi cernekee,
I have an openSSL Cisco VPN connection provided by my university. I hooked it up with a D-615 Dlink router through DHCP.
Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide. That's why I'm using SmoothConnect.
Anyway, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my Galaxy S2 on Android 4.1.2.
All work except my Note 3 after I updated it to (4.4.2). I don't know if it's an IPv6 or MTU problem.
I tried to decrease the MTU value in SmoothConnect but with no success, as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
Any suggestions please???
msm88now said:
Hi cernekee,
I have an openSSL Cisco VPN connection provided by my university. I hooked it up with a D-615 Dlink router through DHCP.
Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide.
I don't see this university's VPN requesting a certificate (i.e. SSL client cert). It just asks for a group/username/password.
Are you getting an error that says that the gateway is not licensed for mobile, after you enter your password?
That's why I'm using SmoothConnect.
Anyway, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my Galaxy S2 on Android 4.1.2.
All work except my Note 3 after I updated it to (4.4.2). I don't know if it's an IPv6 or MTU problem.
I tried to decrease the MTU value in SmoothConnect but with no success, as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)
Any suggestions please???
Can you grab a packet capture when you're seeing the connectivity failures, and email me the result? e.g.
Code:
adb push tcpdump /data/local/tmp
adb shell
cd /data/local/tmp
su
chmod 755 tcpdump
./tcpdump -n -i tun0 -w out.pcap
Yes, that's right, Cisco AnyConnect asks only for username/password, but when I try to start a connection it ends up with no license error!
That's why I'm using SmoothConnect and now OpenConnect on both my Android phones.
Now for my problem: I didn't get what you mean by connectivity failure, because I'm not getting any connectivity failure messages on my Note 3 after the update to 4.4.2, neither on SmoothConnect nor on OpenConnect. It connects as usual and I can see some traffic packets are being transferred, but I can only surf Google search, YouTube and some other stuff like Play Store and WhatsApp. Whenever I try to surf any other website, like for example BBC News, the browser (Chrome, Opera, Dolphin..) just waits and then ends up with nothing, like there is no internet connection!
Did I explain my problem clearly? Is it an IPv6 problem? I'm really confused and frustrated.
msm88now said:
Yes, that's right, Cisco AnyConnect asks only for username/password, but when I try to start a connection it ends up with no license error!
OK. This is because the Cisco mobile clients look for an "X-CSTP-License: accept" header from the gateway after authenticating, to see if the operator has paid extra to support the Cisco mobile client. libopenconnect-based clients (including SmoothConnect) do not require this header.
Now for my problem: I didn't get what you mean by connectivity failure, because I'm not getting any connectivity failure messages on my Note 3 after the update to 4.4.2, neither on SmoothConnect nor on OpenConnect. It connects as usual and I can see some traffic packets are being transferred, but I can only surf Google search, YouTube and some other stuff like Play Store and WhatsApp. Whenever I try to surf any other website, like for example BBC News, the browser (Chrome, Opera, Dolphin..) just waits and then ends up with nothing, like there is no internet connection!
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
cernekee said:
I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
Hi,
I don't know how to make tcpdump on my Note 3, not to mention hitting control-C on Android. What instruction did you mean?
msm88now said:
I don't know how to make tcpdump on my Note 3, not to mention hitting control-C on Android. What instruction did you mean?
Do you have a friend who is familiar with ADB, rooting phones, etc. who might be able to help out in person?
You could also try something like Shark for Root, or follow this video. Make sure you capture on the tun0 interface so that we can see what is happening on the VPN tunnel. If you capture from the wifi interface you'll still see traffic, but everything will be encrypted so it will not be possible to diagnose the failure.
I got it. First I rooted my Note 3, then I followed the instructions in the video, and here it is. I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed.
msm88now said:
I got it. First I rooted my Note 3, then I followed the instructions in the video, and here it is. I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed.
According to this trace (partial screenshot attached), the Note 3 is advertising an MSS of 1460 bytes on IPv4 TCP connections. This looks abnormally high for a VPN interface; the other direction is using an MSS of 1380, which looks more realistic. The MSS for IPv4 would normally be the tun0 MTU minus 40 bytes. I am assuming this means the MSS is being computed from the 1500-byte wlan0/eth0 MTU, not the smaller tun0 MTU.
When Google fixed the MSS bug in Android 4.4.1, they left the following comments in the changelog:
Code:
commit ca5b4e8d0d8219273ecf0961ed6e8c47ab5d798a
Author: JP Abgrall <[email protected]>
Date: Wed Nov 20 17:27:01 2013 -0800
SecondaryTableController: force the MSS to match pmtu on TCP SYN
Without this change, the VPN sets up a tun/ppp that needs a small
MTU, and during TCP SYN the MSS will end up matching the outgoing iface
MTU which is potentially too big.
This leads to connection flakiness. The wrong MSS is visible by
tcpdump-ing on the tun/ppp device.
With this change, the MSS now is correct.
[b]It requires the kernel to be configured with
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
If kernel is not configured, it silently fails.[/b]
Bug: 11579326
Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
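The MSS check described in the post above, as an added example that is not part of the original thread: it reads a classic pcap taken on tun0, extracts the MSS option from every IPv4 TCP SYN, and reports those larger than the tunnel MTU minus 40 bytes. The raw-IP link type (101), the 1420-byte tun0 MTU and the sample addresses are assumptions; the sample capture is constructed to mirror the 1460/1380 values mentioned in the post.

```python
import struct

LINKTYPE_RAW = 101       # raw IP, no link-layer header (assumed for a tun0 capture)
IPV4_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header


def read_pcap(data):
    """Yield raw packets from a classic (non-pcapng) capture file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_RAW:
        raise ValueError("expected a raw-IP capture, got linktype %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        (incl_len,) = struct.unpack(endian + "I", data[offset + 8:offset + 12])
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len


def syn_mss(packet):
    """Return (src, dst, kind, mss) for an IPv4 TCP SYN or SYN/ACK, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                       # not IPv4, or not TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                       # later fragment: no TCP header here
    tcp = packet[(packet[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not tcp[13] & 0x02:
        return None                       # truncated, or SYN flag not set
    options = tcp[20:(tcp[12] >> 4) * 4]
    mss, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                         # malformed length, stop parsing
        length = options[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(options):
            (mss,) = struct.unpack("!H", options[i + 2:i + 4])
        i += length
    if mss is None:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, "SYN/ACK" if tcp[13] & 0x10 else "SYN", mss


def oversized_syns(pcap_bytes, tun_mtu):
    """List SYNs whose advertised MSS cannot fit inside the tunnel MTU."""
    limit = tun_mtu - IPV4_TCP_OVERHEAD
    found = []
    for packet in read_pcap(pcap_bytes):
        parsed = syn_mss(packet)
        if parsed and parsed[3] > limit:
            found.append(parsed)
    return found


def tcp_packet(src, dst, flags, mss=None):
    """Build a minimal IPv4/TCP packet for the constructed sample capture."""
    options = struct.pack("!BBH", 2, 4, mss) if mss else b""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0,
                      (5 + len(options) // 4) << 4, flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp


def sample_capture():
    """Constructed capture: device SYN (MSS 1460), server SYN/ACK (1380), ACK."""
    device, server = (192, 0, 2, 10), (198, 51, 100, 20)
    packets = [tcp_packet(device, server, 0x02, mss=1460),
               tcp_packet(server, device, 0x12, mss=1380),
               tcp_packet(device, server, 0x10)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for n, packet in enumerate(packets):
        out += struct.pack("<IIII", n, 0, len(packet), len(packet)) + packet
    return out


if __name__ == "__main__":
    for src, dst, kind, mss in oversized_syns(sample_capture(), tun_mtu=1420):
        print("%s -> %s %s advertises MSS %d, limit is %d"
              % (src, dst, kind, mss, 1420 - IPV4_TCP_OVERHEAD))
```

To run it on a real capture, pass the bytes of out.pcap and the MTU actually configured on tun0.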
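cernekee said:
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu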
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).
I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.
If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
As you can see in the attachment, I applied the code with no error message. So in this case I assume I have no problem with the kernel, right?
Then what causes the problem? And what can I do in order to solve it?
msm88now said:
As you can see in the attachment, I applied the code with no error message. So in this case I assume I have no problem with the kernel, right?
Then what causes the problem? And what can I do in order to solve it?
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Code:
su
iptables -t mangle -nxvL
cernekee said:
Can you connect to the VPN, try to access a few "bad" sites, and then post the full output from:
Here is the output after some bad sites access. I also repeated the previous code during an OpenConnect session. Hope it will help us.
msm88now said:
Here is the output after some bad sites access
Hmm, on my KitKat device I have an st_mangle_POSTROUTING chain which does the TCPMSS clamping:
Code:
Chain st_mangle_POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
I did not see this in your output. Maybe Samsung is using an outdated version of netd.
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
Code:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
If not, post the new "iptables -t mangle -nxvL" output so we can look at the traffic counters.
Also can you attach your /system/bin/netd binary?
Thanks.
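One way to automate the check described in the post above, as an added example that is not part of the original thread: it scans "iptables -t mangle -nxvL" output for a TCPMSS clamp rule that covers all traffic leaving tun0 and reads its packet counter. The function names, the chain policy lines and the non-zero counters in the samples are constructed; the rule rows follow the layout of the st_mangle_POSTROUTING listing quoted in the post.

```python
def tcpmss_clamp_rules(listing, iface="tun0"):
    """Return (chain, packets, bytes) for each TCPMSS clamp rule covering iface."""
    rules, chain = [], None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        # Rule rows start with two numeric counters; the column header does not.
        if len(fields) < 9 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        target, out_if, source, dest = fields[2], fields[6], fields[7], fields[8]
        match_text = " ".join(fields[9:])
        if target != "TCPMSS" or "clamp to PMTU" not in match_text:
            continue
        if out_if not in (iface, "*"):
            continue                      # rule is bound to another interface
        if source != "0.0.0.0/0" or dest != "0.0.0.0/0":
            continue                      # host-specific rule, not a general clamp
        rules.append((chain, int(fields[0]), int(fields[1])))
    return rules


def clamp_status(listing, iface="tun0"):
    """Classify a listing as 'missing', 'present, no hits' or 'active'."""
    rules = tcpmss_clamp_rules(listing, iface)
    if not rules:
        return "missing"
    if sum(pkts for _, pkts, _ in rules) == 0:
        return "present, no hits"
    return "active"


HEADER = "    pkts      bytes target     prot opt in     out     source               destination\n"

# Constructed: only the kernel-support test rule (-d 1.2.3.4) is loaded.
SAMPLE_TEST_RULE_ONLY = (
    "Chain POSTROUTING (policy ACCEPT 153 packets 11234 bytes)\n" + HEADER +
    "       0        0 TCPMSS     tcp  --  *      *       0.0.0.0/0            1.2.3.4"
    "              tcpflags: 0x02/0x02 TCPMSS clamp to PMTU\n"
)

# Rule row as quoted in the post: present, counters still at zero.
SAMPLE_NETD_CHAIN = (
    "Chain st_mangle_POSTROUTING (1 references)\n" + HEADER +
    "       0        0 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0"
    "            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU\n"
)

# Constructed: the manually appended tun0 rule after some SYNs have matched it.
SAMPLE_MANUAL_RULE = (
    "Chain POSTROUTING (policy ACCEPT 153 packets 11234 bytes)\n" + HEADER +
    "      12      720 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0"
    "            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU\n"
)

if __name__ == "__main__":
    for name, text in (("test rule only", SAMPLE_TEST_RULE_ONLY),
                       ("netd chain", SAMPLE_NETD_CHAIN),
                       ("manual rule", SAMPLE_MANUAL_RULE)):
        print(name, "->", clamp_status(text))
```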
cernekee said:
Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:
Code:
iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Are you kidding me!! It really worked. After I ran the code I tried to access all the bad sites and all of them worked!! But not as fast as my other mobile, the SG2. I noticed that it takes noticeably much longer to access them. But still, it worked and it's fantastic!!
Anyway, I rebooted my Note 3 to see if it would work again, but it turned out it didn't! I need to re-enter the code again to make it work. Now could you tell me what my phone's problem is exactly? Despite the re-entering issue, I'm very happy that I can finally use the internet on my Note 3 again, thanks to you cernekee.
msm88now said:
Anyway, I rebooted my Note 3 to see if it would work again, but it turned out it didn't! I need to re-enter the code again to make it work. Now could you tell me what my phone's problem is exactly?
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
cernekee said:
The ROM is supposed to add that rule automatically, but it doesn't.
If you attach your /system/bin/netd binary and output from "getprop" I'll try to figure out why.
Here I attached them.
I posted a problem report on Samsung's support forum:
http://developer.samsung.com/forum/...&messageId=259244&listLines=15&startId=zzzzz~
Works like a charm with the latest SlimKat on Nexus 4. Thanks a lot!
Just add a widget for one-click connect from the launcher and it will be the best VPN app that I've used.
Today I have a Tasker task to launch AnyConnect with a URI and simulate screen touches to automate my connection.
@ edit:
Is there a way to not have the attached screen?
Network Host Monitor is a tool to monitor availability of servers, routers, sites, blogs, etc. You just need to specify the address (URL or IP), set the type (Ping, GET) and the interval for checking.
This application supports various check types: TCP Ping and ICMP Echo, HTTP Get and running custom remote scripts. In the last case the tool can check the answer for a specified word or phrase. HTTP Head requests (for code 200) are also supported.
Host Monitor interface supports notifications, widget, sound and LED indication. You can specify alert condition - e.g. always, or only if errors, or if status changed, etc. App can save, show and export logs in various formats, and provides statistics feature.
Tool interface supports both phone and tablet modes. You can set preferred layout mode in preferences.
List of major features:
Checking through host resolve, console ping, HTTP GET or HEAD requests
Customizable notifications, and rich preferences/settings
Widget with last check results
Support of unlimited number of hosts/sites
Setting checking interval between 5 minutes to 6 hours
Advanced logging with ability to export logs to text or csv
Logs statistics feature
Auto run on device restart
Optimized interface layouts for both phone and tablet
Ability to run console ping on devices where this function is locked (but root is required)
I think, it's a useful thing, especially for webmasters and network administrators.
Get it from Google play: https://play.google.com/store/apps/details?id=net.snkey.networkhostmonitor
Please feel free to post all issues and feature requests here.
Update to version 1.9 released!
What's new:
added hosts export/import
tap on widget now runs application
improved graphics for logs view
added feedback menu
Install from Google play
Now version 2.2 released.
New features:
- added ability to set pause
- added ability to set description-based host list
- material design support for Android 5.0+
- workaround for notifications: expanded view in and hi priority in 4.1+, added custom colors for 5.0+
- multiple exit requests fixed
- few minor fixes and improvements
>TRACKERS< apk static analysis was already available, on android, with AddonsDetectors ; thanks to non-profit εxodus, we have an open source, multi-platform tool, to analyze embedded trackers in apk, on android & PCs, using dexdump.
With it, Rom-developers can scan their already built apps, like webview or Turbo (DeviceHealthServices Google LLC), to countercheck their 'integrity'.
Analysis is based on cross examination of εxodusJSON & dexdump*apk. On android, dexdump can be found in /system/bin https://exodus-privacy.eu.org/media/static_analysis.png
For Playstore installed apps only , you can straight use open-source εxodus.apk https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy, or directly query online.
On Android, check pilot apk ClassyShark3xodus.apk to cross-analyze classes with 361 Exodus' trackers; LongPress touch, on "launch-able (via icons)" packages_list, displays all full classes.
: added unique permission READ_EXTERNAL_STORAGE to scan *.apk, including ones not yet installed with any FileManager.
: included app_PackagesInfo.apk to scan ALL installed packages (via 2°screen/3dots)
: simple mime +fastscroll +icons
: sub-stats via About/3dots
: sharedUserid and permission.READ_LOGS detection
: search & basic quickToggle switch option
Edit : NOW ON F-Droid https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/
Press on class to get synthetic viewer.
No internet required + zero permissions !
KitKat: due to missing getCodeCacheDir()/api21 ClassySharks can crash after multiple successive attempts
On PCs with python3 (&virtualenv), check exodus-standalone to scan any kind of apps package: *apk.
Otherwise with bash (& attached aapt-dexdump_Linux64.tar.gz with lib64/libc++.so) and working grep -P (pcre) you can also perform any apk like (latest Playstore) firefox61.0.2:
./dexdump firefox.apk | grep "Class descriptor" | sed 's/ Class descriptor : //' | grep / | sed 's/\//./g' |sort | uniq > tt.txt
curl -s https://reports.exodus-privacy.eu.org/api/trackers | grep -Po '"code_signature":.*?[^\\]",' | sed 's/"code_signature": //' | sed 's/"",/".",/' | sed 's/|/",\n"/g' | sed 's/"//' | sed 's/",//' | sort | uniq | sed -n '1!p' | xargs -I {} grep {} tt.txt
or simply use attached today signatures :
cat signatures20182408.txt | xargs -I {} grep {} tt.txt
To get more info on apk :
./aapt d badging firefox.apk
On android copy firefox.apk on sdcard
cd sdcard && curl32 -s https://reports.exodus-privacy.eu.org/api/trackers | grep64 --buffer-size=10000K -o '"code_signature":.*?[^\\]",' | sed 's/"code_signature": //' | sed 's/"",/".",/' | sed 's/|/",\n"/g' | sed 's/"//' | sed 's/",//' | sort | uniq | sed -n '1!p' > signatures.txt
--> code signature of these trackers in firefox
Code:
Adjust...com.adjust.sdk. *41
Google Analytics...com.google.android.gms.analytics. *112
Google Firebase Analytics...com.google.android.gms.measurement. *125
LeanPlum...com.leanplum. *262
[εxodus-STANDALONE: python exodus_analyze.py firefox.apk]
Code:
=== Information
- APK path: firefox.apk
- APK sum: 31ca22d9977f14b0cf13fa0075ac2acc96070491086498819f1c9adbf92223a8
- App version: 61.0.2
- App version code: 2015574793
- App UID: 0992532694558859C09D4071243035F6FE5A20EC
- App name: Firefox
- App package: org.mozilla.firefox
- App permissions: 32
- android.permission.GET_ACCOUNTS
- android.permission.ACCESS_NETWORK_STATE
- android.permission.MANAGE_ACCOUNTS
- android.permission.USE_CREDENTIALS
- android.permission.AUTHENTICATE_ACCOUNTS
- android.permission.WRITE_SYNC_SETTINGS
- android.permission.WRITE_SETTINGS
- android.permission.READ_SYNC_STATS
- android.permission.READ_SYNC_SETTINGS
- org.mozilla.firefox_fxaccount.permission.PER_ACCOUNT_TYPE
- com.google.android.c2dm.permission.RECEIVE
- org.mozilla.firefox.permission.C2D_MESSAGE
- com.samsung.android.providers.context.permission.WRITE_USE_APP_FEATURE_SURVEY
- android.permission.CHANGE_WIFI_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_FINE_LOCATION
- android.permission.ACCESS_NETWORK_STATE
- android.permission.INTERNET
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.WRITE_EXTERNAL_STORAGE
- com.android.launcher.permission.INSTALL_SHORTCUT
- com.android.launcher.permission.UNINSTALL_SHORTCUT
- com.android.browser.permission.READ_HISTORY_BOOKMARKS
- android.permission.WAKE_LOCK
- android.permission.VIBRATE
- android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.NFC
- android.permission.RECORD_AUDIO
- android.permission.CAMERA
- Certificates: 1
- Issuer: countryName=US, stateOrProvinceName=California, localityName=Mountain View, organizationName=Mozilla Corporation, organizationalUnitName=Release Engineering, commonName=Release Engineering
Subject: countryName=US, stateOrProvinceName=California, localityName=Mountain View, organizationName=Mozilla Corporation, organizationalUnitName=Release Engineering, commonName=Release Engineering
Fingerprint: 920f4876a6a57b4a6a2f4ccaf65f7d29ce26ff2c
Serial: 1282604424
=== Found trackers: 4
- Google Firebase Analytics
- LeanPlum
- Google Analytics
- Adjust
./aapt d badging firefox.apk
Code:
package: name='org.mozilla.firefox' versionCode='2015574793' versionName='61.0.2' platformBuildVersionName=''
install-location:'internalOnly'
sdkVersion:'16'
targetSdkVersion:'23'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.MANAGE_ACCOUNTS'
uses-permission: name='android.permission.USE_CREDENTIALS'
uses-permission: name='android.permission.AUTHENTICATE_ACCOUNTS'
uses-permission: name='android.permission.WRITE_SYNC_SETTINGS'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.READ_SYNC_STATS'
uses-permission: name='android.permission.READ_SYNC_SETTINGS'
uses-permission: name='org.mozilla.firefox_fxaccount.permission.PER_ACCOUNT_TYPE'
uses-permission: name='com.google.android.c2dm.permission.RECEIVE'
uses-permission: name='org.mozilla.firefox.permission.C2D_MESSAGE'
uses-permission: name='com.samsung.android.providers.context.permission.WRITE_USE_APP_FEATURE_SURVEY'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission: name='com.android.launcher.permission.UNINSTALL_SHORTCUT'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.NFC'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
application-label:'Firefox'
application-label-af:'Firefox'
application-label-am:'Firefox'
application-label-an:'Firefox'
application-label-ar:'Firefox'
application-label-as:'Firefox'
application-label-ast:'Firefox'
application-label-az:'Firefox'
application-label-az-AZ:'Firefox'
application-label-be:'Firefox'
application-label-bg:'Firefox'
application-label-bn-BD:'Firefox'
application-label-bn-IN:'Firefox'
application-label-br:'Firefox'
application-label-bs:'Firefox'
application-label-ca:'Firefox'
application-label-cak:'Firefox'
application-label-cs:'Firefox'
application-label-cy:'Firefox'
application-label-da:'Firefox'
application-label-de:'Firefox'
application-label-dsb:'Firefox'
application-label-el:'Firefox'
application-label-en-AU:'Firefox'
application-label-en-GB:'Firefox'
application-label-en-IN:'Firefox'
application-label-en-ZA:'Firefox'
application-label-eo:'Firefox'
application-label-es:'Firefox'
application-label-es-AR:'Firefox'
application-label-es-CL:'Firefox'
application-label-es-ES:'Firefox'
application-label-es-MX:'Firefox'
application-label-es-US:'Firefox'
application-label-et:'Firefox'
application-label-et-EE:'Firefox'
application-label-eu:'Firefox'
application-label-eu-ES:'Firefox'
application-label-fa:'Firefox'
application-label-ff:'Firefox'
application-label-fi:'Firefox'
application-label-fr:'Firefox'
application-label-fr-CA:'Firefox'
application-label-fy-NL:'Firefox'
application-label-ga-IE:'Firefox'
application-label-gd:'Firefox'
application-label-gl:'Firefox'
application-label-gl-ES:'Firefox'
application-label-gn:'Firefox'
application-label-gu-IN:'Firefox'
application-label-hi:'Firefox'
application-label-hi-IN:'Firefox'
application-label-hr:'Firefox'
application-label-hsb:'Firefox'
application-label-hu:'Firefox'
application-label-hy-AM:'Firefox'
application-label-in:'Firefox'
application-label-is:'Firefox'
application-label-is-IS:'Firefox'
application-label-it:'Firefox'
application-label-iw:'Firefox'
application-label-ja:'Firefox'
application-label-ka:'Firefox'
application-label-ka-GE:'Firefox'
application-label-kab:'Firefox'
application-label-kk:'Firefox'
application-label-kk-KZ:'Firefox'
application-label-km-KH:'Firefox'
application-label-kn:'Firefox'
application-label-kn-IN:'Firefox'
application-label-ko:'Firefox'
application-label-ky-KG:'Firefox'
application-label-lo:'Firefox'
application-label-lo-LA:'Firefox'
application-label-lt:'Firefox'
application-label-lv:'Firefox'
application-label-mai:'Firefox'
application-label-mk-MK:'Firefox'
application-label-ml:'Firefox'
application-label-ml-IN:'Firefox'
application-label-mn-MN:'Firefox'
application-label-mr:'Firefox'
application-label-mr-IN:'Firefox'
application-label-ms:'Firefox'
application-label-ms-MY:'Firefox'
application-label-my:'Firefox'
application-label-my-MM:'Firefox'
application-label-nb:'Firefox'
application-label-nb-NO:'Firefox'
application-label-ne-NP:'Firefox'
application-label-nl:'Firefox'
application-label-nn-NO:'Firefox'
application-label-oc:'Firefox'
application-label-or:'Firefox'
application-label-pa-IN:'Firefox'
application-label-pl:'Firefox'
application-label-pt:'Firefox'
application-label-pt-BR:'Firefox'
application-label-pt-PT:'Firefox'
application-label-rm:'Firefox'
application-label-ro:'Firefox'
application-label-ru:'Firefox'
application-label-si-LK:'Firefox'
application-label-sk:'Firefox'
application-label-sl:'Firefox'
application-label-son:'Firefox'
application-label-sq:'Firefox'
application-label-sq-AL:'Firefox'
application-label-sr:'Firefox'
application-label-sv:'Firefox'
application-label-sv-SE:'Firefox'
application-label-sw:'Firefox'
application-label-ta:'Firefox'
application-label-ta-IN:'Firefox'
application-label-te:'Firefox'
application-label-te-IN:'Firefox'
application-label-th:'Firefox'
application-label-tl:'Firefox'
application-label-tr:'Firefox'
application-label-trs:'Firefox'
application-label-uk:'Firefox'
application-label-ur:'Firefox'
application-label-ur-PK:'Firefox'
application-label-uz:'Firefox'
application-label-uz-UZ:'Firefox'
application-label-vi:'Firefox'
application-label-wo:'Firefox'
application-label-xh:'Firefox'
application-label-zam:'Firefox'
application-label-zh-CN:'Firefox'
application-label-zh-HK:'Firefox'
application-label-zh-TW:'Firefox'
application-label-zu:'Firefox'
application-icon-160:'res/drawable-hdpi-v4/icon.png'
application-icon-213:'res/drawable-hdpi-v4/icon.png'
application-icon-240:'res/drawable-hdpi-v4/icon.png'
application-icon-320:'res/drawable-xhdpi-v4/icon.png'
application-icon-480:'res/drawable-xxhdpi-v4/icon.png'
application-icon-640:'res/drawable-xxxhdpi-v4/icon.png'
application-icon-65535:'res/drawable-xxxhdpi-v4/icon.png'
application: label='Firefox' icon='res/drawable-hdpi-v4/icon.png'
feature-group: label=''
uses-gl-es: '0x20000'
uses-feature-not-required: name='android.hardware.audio.low_latency'
uses-feature-not-required: name='android.hardware.camera'
uses-feature-not-required: name='android.hardware.camera.any'
uses-feature-not-required: name='android.hardware.camera.autofocus'
uses-feature-not-required: name='android.hardware.location'
uses-feature-not-required: name='android.hardware.location.gps'
uses-feature-not-required: name='android.hardware.microphone'
uses-feature-not-required: name='android.hardware.nfc'
uses-feature: name='android.hardware.touchscreen'
uses-feature: name='android.hardware.wifi'
uses-implied-feature: name='android.hardware.wifi' reason='requested android.permission.ACCESS_WIFI_STATE permission, and requested android.permission.CHANGE_WIFI_STATE permission'
main
other-activities
other-receivers
other-services
supports-screens: 'small' 'normal' 'large' 'xlarge'
supports-any-density: 'true'
locales: '--_--' 'af' 'am' 'an' 'ar' 'as' 'ast' 'az' 'az-AZ' 'be' 'bg' 'bn-BD' 'bn-IN' 'br' 'bs' 'ca' 'cak' 'cs' 'cy' 'da' 'de' 'dsb' 'el' 'en-AU' 'en-GB' 'en-IN' 'en-ZA' 'eo' 'es' 'es-AR' 'es-CL' 'es-ES' 'es-MX' 'es-US' 'et' 'et-EE' 'eu' 'eu-ES' 'fa' 'ff' 'fi' 'fr' 'fr-CA' 'fy-NL' 'ga-IE' 'gd' 'gl' 'gl-ES' 'gn' 'gu-IN' 'hi' 'hi-IN' 'hr' 'hsb' 'hu' 'hy-AM' 'in' 'is' 'is-IS' 'it' 'iw' 'ja' 'ka' 'ka-GE' 'kab' 'kk' 'kk-KZ' 'km-KH' 'kn' 'kn-IN' 'ko' 'ky-KG' 'lo' 'lo-LA' 'lt' 'lv' 'mai' 'mk-MK' 'ml' 'ml-IN' 'mn-MN' 'mr' 'mr-IN' 'ms' 'ms-MY' 'my' 'my-MM' 'nb' 'nb-NO' 'ne-NP' 'nl' 'nn-NO' 'oc' 'or' 'pa-IN' 'pl' 'pt' 'pt-BR' 'pt-PT' 'rm' 'ro' 'ru' 'si-LK' 'sk' 'sl' 'son' 'sq' 'sq-AL' 'sr' 'sv' 'sv-SE' 'sw' 'ta' 'ta-IN' 'te' 'te-IN' 'th' 'tl' 'tr' 'trs' 'uk' 'ur' 'ur-PK' 'uz' 'uz-UZ' 'vi' 'wo' 'xh' 'zam' 'zh-CN' 'zh-HK' 'zh-TW' 'zu'
densities: '160' '213' '240' '320' '480' '640' '65535'
native-code: 'armeabi-v7a'
For odex /system packages; check
-PC: {baksmali list classes} on *.odex or {dextra} on *.vdex http://newandroidbook.com/tools/dextra.html
-android: {oatdump --oat-file=} on *.odex
For android check attached Magisk systemless module with aapt32 curl32 (curl 7.43.0-DEV Android 6.0.1 armv7-a-neon) and grep64 (pcre2grep version 10.22 2016-07-29)
More info for: "tracking software on smartphones" https://theintercept.com/2017/11/24...stine-trackers-found-in-popular-android-apps/
Related tools: https://github.com/ashishb/android-security-awesome
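Added example (not part of the original post, nor Exodus or ClassyShark code): the dexdump + signature matching pipeline from the post above, redone in Python so it runs offline on embedded samples. The JSON field layout, the sample dexdump lines, the "Example ..." trackers and the literal_prefix option are assumptions made for this illustration; the four real signatures are the ones listed in the post.

```python
import json
import re

# Constructed sample shaped like the tracker list the post greps for
# "code_signature" (field layout is an assumption for this example).
SAMPLE_TRACKERS_JSON = json.dumps({
    "trackers": {
        "1": {"name": "Adjust", "code_signature": "com.adjust.sdk."},
        "2": {"name": "Google Analytics",
              "code_signature": "com.google.android.gms.analytics."},
        "3": {"name": "Google Firebase Analytics",
              "code_signature": "com.google.android.gms.measurement."},
        "4": {"name": "LeanPlum", "code_signature": "com.leanplum."},
        # Constructed entries: "|"-separated alternatives and an empty
        # signature (an empty pattern would match every class if kept).
        "5": {"name": "Example Multi",
              "code_signature": "com.example.ads.|com.example.metrics."},
        "6": {"name": "Example Empty", "code_signature": ""},
    }
})

# Constructed dexdump excerpt (only the lines the pipeline cares about).
SAMPLE_DEXDUMP = """\
Class #0            -
  Class descriptor  : 'Lcom/adjust/sdk/ActivityHandler;'
  Access flags      : 0x0001 (PUBLIC)
Class #1            -
  Class descriptor  : 'Lcom/leanplum/Leanplum;'
Class #2            -
  Class descriptor  : 'Lorg/mozilla/gecko/GeckoApp;'
Class #3            -
  Class descriptor  : 'Lcom/google/android/gms/measurement/AppMeasurement;'
Class #4            -
  Class descriptor  : 'Lorg/mozilla/comXadjustXsdkX/Decoy;'
Class #5            -
  Class descriptor  : 'LNoPackage;'
"""

DESCRIPTOR_RE = re.compile(r"Class descriptor\s*:\s*'L([^;']+);'")


def classes_from_dexdump(text):
    """Return sorted, unique dotted class names that live in a package."""
    names = set()
    for match in DESCRIPTOR_RE.finditer(text):
        path = match.group(1)
        if "/" in path:  # same effect as the `grep /` step in the post
            names.add(path.replace("/", "."))
    return sorted(names)


def load_signatures(trackers_json):
    """Map tracker name -> list of non-empty signature alternatives."""
    signatures = {}
    for entry in json.loads(trackers_json)["trackers"].values():
        # Split on "|" like the sed step; drop empty alternatives.
        alts = [a for a in entry.get("code_signature", "").split("|") if a]
        if alts:
            signatures[entry["name"]] = alts
    return signatures


def find_trackers(classes, signatures, literal_prefix=False):
    """Return {tracker name: [matching classes]}.

    Default mode mirrors `grep`: each signature is a regex searched anywhere
    in the class name, so "." matches any character.
    literal_prefix=True (an added option, not Exodus behaviour) treats the
    signature as a plain package prefix, which removes lookalike matches.
    """
    hits = {}
    for name, alts in signatures.items():
        if literal_prefix:
            matched = [c for c in classes
                       if any(c.startswith(a) for a in alts)]
        else:
            patterns = [re.compile(a) for a in alts]
            matched = [c for c in classes
                       if any(p.search(c) for p in patterns)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    found = find_trackers(classes_from_dexdump(SAMPLE_DEXDUMP),
                          load_signatures(SAMPLE_TRACKERS_JSON))
    for tracker, matched in sorted(found.items()):
        print(f"{tracker}: {len(matched)} class(es)")
        for cls in matched:
            print(f"    {cls}")
```
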
So you make this app now on fdroid? Could there be a way to have it also display all classes not already defined.
Like, 2 options:
1- show classes detected by Exodus signatures
2- show classes not detected by Exodus signatures
and not com.android.*
and not com.google.*
and not com.firstpartypackage.*
And then a search option
That would be like a way to find new stuff.
Oh, and another complementary tool you might be interested in is called Dexplorer
https://play.google.com/store/apps/details?id=com.dexplorer
I love that you made this. Its raw output and styling give a feel that "I'm analyzing something" and "wow! Look at all of that crap!"
The only thing I might change on the branding is the icon and name. The only reason I recognized it was because it had Exodus in the name. Maybe 10 other people in the world would make that connection. Just an opinion.
Or give it a snazzy tagline like "The World Famous Zuckerberg NSA Cryptominer Detector- GDPR Edition". That will turn heads.
Thanks!
ClassySharkExodus upgrade to latest ExodusPrivacy database is on the go on F-Droid: 202
More info https://gitlab.com/oF2pks/3xodusprivacy-toolbox
LongPress gives access to all classes.
jawz101 said:
...
show classes not detected by Exodus signatures
...
And then a search option
...
For xda Only, attached in first post is edition with search option; also attached is app_PackagesInfo which includes additional full scan option (plus sorted permissions, with '=3' when granted). I will finalize these cosmetics on F-Droid later.
@jawz101 , btw; Etip Exodus wip database is now accessible: https://etip.exodus-privacy.eu.org/trackers/export , thx for your previous extractions.
EDIT : added basic quick Toggle to switch between full & Exodus classes list without recalculation.
Just discovered this on fdroid. Cool app
Hello
ClassyShark3xodus conflicts with PackageInstaller when opening an APK. It asks every time if I want to open with PackageInstaller or ClassyShark3xodus even though I choose Always for PackageInstaller. There are no defaults set for ClassyShark3xodus and defaults are set for PackageInstaller.
I'm using ClassyShark3xodus 1.0-7 from F-Droid on my OnePlus 7 Pro (see sig).
yochananmarqos said:
ClassyShark3xodus conflicts with PackageInstaller when opening an APK. It asks every time if I want to open with PackageInstaller or ClassyShark3xodus even though I choose Always for PackageInstaller. There are no defaults set for ClassyShark3xodus and defaults are set for PackageInstaller.
I'm using ClassyShark3xodus 1.0-7 from F-Droid on my OnePlus 7 Pro (see sig).
For the conflict, it is solely related to manifest intent declaration : https://bitbucket.org/oF2pks/fdroid...oid/app/src/main/AndroidManifest.xml#lines-34.
Uninstall ClassyShark and try F-Droid safe Stanley app (same process intent) to countercheck your PackageInstaller behaviour.
If you don't have Magisk installed, then it looks like a bug in Oneplus rom: ClassyShark (& Stanley) doesn't use any privileged rights (conversely to PackageInstaller) nor su; I suggest a bug report on Oneplus forum (?).
With Magisk "remounts", it's possible PackageInstaller get loose : give a try to foss GhostCommander to check what happens with [OpenWith] .apk option and PackageInstaller selected.
btw I wish you could post on xda the json of OP7pro from my deviceInfos fdroid app https://forum.xda-developers.com/android/apps-games/appfoss-googleserviceframework-gsf-t3849908 ; so I could see OP7pro generics (they are no private infos in the json).
oF2pks said:
For the conflict, it is solely related to manifest intent declaration : https://bitbucket.org/oF2pks/fdroid...oid/app/src/main/AndroidManifest.xml#lines-34.
Uninstall ClassyShark and try F-Droid safe Stanley app (same process intent) to countercheck your PackageInstaller behaviour.
If you don't have Magisk installed, then it looks like a bug in Oneplus rom: ClassyShark (& Stanley) doesn't use any privileged rights (conversely to PackageInstaller) nor su; I suggest a bug report on Oneplus forum (?).
With Magisk "remounts", it's possible PackageInstaller get loose : give a try to foss GhostCommander to check what happens with [OpenWith] .apk option and PackageInstaller selected.
btw I wish you could post on xda the json of OP7pro from my deviceInfos fdroid app https://forum.xda-developers.com/android/apps-games/appfoss-googleserviceframework-gsf-t3849908 ; so I could see OP7pro generics (they are no private infos in the json).
No, I don't have Magisk installed. I'm waiting on my unlock code.
I attached the json file from Kaltura.
yochananmarqos said:
No, I don't have Magisk installed. I'm waiting on my unlock code.
I attached the json file from Kaltura.
(thx for json, I wish more xda users could throw their json so I could update the app: initially, I thought xda could be interested to settle a global coherent central database (for forums headers ? @MikeChannon ) to help cross-development through similar devices (OEM kernel , soc ...)).
I have uploaded new softened ClassyShark3xodus(202) in post#1 ; normally Oneplus PackageInstaller.apk should use this in manifest:
<intent-filter android:priority="1-99">
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.INSTALL_PACKAGE" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:scheme="content" />
    <data android:scheme="file" />
    <data android:mimeType="application/vnd.android.package-archive" />
</intent-filter>
you can check apk's manifest.xml (and many more...) with attached app_PackagesInfo-debug13.apk.
NEW in xda/debug post#1:
ClassyShark3xodus : file sha256 (as shown in fdroid' index.xml)
app_PackagesInfo : signature decryption cert with sha1/256
Awesome project, please keep it up! Exodus is good, but too slow to run from phone, and it only works with apps from PlayStore. Regards.
Suggestions
I'm poking through the apps on my system, but it took me a while to find the legend; I expected the first menu item to be a list of supported trackers, not a general about popup. Having looked at it for a while now, I've got a large number of comments regarding issues, usability, style, observations, suggestions, etc. Most of them are fairly minor, just renaming menu items and small tweaks for usability, but some documentation is needed in-app.
1. rename menu item to 'about'
2. move legend to its own menu item (Related: 1, 2, 11, 14)
3. format the legend text so it appears the same as the items in the main screen (or use a picture) (Related: 2, 11, 14)
4. change the urls in the about menu to be clickable
5. don't highlight package names in white, it looks weird
6. for gray background on system apps, make the entire background (margins/padding) of the outer element gray, not just the text part. Alternatively, just change the text color.
7. consider making the popup screen when tapping an app into a horizontally scrollable view; the hashes/fingerprints don't have to break onto a separate line from the label sha256.
8. add margins to the screen that pops up on tap; after the loading animation goes away, the letters seem to be only 1px from the window edge, there should be a border of at least 5px around the entire window
9. Changing the sort method should be labeled as such, I didn't know the funny arrow meant sort until I tapped it
10. The 'super' label in the menu makes no sense. It should be renamed to Permissions or PackageInfo or Trackers or some such, depending on the view.
11. In PackageInfo view, there should be something to explain the asterisk and snowflake before the permission label, as well as the ^✓ after it. The nulls should be removed. Consider changing this entire section to a table with headers (*, ☸, permission, group, dangerous, instant, privileged, development, appop, preinstalled, etc) with an explanation of exactly what dangerous, development, *, ☸, and other less obvious terms mean, either on-tap or in a legend somewhere. (Related: 14, 2)
12. When you tap an app, the information should be cached until the app is closed, to prevent waiting for the work to be done again.
13. PackageInfo and manifest should be exportable (Related: 15, 17)
14. Legend for the list of trackers symbols (°, ?, ², μ) (Related: 11, 2)
15. Having a full package explorer is hardly necessary, but it might be nice to be able to unzip the apk to the sdcard for exploring with another app, along with the list of trackers found in the app and the list of activities, other metadata. (Related: 13, 17)
16. Firefox Nightly (org.mozilla.fennec_aurora) shows up as having a shared userid, however the package it lists (org.mozilla.fennec.sharedID) doesn't appear to be installed. The other Mozilla apps installed are Klar (org.mozilla.klar), Firefox Lite (org.mozilla.rocket), and Firefox Preview (org.firefox.fenix), none of which are shown as sharing userids.
17. I can't make selections to copy from various popups to the clipboard. (Related: 13, 15, 16)
18. After processing an app, save the results for it (more than just #12) until the app is updated.
19. After processing an app, update the main view; maybe have different symbols or app colors to indicate if an app has been analyzed, and further if any signatures were found.
Yes, it's a long list. Feel free to ignore me, I won't get offended.
New version uploaded: ClassyShark3xodus216-debugSoft.apk with latest Exodus database (216) update and dynamic|☢ androidManifest.xml for primary screen (longclick), 2nd screen will still use static|✇ parser. (more info: https://forum.xda-developers.com/showpost.php?p=80190710&postcount=5798)
@yochananmarqos , this xda edition is softened, can you confirm if working on Oneplus7 without interfering with PackageInstaller.apk ?
App_PackagesInfo is also updated with same manifest dynamic1/static2 behavior.
hi @Efreak2004 , sorry for the delay and thanks for your interest; here are a few I can tell:
-11 In PackageInfo view, there should be something to explain the asterisk and snowflake before the permission label, as well as the ^✓ after it. The nulls should be removed. Consider changing this entire section to a table with headers (*, ☸, permission, group, dangerous, instant, privileged, development, appop, preinstalled, etc) with an explanation of exactly what dangerous, development, *, ☸, and other less obvious terms mean, either on-tap or in a legend somewhere. (Related: 14, 2)
indeed , I have to finalize that with 7#
-12 When you tap an app, the information should be cached until the app is closed, to prevent waiting for the work to be done again.
the app generates extra-huge cache (~Gb): I even decided to use a "brute force" removal of them.
-13 PackageInfo and manifest should be exportable (Related: 15, 17)
use longpress 11#
-14 Legend for the list of trackers symbols (°, ?, ², μ) (Related: 11, 2)
https://gitlab.com/oF2pks/3xodusprivacy-toolbox
° for missing: Amazon new active tracker AWS Kinesis is missing
² for Etip stand-by: Mozilla/Telemetry is now in Etip https://etip.exodus-privacy.eu.org/
µ for micro non-intrusive: Acra;
? when uncertain.
(will be added to menu.)
-15 Having a full package explorer is hardly necessary, but it might be nice to be able to unzip the apk to the sdcard for exploring with another app, along with the list of trackers found in the app and the list of activities, other metadata. (Related: 13, 17)
use apps_packages Infos attached in post #1 or https://f-droid.org/en/packages/com.oF2pks.applicationsinfo/
my idea is also to dub with Chairlock (with root/su possible permission removal and more...). I may add this functionality; Xplore already do that.
-16 Firefox Nightly (org.mozilla.fennec_aurora) shows up as having a shared userid, however the package it lists (org.mozilla.fennec.sharedID) doesn't appear to be installed. The other Mozilla apps installed are Klar (org.mozilla.klar), Firefox Lite (org.mozilla.rocket), and Firefox Preview (org.firefox.fenix), none of which are shown as sharing userids.
this is Mozilla decision : I show these, because permissions can be silently granted to others apps that would use same sharedID; in case of Firefox, sharedID is defined but doesn't seem to be used by any other(?).
-17 I can't make selections to copy from various popups to the clipboard. (Related: 13, 15, 16)
use longpress in SubTotals (others popups are wip 11#)
-18 After processing an app, save the results for it (more than just #12) until the app is updated.
(the app generates extra-huge cache (~Gb): I even use a "brute force" removal of them. ) extensive analysis should be done with dexdump (or other) command https://gitlab.com/oF2pks/3xodusprivacy-toolbox ,
-19 After processing an app, update the main view; maybe have different symbols or app colors to indicate if an app has been analyzed, and further if any signatures were found.
(the app generates extra-huge cache (~Gb): I even use a "brute force" removal of them. ) will never have enough "free" time for that : imho, such behavior should be part of aosp inner rom (omnirom ?).
oF2pks said:
this xda edition is softened, can you confirm if working on Oneplus7 without interfering with PackageInstaller.apk ?
Confirmed.
Sent from my OnePlus 7 Pro using XDA Labs
willing to develop App_PackagesInfo further? I'd suggest some simple yet "cool" menu additions: enable/disable app, view in Yalp or Play Market (in addition to F-Droid) and (maybe) stop the app.
And also not so trivial: adding apps lists to save and load just as https://f-droid.org/wiki/page/com.projectsexception.myapplist.open does.
What does it mean if the application name is displayed in orange, and what if in black (most names are black)?
Exodus database new release (eof269)
New soft (no [android:scheme="content"]) build is up in #1st post, Exodus database new release (eof269): 344 (304+40 signatures for 258+34 recensed trackers.)
(this debug edition is now using xdaShark3xodus name since eof236)
CubaoX said:
What does it mean if the application name is displayed in orange, and what if in black (most names are black)?
Devs can decide to define/use a common [ShareUserId] for multiple apps (with also same cert); thus permissions declared & granted in one app can be silently acquired in others using that same ShareUserId: these apps with ShareUserId activated, are shown in orange with corresponding string.
General doc is "behind" primary line in 3dots' 1st screen : tap on {344 exoTrackers(292)}.
ildar_prophet said:
willing to develop App_PackagesInfo further? ...
@ildar_prophet further improvements will move to Chairlock https://forum.xda-developers.com/android/apps-games/appfoss4-1-chairlock-complete-t3956991
Exodus database new release (eof357)
@SkandaH (@MishaalRahman ) following latest xda#news on appZygote/Selinux, I've uploaded up-to-date ClassyShark3xodus_357 with appZygote service detection : if any, a toast will popup at start & refresh and service name will also be displayed in 2nd screen (apk sub-totals).
post#1: https://forum.xda-developers.com/attachments/classyshark3xodus357-debugsoft-apk.5224635/
Following https://cs.android.com/search?q=FLAG_USE_APP_ZYGOTE , such isolated process is documented in frameworks/base/framework-minus-apex/android_common/xref30/srcjars.xref/com/android/internal/R.java as:
/**
* <p>
* @ attr description
* If true, and this is an {@link android.R.attr#isolatedProcess} service, the service
* will be spawned from an Application Zygote, instead of the regular Zygote.
* <p>
* The Application Zygote will first pre-initialize the application's class loader. Then,
* if the application has defined the {@link android.R.attr#zygotePreloadName} attribute,
* the Application Zygote will call into that class to allow it to perform
* application-specific preloads (such as loading a shared library). Therefore,
* spawning from the Application Zygote will typically reduce the service
* launch time and reduce its memory usage. The downside of using this flag
* is that you will have an additional process (the app zygote itself) that
* is taking up memory. Whether actual memory usage is improved therefore strongly
* depends on the number of isolated services that an application starts,
* and how much memory those services save by preloading and sharing memory with
* the app zygote. Therefore, it is recommended to measure memory usage under
* typical workloads to determine whether it makes sense to use this flag.
*
* <p>May be a boolean value, such as "<code>true</code>" or
* "<code>false</code>".
*
* @ attr name android:useAppZygote
*/
public static final int AndroidManifestService_useAppZygote=18;
(Let me know of any suggestions for upcoming official release on F-Droid.)
@yochananmarqos , I fixed bugs on this xda debug flavor: screen shortcuts and *.apk file direct scanning via GhostCommander/OpenWith (since Manifest is softened...)
Hi, @oF2pks!
Thank you for your ClassyShark3xodus app!
I downloaded it from F-droid, and have been using it on a Note9/Android 10 & Note20 Ultra/Android 11. It is an awesome utility to find out what apps are doing on your phone!
What are "Permissions: misses" (in the "Super" panel, listed in the three-button menu)?
Thanks!
Exodus database new release (eof422)
New soft (no android:scheme="content") build is up in #1st post, Exodus database new release (eof422): 528+34 signatures for 403+31 identified trackers.
Nota: you have to uninstall previous xda debug flavor due to signature change for it, in AndroidStudio (_ArticFox ?).
jsusang said:
...What are "Permissions: misses" (in the "Super" panel, listed in the three-button menu)?
...
These are declared permissions in an apk that are missing on your device for both global framework-res.apk (Android) & all other installed apps.
As example, on android11, Playstore (com.android.vending) will miss android.permission.BLUETOOTH_SCAN which only appears in android12/framework-res.apk (like ~17 new others in API level 31)
Some can also miss because of deprecation like android.permission.ACCESS_SUPERUSER.
As for "Permissions: duplicates", be aware the result depends on the active filter: only relevant when Permissions are sorted by Name...
Hi, @oF2pks!
When I open Classyshark (https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/), this toast message appears from AppZygote:
Code:
appZygote:
com.android.chromeorg.chromium.content.app.SandboxedProcessService0
I have a Samsung smartphone with Android 11.
What is the meaning of this warning? Did I install a hacked apk? Did I get malware or something like that? I downloaded it from f-droid.
Utility for background calibration, curation and tuning of the device towards an intuitive interface.
Subsystems being battery, entropy, encryption, disk, cpu, memory, filesystem, ui, scheduler, and network, all safe and open source technology.
Presented in this educational gaming metric format with infinite feedback and an interestingly asymmetric chance. Scribble anywhere, check in some stress, or find the 8!
waut.ch! does one hope to receive from this?
Well, increasing degrees and amounts of a certain "Je ne sais quoi" or responsiveness from the user interface for a start. Better battery life perhaps. Better quality of life, maybe.
And waut.ch! can only perhaps be described as "A qualified quantification of the placebo effect"
waut.ch! might benefit from this?
In the Android device space:
Designers
Users
Manufacturers
Recyclers
Developers
Compilers
Support personnel
OEMs
The Friendly Neighborhood Nerd/Technician.
“Make the most of yourself....for waut.ch! is all there is of you.” - Ralph Waldo Emerson ( paraphrase )
All along the waut.ch! tower - Bob Dylan
waut.ch! - Sometimes used in some colloquium as "watch!", keen upon reducing the TDP of mobile devices to 1.0 watt!
ARM variants of Android only Donut 1.6+
Please uninstall either Seeder or CrossBreeder prior to using this.
Root recommended, else reactivity metric is interesting and introduces uniqueness into the entropy pool anyway. Metric may demonstrate a certain asymmetry that is expected from predictable human actions. Efforts have been made to remove time seed logic from haveged in order to improve upon encryption and system-wide performance and security.
Also numerous other subsystems require careful calibration to facilitate this process.
Rewritten code, subset of functionality for upstream project - CrossBreeder ( https://forum.xda-developers.com/showthread.php?t=2113150 )
Please feel free to view and analyze source and functionality and report bugs and discuss etc on the XDA forum:
( https://forum.xda-developers.com/android/apps-games/app-waut-ch-calibration-android-t3549967 )
Google Play store:
( https://play.google.com/store/apps/details?id=ch.waut )
Please visit: /data/data/ch.waut/files/bin on the device itself for partial shell source code and XDA Downloads section and Github for full source code.
Reboot at convenience liberally or sparingly to reseed the entropy pool or as is known in common parlance, for good luck!
Thanks.
Haveged source code:
https://github.com/Openand-I/haveged
Adhoc Payment URL to support development efforts : https://paypal.me/openand/10
Frappe ( "free-paid" ) same-version to support development efforts : http://waut.ch
Custom haveged source code as used in this piece of software: https://github.com/Openand-I/haveged
=====
Version Name: 59a6333e-9ed9-43f8-8dad-51ed46c17e28
cb.sh: cache pressure - 500
cb_io.sh: read_ahead - 0
cb_io.sh: nr_requests - 0
$ md5sum *.apk
661c30b02b2321300624af98feaa5bad *145-waut.ch.apk
661c30b02b2321300624af98feaa5bad *oi.apk
$ sha256sum *.apk
6d23b8da87dc5516583a55a3203c9f5068ea8fe8765ece489080ef663c8aee15 *145-waut.ch.apk
6d23b8da87dc5516583a55a3203c9f5068ea8fe8765ece489080ef663c8aee15 *oi.apk
https://github.com/Openand-I/haveged
https://github.com/openand-inc/waut.ch
https://forum.xda-developers.com/devdb/project/?id=19218#downloads
https://forum.xda-developers.com/android/general/app-waut-ch-calibration-android-version-t3858365
https://github.com/openand-inc/waut.ch/raw/master/oi.apk
https://github.com/openand-inc/waut.ch/raw/master/145-waut.ch.apk
------------------
Recommended:
- ntp: automatic system time update from internet is enabled.
please check the clock and fiddle around with the timezone settings in case of any issues. one may need to set the timezone manually.
then simply run the app to initiate a time sync
the network time sync happens at around 3am. so the time to check is in the morning.
- Please disable mount namespace separation in the superuser app to take advantage of the mount optimisations.
- Reboot once and occasionally to reseed the entropy pool. It's good luck!
- Do ensure that the waut.ch service has started upon reboot. Just run if it doesn't start it automatically!
Note: Please note that the haveged binary in the APK is a static binary and works on both PIE and non-PIE environments. It is also UPX compressed. UPX for Android didn't compile. So UPX for linux was used to compress the executable file. It is an elegant solution as both on disk and in memory space(?) is reduced by 70% per executable. One is welcome to decompress the file using 'upx -d'.
Full source code is provided on Github and build scripts are attached here and on Github.
There is no license required to both install the app or distribute it, both within the developer ROM community or in commercial form. Adhoc payment URL to support development - https://www.paypal.me/openand/10
Again do note that the license to use the APP and source code is free worldwide and irrevocable in full or partial form. All other open source components simply inherit their license. But under no circumstances is any use thereof legally binding or relevant.
--------
Utility for background calibration, curation and tuning of the device towards an intuitive interface.
Subsystems being battery, entropy, encryption, disk, cpu, memory, filesystem, ui, scheduler, and network, all safe and open source technology.
Presented in this metric format with infinite feedback and an interestingly asymmetric chance. Scribble anywhere, check in some stress, or get lucky for that matter!
-----
ARM variants of Android only Donut 1.6+ ( should even be compatible with the latest ARM Android 9+ )
Please uninstall either Seeder or CrossBreeder prior to using this. And other "mods" or "tweaks".
Root recommended, else reactivity metric is interesting and introduces uniqueness into the entropy pool anyway. Metric may demonstrate a certain asymmetry that is expected from predictable human actions. Efforts have been made to remove time seed logic from haveged in order to improve upon encryption and system-wide performance and security.
Also numerous other subsystems require careful calibration to facilitate this process.
Rewritten code, subset of functionality for upstream project - CrossBreeder ( https://forum.xda-developers.com/showthread.php?t=2113150 )
Please feel free to view and analyze source and functionality and report bugs and discuss etc on the XDA forum:
( https://forum.xda-developers.com/android/apps-games/app-waut-ch-calibration-android-version-t3858365 )
Google Play store:
( https://play.google.com/store/apps/details?id=ch.waut )
Please visit: /data/data/ch.waut/files/bin on the device itself for partial shell source code and XDA Downloads section and Github for full source code.
The app will amongst other maintenance tasks tune sqlite databases regularly and reseed the entropy pool or as is known in common parlance, for good luck!
Thanks.
Payment URL: https://paypal.me/openand/10
XDA:DevDB Information
waut.ch!, App for all devices (see above for details)
Contributors
idcrisis
Source Code:
https://github.com/Openand-I/haveged
https://github.com/openand-inc/waut.ch
https://forum.xda-developers.com/devdb/project/?id=19218#downloads
Previous Version Information - 144
305bd30f-0c8a-40d8-baf5-330c68f62d51
Status: Stable
Created 2017-01-01
Last Updated 2020-08-18
$ md5sum *.apk
8ea8e8c132a584767a12e394f7975654 *144-waut.ch.apk
8ea8e8c132a584767a12e394f7975654 *oi.apk
$ sha256sum *.apk
4925066a106c83b18ac6e563f03331c56b72777e66973db591c9776d706595e3 *144-waut.ch.apk
4925066a106c83b18ac6e563f03331c56b72777e66973db591c9776d706595e3 *oi.apk
https://github.com/Openand-I/haveged
https://github.com/openand-inc/waut.ch
https://github.com/openand-inc/waut.ch/raw/master/oi.apk
https://github.com/openand-inc/waut.ch/raw/master/144-waut.ch.apk
-----
Version notes:
haveged: static non upx binary used
cb.sh: lock fixes
Recommended:
- ntp: automatic system time update from internet is enabled.
please check the clock and fiddle around with the timezone settings in case of any issues. one may need to set the timezone manually.
then simply run the app to initiate a time sync
the network time sync happens at around 3am. so the time to check is in the morning.
- Please disable mount namespace separation in the superuser app to take advantage of the mount optimisations.
- Reboot once and occasionally to reseed the entropy pool. It's good luck!
- Do ensure that the waut.ch service has started upon reboot. Just run if it doesn't start it automatically!
Please support development, simply use https://paypal.me/openand/10 or the payment URL.
Or you can simply buy the "frappe" ( free-paid ) version of the app: http://waut.ch
Issues:
- superuser - Please disable mount namespace separation in the superuser app ( for optional but recommended mount options ). Also please revisit the app entry inside the superuser app to ensure the waut.ch service can run on boot unattended. One can see the logs on another day to ensure that the scheduler ran correctly in the night.
- Non root users - User Interface can help in clearing the random device. Please try and obtain root to avail of most features
- Some Samsung users - One is also requested to raise a ticket with Samsung who may be running old PE detection rules that flag any compressed EXE.
- x64 users - Reports are that the binaries run on 64 bit as they are static! Please compile one's variant of the binary if required. Entropy generation removes CPU jitter and hence runs cooler and more secure.
- Intel users - User Interface can help in clearing the random device. Please compile one's variant of the binary if required. Entropy generation removes CPU jitter and hence runs cooler and more secure.
- Maintenance scheduler VACUUMS and INDEXES "ALL" SQLITE databases. Some folks may not like that. But given that they're not in WAL mode anyway, it's a bottleneck worth removing safely.
- There is a concerned effort to state that 32-bit ARM Android Go/One < 1 GB RAM devices are all that's required for long term functioning. Higher no issues.
- Please try and use a heap size of 96MB. Ideally this should be done in the build. Perhaps in the data build.prop one day!
- Please clear cache or factory reset upon issues to gain at least another year of MTTR ( Mean Time To Recovery ) for each device.
Thank you!
License concerns:
haveged - inherited - https://github.com/Openand-I/haveged
busybox - inherited - https://github.com/openand-inc/busybox
- Busybox simple extract, possibly edit the .config file in 'vi' and type 'make'
The requisite tools are installed using:
apt-get install gcc-arm-linux-gnueabi
apt-get install libncurses5-dev
apt-get install gawk
The following is a step in another direction as the 'make' command works perfectly after extraction, but this is provided for posterity:
wget http://busybox.net/downloads/busybox-1.24.1.tar.bz2
tar -xjf busybox-1.24.1.tar.bz2
cd busybox-1.24.1/
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- defconfig
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- menuconfig
At the menu, you can configure BusyBox options. Once configured, you can build BusyBox:
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi-
sqlite3 - inherited - https://github.com/openand-inc/sqlite
waut.ch - 'none', non legally binding, and non legally relevant on a worldwide scale and irrevocable ( derived works are allowed to add their own licenses as long as the import ( meaning ) of the phrase "non legally binding and non legally relevant" is implied throughout ( not required to include text at all )) and does not reflect upon future updates of this software in any manner adversely.
Version 61
vfs cache pressure set to 0
/dev/random used instead of custom /dev/entropy/random
windows mgr max events per second set to 30
$ md5sum 61-waut.ch.apk
0df57b364b16c628bd4859fe44818c72 61-waut.ch.apk
$ sha256sum 61-waut.ch.apk
5bdec87b69e3eb7c473baada768e78bcc5154d4fb24ff004f170be14143cd7df 61-waut.ch.apk
Version 73
$ md5sum 73-waut.ch.apk
4a7d8288fb1432f11e85a88826ed7cb6 *73-waut.ch.apk
$ sha256sum.exe 73-waut.ch.apk
5a6121ae69332741548f8a51cf221bd48b6f4a13b4b8fc491b940847096de700 *73-waut.ch.apk
Animations are set to 0
Do note that the app will cold boot once per boot to allow the animations and mount settings to take effect. This paves the way for kernel module work to commence ( albeit in the long term )
Do enable mount namespace separation in your superuser app du jour. Also do remember to visit the logs and disable notifications and click enable so waut.ch service is automatic. Daily scheduler will tune databases and ensure disk doesn't fill up.
Version 74
$ md5sum 74-waut.ch.apk
3a4dc0eaf2c98f426938e7a283a9d880 *74-waut.ch.apk
$ sha256sum.exe 74-waut.ch.apk
b7b4400f1fd6cbc93b82cb3089a2e060fbe1331bca22e3476084e28d26c3e6f2 *74-waut.ch.apk
Wifi supplicant levels set to 30
Animations to 0
Haveged Nice levels at 0
Version 75
VersionName: acfd1ce3-066d-4d44-933f-24c6d744febf
$ md5sum 75-waut.ch.apk
8d9392d2e04400da06a41dae0466ab2b *75-waut.ch.apk
$ sha256sum.exe 75-waut.ch.apk
47b74b90801cb91b1bb7d1daa16384ad2e2b43931d33ad9fc8480ab54bf779ca *75-waut.ch.apk
haveged updates to sleep better
haveged thresholds set to 320 for security reasons
note os blocking random device issue solved in all versions
networking code removed
Version 76
Release Name: 56217076-7c28-4041-99e0-0f547cceb6b4
$ md5sum 76-waut.ch.apk
689538576631d7ddf3e8d3de1d116e2d *76-waut.ch.apk
$ sha256sum.exe 76-waut.ch.apk
f7604ecebdfa4c8b4dbdb165e064927ee7ee4f85db321980f514ad7cf75ab511 *76-waut.ch.apk
-----
networking code readded
haveged thresholds all set to 3584
ntd time sync sets the system clock from the internet regularly
Version 77
Version Name: ca8302b4-0fa3-497c-b29f-cb342c6de88c
-----
haveged increment set to 40
$ md5sum 77-waut.ch.apk
4ebff80b4972678711c757c5bddce52d *77-waut.ch.apk
$ sha256sum.exe 77-waut.ch.apk
06299cc2b241b074d73013c510a937d5b7934b5211e036b9ae2ae22bfee621f6 *77-waut.ch.apk
Version 78
Version Name: 59ea3d9f-a8a1-4001-a03a-58d87331057f
haveged select timeout set to 30
animations set to 0.25
$ md5sum 78-waut.ch.apk
746aca398422d1b13f4de09d955022cd *78-waut.ch.apk
$ sha256sum.exe 78-waut.ch.apk
b172bfb5fa2504b6f38d999d6718b03ba201e0cc432fc0d11bf96f42fdf2aa0b *78-waut.ch.apk
Version 79
$ md5sum 79-waut.ch.apk
a7a43f7509c6399004f308e787731ebd *79-waut.ch.apk
$ sha256sum.exe 79-waut.ch.apk
4d720f2475f2cd9ca41fa3e59b613bcdf24bc0bab260356d82edadf39f6bf904 *79-waut.ch.apk
Version Name: 0ef22990-db5a-49dd-b831-b00d0f0e1a1a
haveged select timeout set to 20ms for smoother experience
animations set to 0.01
networking code removed. please reboot at convenience after installing and setting permissions in superuser
extend io queue code credits seeder app
Version 81
Version Name: 57610119-c991-4de2-a406-3fea2f7a269c
few net.core thresholds for max number of connections from device
$ md5sum 81-waut.ch.apk
3492cc0e9acc9c45ab8006dfd6f61367 *81-waut.ch.apk
$ sha256sum.exe 81-waut.ch.apk
fda6671aa11d4dda15c47d6f3341f0494f1f81f4749625c7b4dc7340c4bf7639 *81-waut.ch.apk
Version 82
Version Name: ce70c7b9-5d48-4783-9822-1471faa0fd0c
$ md5sum 82-waut.ch.apk
705db6eeae2af3a56c17cdd4c4135f74 *82-waut.ch.apk
$ sha256sum.exe 82-waut.ch.apk
0a60f588e6159711b27f114a7b841f4a21226a00935a3f631f767360622ac938 *82-waut.ch.apk
Version notes:
haveged: select timeout set to 1/3 seconds. really.
Version 83
Version Name: 2d967a64-533f-458e-b674-1f879770dfe5
$ md5sum 83-waut.ch.apk
f470bd93a39420e2a985eb4c0610e1ce *83-waut.ch.apk
$ sha256sum.exe 83-waut.ch.apk
2d0f1da607a3b2a98b46d4254c6d97857e94a99cfa699e7c846696e83742db3a *83-waut.ch.apk
-----
please reboot once to enable animation settings.
also do disable mount namespace separation in superuser to get optimised mount options set
haveged: select timeout set during sleep to 1 second.
Version 84
Version Name: e624b807-6710-4130-98a4-f9215868dd2d
Networking code updates
Haveged updated so random device does not lock ever
$ md5sum.exe *.apk
bc7d0031bdc1671f04990e4a53f319fe *84-waut.ch.apk
$ sha256sum.exe *.apk
4b470e833666eab395dd55dd7777778957d23032d40b307c412a76c4999f75d4 *84-waut.ch.apk
Version 87
Version Name: 9f850478-3ac5-400a-8ea8-a1523bd3ef46
Full power entropy 4096
Network stack updates
Animations set to 0
$ md5sum 87-waut.ch.apk
31b49dbc28448211aa0eb3ef4c1bd9bb *87-waut.ch.apk
$ sha256sum.exe 87-waut.ch.apk
d698a188b2afdff561d36f613cefbd5b70076f42b375a355a905de2c39759e0a *87-waut.ch.apk
Version 88
Version Name: 8a93bc33-6d83-451b-bd21-fb0e015593e9
Sleep code enhanced
Threshold set to 4000 to cater to linux issue
$ md5sum *
095f09020f9ac525b5a0f8f6a9a68e5d *88-waut.ch.apk
$ sha256sum *
e4e8aaa9543fda2d3078011ab8ac37923ed4a8e6c1f52329a9d125cd05b3e5bf *88-waut.ch.apk
Version 89
Version Name: f9436bde-ea9e-4a44-9ec1-5782f815f9b8
Bug fix in cb.sh
$ md5sum *
baf77db5509c94bc3769abbb824f457a *89-waut.ch.apk
baf77db5509c94bc3769abbb824f457a *oi.apk
$ sha256sum *
306bc336e67040cd3e9dd128677a175175775c9e6ffc338baa0ef840bc16d404 *89-waut.ch.apk
306bc336e67040cd3e9dd128677a175175775c9e6ffc338baa0ef840bc16d404 *oi.apk
Version 90
---------
Version Name: 42fe6419-42a8-45ad-982c-118cc0b6aa2e
Haveged buffer increased for better random device speed
Code:
$ busybox dd if=/dev/random of=/dev/null bs=64 count=64
64+0 records in
64+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.______ s, x.x MB/s
$ md5sum *
b67e35c1876a07172993e684a8c7edba *90-waut.ch.apk
b67e35c1876a07172993e684a8c7edba *oi.apk
$ sha256sum *
89788ccf5a89498618c0481c19e6dde049c63c69a2454448008cdd9a1e3060a8 *90-waut.ch.apk
89788ccf5a89498618c0481c19e6dde049c63c69a2454448008cdd9a1e3060a8 *oi.apk
BACKGROUND:
The most basic tenet of network security is to run a tight firewall that blocks all incoming connections that the user did not initiate (some services do require new incoming packets to go through but that is a security issue and must be dealt with separately).
SECURITY ISSUE:
iOS provides a firewall pf ("packet filter") but it is turned off by default and is not configured. Major security issue. (I'm using iOS 12.5.4 on iPhone 6, not 100% sure about other devices and later iOS versions. Pretty sure it affects all devices and versions, though.)
SOLUTION:
It's not just a solution. It's a top priority requirement for all iOS device users to lock down their firewalls.
1) jailbreak your iPhone - this is the only way to access the pf firewall and secure your iPhone
2) install a terminal app
3) change root password
4) create a pf.conf file in ~. This is the pf firewall configuration file that will be used to filter packets. In this example, everything is blocked except basic internet access and connectivity on WiFi interface that is initiated by the device.
Code:
scrub in all
block in all #default behavior block everything
block out all
block quick proto tcp to 17.0.0.0/8 #Apple IPs used by analytics - a concern, kept connecting unsolicited
pass out on en0 inet proto udp from any to any port = 53 keep state #required for DNS
pass out on en0 inet proto tcp from any to any port { 80 443 } keep state #HTTP and HTTPS
pass quick on en0 inet proto udp from any port { 67 68 } to any port { 67 68 } keep state #WiFi DHCP
5) enable the firewall with the above configuration:
Code:
pfctl -F all -f ~/pf.conf -e
COMMENTS:
pf is also limited in comparison with a Linux analog iptables in that it cannot filter by process ID. This iOS shortcoming is awful and a security issue.
ADDITIONAL HARDENING:
As a next step you can close all unneeded serial ports/TTYs. For example, on iPhone 6 you will have cell signal with the ability to use cell services and use Wi-Fi if you:
chmod 000 /dev/tty
chmod 000 /dev/tty.*
chmod 000 /dev/uart.*
chmod 000 /dev/cu.* (except cu.debug is required for cell connectivity and cu.gas-gauge for battery stats, so must also chmod 006 /dev/cu.debug and chmod 006 /dev/cu.gas-gauge)
Then, restart CommCenter, bluetoothd, wifid.
You can unload com.apple.nfcd entirely because you will not be able to change permissions/close nfc's ports/TTYs.
Unload com.apple.BlueTool, it's Bluetooth and it's a hack vulnerability, until at least you can filter it.
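What the pf.conf in step 4 actually admits depends on pf's evaluation order: the last matching rule decides, unless a matching `quick` rule stops evaluation early. The following is an added example, not part of the original post, that models those rules in Python and checks constructed sample packets against them; the helper names (`rule`, `matches`, `verdict`, `pkt`), the sample addresses and the cellular interface name `pdp_ip0` are assumptions made for illustration.

```python
import ipaddress

def rule(action, quick=False, **match):
    """One filter rule; an omitted match field means 'any', as in pf."""
    return {"action": action, "quick": quick, **match}

# Filter rules transcribed from the pf.conf above, in file order.
# "scrub in all" only normalizes packets, so it is not listed here.
# "inet" restricts a rule to IPv4, modelled as af=4.
RULES = [
    rule("block", dir="in"),                                        # rule 1
    rule("block", dir="out"),                                       # rule 2
    rule("block", quick=True, proto="tcp", dst_net="17.0.0.0/8"),   # rule 3
    rule("pass", dir="out", iface="en0", af=4, proto="udp", dports={53}),
    rule("pass", dir="out", iface="en0", af=4, proto="tcp", dports={80, 443}),
    rule("pass", quick=True, iface="en0", af=4, proto="udp",
         sports={67, 68}, dports={67, 68}),                         # rule 6
]

def matches(r, p):
    """True when every match field present in rule r agrees with packet p."""
    dst = ipaddress.ip_address(p["dst"])
    return (r.get("dir", p["dir"]) == p["dir"]
            and r.get("iface", p["iface"]) == p["iface"]
            and r.get("af", dst.version) == dst.version
            and r.get("proto", p["proto"]) == p["proto"]
            and ("dst_net" not in r or dst in ipaddress.ip_network(r["dst_net"]))
            and ("sports" not in r or p["sport"] in r["sports"])
            and ("dports" not in r or p["dport"] in r["dports"]))

def verdict(p, rules=RULES):
    """Decide the first packet of a connection (replies to a passed
    connection are admitted by the state entry, not by the rules)."""
    action, decided_by = "pass", None   # pf passes packets that match no rule
    for number, r in enumerate(rules, start=1):
        if matches(r, p):
            action, decided_by = r["action"], number
            if r["quick"]:              # quick: stop at this rule
                break
    return action, decided_by

def pkt(direction, iface, proto, dst, dport, sport=49152):
    return dict(dir=direction, iface=iface, proto=proto, dst=dst, dport=dport, sport=sport)

# Constructed sample packets (documentation address ranges).
# Assumption: pdp_ip0 is the cellular data interface.
SAMPLES = {
    "HTTPS over Wi-Fi":       pkt("out", "en0", "tcp", "198.51.100.7", 443),
    "HTTPS to 17.0.0.0/8":    pkt("out", "en0", "tcp", "17.1.2.3", 443),
    "DNS query over UDP":     pkt("out", "en0", "udp", "192.0.2.53", 53),
    "QUIC (UDP 443)":         pkt("out", "en0", "udp", "198.51.100.7", 443),
    "HTTPS over IPv6":        pkt("out", "en0", "tcp", "2001:db8::1", 443),
    "HTTPS over cellular":    pkt("out", "pdp_ip0", "tcp", "198.51.100.7", 443),
    "Unsolicited inbound":    pkt("in", "en0", "tcp", "192.0.2.10", 22),
    "DHCP request":           pkt("out", "en0", "udp", "255.255.255.255", 67, sport=68),
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:22} -> {verdict(p)}")
```

Besides confirming that unsolicited inbound traffic is dropped, the model shows side effects of the ruleset that are easy to miss: IPv6, UDP 443 and all traffic on interfaces other than `en0` fall through to the default `block out all`.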