Security Mode\Firewall

[gbdomubpkm]

Hello I suggest that you make the name 'Security mode' more complete\readable because what the user is looking for in particular is the known term 'firewall' and if you type the term 'firewall' in the search for parameters, nothing!

Regarding the firewall, I think you should definitely include the possible disconnection from the internet of the desired apps because the main polutions or surveillances come from the internet and all the apps are connected by default to the internet so many don't need it. It is true that we can disconnect the apps one by one under AOSP, or by using specific apps but that should be part of the firewall that you propose I think.

[wurzer]

Thanks for your suggestion. We name is security mode, because it's more, than a firewall.

You implement your requirement with Hide.me.

1. Enable strictly system wide use of VPN
2. Enable VPN in the Hide.me app with split tunneling
3. Exclude the apps from VPN within split tunneling settings.
4. You selected apps are blocked.

Further more we plan to publish a Volla OS release with security templates. So you can use apps, with trackers, that are blocked by our firewall then.

Another option is using white listing.

[gbdomubpkm]

I will be happy to test all your new features on my Vollas as soon as the stable update is available. 🙂

[gbdomubpkm]

Hello @wurzer

Thank you for your update I made on my Volla. and for the security templates.

On the Volla, I had 3 reboots like the Lorimi crashes with UT: I had activated all the blacklists, plus proton vpn, plus ublock origin from fennec... Maybe it's too much??

Perhaps we need a clarification on what can or cannot be combined. Does templates work when vpn is actived ? Can you too clarify at what level on the smartphone templates should work ?

But do you confirm the templates really work to date ? what do they contain? I tested, without using a vpn, one by one only the porn and gamble lists which do not stop the sites whose stopping I wanted to test.

Best new year wishes Regards

[wurzer]

I couldn't reproduce the mentioned issues. Which device are you using?

You should be able to use the templates in combination with the VPN. However, if you use a whitelist, please make surem that you include, that the system is using. Therefore we have added the volla.tech domain. Otherwiese, it could be possible, that you can connect to Wifi for instance.

We had little kernel change by adding the Wireguard protocol. But this shouldn't have an impact on the boot process. You can post or send me the logcat of the device boot process.

I welcome any improvement of our templates. It's just the beginning, we have now the technical process to apply those templates implemented.

https://github.com/HelloVolla/security-mode-templates

[gbdomubpkm]

The issues mentioned are for the Volla purchased Volla OS. Not tested on the Volla22. Can you give me two innocuous addresses that should theoretically be blocked regarding Gambling and Porn lists? Thanks

[wurzer]

You can find the sample templates here:

https://github.com/HelloVolla/security-mode-templates/blob/master/template-config.json

We have initially focused on trackers and advertising for black lists. Your recommendations for lists that block pornography are welcome. For children and young people, however, I see white lists as more appropriate, which seems to me hardly possible to capture the abundance of pornographic and other content harmful to children and young people in one list.

[gbdomubpkm]

Ok, thank you for your link.

An example : when I load the gambling template, and enter for example https://www.fdj.fr/ under the fenix browser, I should not be able to access this page, right? Well that doesn't work for me, fdj page isn't blocked on the volla and the volla22. Is this fdj page is blocked for you ?

Edit : I'm sorry first. I made multiple attempts. Same effects, the Firewall does not work at all (only for me ?) neither on the volla nor on the volla22. Please show me a screenshot of fdj blocked under fenix with the gambling list if it works for you. IF, there is something i don't understand, i don't see what it is.

To remove this doubt, are you sure you posted the correct version of your update on December 29?

[wurzer]

If you load a security template for a black list, than the listed domains of each template should be blocked, if and only if the security mode is activated. You can easily test it by your own list or domain, you add to the security mode settings.

[gbdomubpkm]

if and only if the security mode is activated.

What do you mean ? I can't block my own domains, it doen't work. It works with fenix but not with volla volla os firewall for me alas. It works too with domains with volla UT with morph-browser..

[wurzer]

Sure, you can define any domain for the black and white list on you own. You can also import a list of domains from a text file, if you have many domains you would like to block or explicitly allow. Please make sure, that you set the radio button for the black or white list according your intention.

[gbdomubpkm]

I partly understood 🙂 why the firewall wasn't working and I didn't understand why you were talking about 'activating security mode'. The safe mode can only be activated by the volla launcher I think, and since I occasionally use another launcher, the activation of the safe mode is invisible !! If enabling safe mode had been in the system settings, I would have seen it I think. I will continue my investigations later because I am on the road.

[wurzer]

I see. That clarifies your issue. The security mode needs to be activated in the launcher.

However there is a Java API for the security mode to activate and de-activate it. A corporate customer is using this feature for a light weighted MDM solution.

We could take you inquiry as an inspiration for a redundant way to activate the security mode in the system settings.

[gbdomubpkm]

That's exactly what I was going to suggest: double enable security mode in system settings. If I had known about the problem in the first place, I wouldn't have bothered you. 🙂 . Sorry. But that's the good thing about considering redundant way activate security mode in case we use another launcher.

[gbdomubpkm]

For now, are there easy command lines to enable or disable the firewall through the volla terminal?

[wurzer]

There is a reference implementation. See the lines 170ff. You can use the lava library, that is part of the project to access the interface:

https://github.com/HelloVolla/android-launcher-qt/blob/master/android/src/com/volla/launcher/util/AppUtil.java

[gbdomubpkm]

Sorry. I don't understand how to do this and what 170ff means. Concretely, can you give me if possible the command lines to activate and deactivate the firewall ? Thanks in advance.

[gbdomubpkm]

More tests:

Hello. On the Volla: Can you check if blocking unknown apps works for you? I don't (after activating the firewall). In fact the switch seems to be disabled (seen after disabling the firewall). I haven't checked on the Volla 22.

Edit : Conversely, in security mode, Aurora store can no longer install apps or updates even if 'do not install unknown apps' is disabled !! Same on Volla22.

Edit 2 : I will end by saying that, in my tests on the blacklists or added domains, they do not erase themselves if desired (one might think so, but in fact not if one exits the security menu and then comes back to it) are individually or collectively unless you activate the whitelists button and then go back to the blacklists button.

[wurzer]

I can confirm, that all apps are blocked, the are marked as blocked in the security mode settings, if securoty mode is activated. And I can confirm. That I can't install apps even if Aurora is not blocked and the toggle for unknown apps is disabled. I'll open an internal ticket for that.

[wurzer]

Sorry. I don't understand how to do this and what 170ff means. Concretely, can you give me if possible the command lines to activate and deactivate the firewall ? Thanks in advance.

If means line 170 and the following. However I just saw, that should look at the part form line 142.

} else if (type.equals(TOGGLE_SECURITY_MODE)) {
    boolean activate = (boolean) message.get("activate");
    boolean keepPassword = (boolean) message.get("keepPassword");

    ChildModeManager childModeManager = ChildModeManager.getInstance(activity);
    Map reply = new HashMap();

    if (activate) {
        if (!childModeManager.isPasswortSet() || !keepPassword) {
            String password = (String) message.get("password");
            childModeManager.setPassword(password);
        }
        childModeManager.activate(activate);
        reply.put("succeeded", true);
    } else {
        String password = (String) message.get("password");
        if (childModeManager.validatePassword(password)) {
            childModeManager.activate(activate);
            reply.put("succeeded", true );
            reply.put("activate", activate );
        } else {
            reply.put("succeeded", false );
            reply.put("error", "Wrong password" );
        }
    }
    SystemDispatcher.dispatch(SECURITY_MODE_RESULT, reply);
} else if (type.equals(GET_SECURITY_STATE)) {
    try {
        Intent childModeSettings = pm.getLaunchIntentForPackage("com.volla.childmodesettings");
        boolean available = true;
        try {
            // check if available
            pm.getPackageInfo("com.volla.childmodesettings", 0);
        } catch (PackageManager.NameNotFoundException e) {
            // if not available set available as false
            available = false;
        }
        ChildModeManager childModeManager = ChildModeManager.getInstance(activity);
        Map reply = new HashMap();
        reply.put("isActive", childModeManager.isActivate() );
        reply.put("isInstalled", available);
        SystemDispatcher.dispatch(GOT_SECURITY_STATE, reply);
    } catch (Exception e) {
        Map reply = new HashMap();
        reply.put("isActive", "false" );
        reply.put("error", "Not installed" );
        Log.d(TAG, e.toString());
        SystemDispatcher.dispatch(GOT_SECURITY_STATE, reply);
    }
} else if (type.equals(GET_IS_SECURITY_PW_SET)) {
    ChildModeManager childModeManager = ChildModeManager.getInstance(activity);

    Map reply = new HashMap();
    reply.put("isPasswordSet", childModeManager.isPasswortSet() );
    SystemDispatcher.dispatch(GOT_IS_SECURITY_PW_SET, reply);
}

[gbdomubpkm]

On the Volla: Can you check if blocking unknown apps works for you? I don't (after activating the firewall). In fact the switch seems to be disabled (seen after disabling the firewall). I haven't checked on the Volla 22.

I misspoke about these above lines. Please check this for F-Droid. Install unknown apps aren't blocked for me.

Edit 2 : I will end by saying that, in my tests on the blacklists or added domains, they do not erase themselves if desired (one might think so, but in fact not if one exits the security menu and then comes back to it) are individually or collectively unless you activate the whitelists button and then go back to the blacklists button.

What's about Edit 2 for you ?

[wurzer]

Regarding installation: Yes, I can confirm the same issue with F-Droid. I think, it's an issue with the package manager, if the security mode is enabled. I have already filed a bug in our internal ticket system. Thanks for the report.

Regarding the templates. You can delete them with the related entry int the three-dot-menu. You delete single entries by swiping to the left. Is that, what you mean?

[gbdomubpkm]

What I mean is that the templates in blacklist mode (I only tested that) do not disappear even if on the screen you no longer see the lists (regardless of the erasing method used) .

I'll make it simple: You are in 'blacklist domains' mode:

• you 'delete' for example the security templates (lists) you want: no more lists on the screen indeed.
  • exit the system settings, go back to the security mode settings, Firewall, the lists reappear!!

The only way to clear blacklists is to switch to 'whitelist domains' mode and then switch to 'blacklist domains'.

[wurzer]

Thank your very much for the steps to reproduce it. I'll check and open a ticket in our internal Gitlab.

[gbdomubpkm]

Another thing that doesn't seem normal to me. After activating the blacklist firewall (no firewall before), it is impossible to connect to the fenix browser for a while. No network. Waiting for a certain delay (several minutes) or restarting the Volla immediately solves the problem.

[gbdomubpkm]

Please explain all Volla issues that should be fixed for the January 11 update in wiki / volla OS release notes. Thank you.

[wurzer]

You find Volla launcher release notes in the related project wiki: https://github.com/HelloVolla/android-launcher-qt/wiki/Release-Notes

[gbdomubpkm]

Thank you for your link but i'm not speaking about Volla launcher notes here, i speak of Volla OS release notes. Miss 11 January update notes.

[wurzer]

Fine, you found it. Enjoy the day!

[gbdomubpkm]

Fine, you found it

Not really... There is no Volla OS Release notes of January 11th.. 😉

Enjoy the day !

Same for you

[gbdomubpkm]

Hello. Is an update that fixes the issues I reported here coming soon?

[wurzer]

We are working on Volla OS 12. You a asking for linking the rlease notes properly in the updater app?

[gbdomubpkm]

No. I'm talking about issues with the security mode not working properly that you had to report internally.

[wurzer]

There is one known issue, that you can't activate tethering while the security mode is on. Regarding removing all domains, we plan a re-implementation of this feature. However there is a workaround by switching to white list and back to black list. Is there something else, that needs to fixed?

[gbdomubpkm]

I didn't notice anything more than anything I reported in this ticket.