celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.92k stars 147 forks

User feedback: HTTPS Filtering #55

Open ignoramous opened 4 years ago

ignoramous commented 4 years ago

MiTM HTTPS traffic [0] to block content users don't want seen ever on their devices. Will not work with apps that pin certificates without some elaborate gymnastics, so that's there too.

[0] https://kb.adguard.com/en/general/https-filtering

Ch4t4r commented 4 years ago

Another problem could be that apps since API 24 by default don't trust user-added certificates. An app has to opt into trusting them. https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

Maybe there is a way around that by using root and adding the CA to the system CAs.

ignoramous commented 3 years ago

A user writes:

Kinda disagree with your points

  1. I use AdGuard for Android with https filtering and barely notice an increase in battery usage (app reports 0.17% battery usage in last 24 hours).
  2. Decryption is done locally, no traffic is sent to remote servers, so it's a MITM but on my own machine done by me. I prefer this to having unwanted 3rd parties used by my bank spying on my banking habits (for a service you often pay for).
  3. Extensions are often not available on mobile browsers (except Firefox, Kiwi or Yandex for example) and when they are, options are pretty limited. uBlock Origin can't change my user-agent, remove tracking parameters from URLs or work in other apps. Plus, browser extensions are limited by browser capabilities which will always be abused by advertisers, malware and the likes. A dedicated app bypasses those restrictions.

But the initial goal of rdns was censorship circumvention and I understand you might limit its scope to dns/firewall

ignoramous commented 3 years ago

Ground work for http-filtering has been laid, but no guarantees as to when or if we do implement it: https://github.com/celzero/firestack/commit/7734c4508f15d6b10f2c0b55efccb542ea34a2f0

yoshimo commented 1 year ago

If you do this, I think supporting uBlock Origin filter lists and scriptlets would be the way to go as the source for filter lists. To prevent breaking apps and sites you should have whitelisting for hosts whose certificates are pinned by the app. The more automated that is, the better the user experience will be.

yoshimo commented 1 year ago

You can get some inspiration from https://github.com/emanuele-f/PCAPdroid which uses https://github.com/emanuele-f/PCAPdroid-mitm to install a module that accomplishes this.

If you break connections open you should log the TLS master secret as SSLKEYLOGFILE, add it to the pcap (the pcapng format allows for this) and offer the user to save an already decrypted pcap.
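The pcapng mechanism referred to above is the Decryption Secrets Block (block type 0x0000000A, secrets type 0x544C534B for a TLS key log): an analysis tool that reads the file can pick up the session secrets from the capture itself instead of a separate SSLKEYLOGFILE. The following is an added example, not code from Rethink, PCAPdroid or this thread, that writes a minimal pcapng (section header, one LINKTYPE_RAW interface, a secrets block, optional raw IP packets) and walks the blocks back out to recover the key log. The key log line and the packet bytes are constructed placeholders, not real session material.

```python
import struct

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
DSB_TYPE = 0x0000000A          # Decryption Secrets Block
DSB_TLS_KEYLOG = 0x544C534B    # secrets type "TLSK": SSLKEYLOGFILE format
LINKTYPE_RAW = 101             # raw IPv4/IPv6 frames, as a VPN tun device sees them

# Constructed sample key log line: fake client random and master secret, not real TLS data.
SAMPLE_KEYLOG = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"
# Constructed 20-byte placeholder packet (only the IPv4 version/IHL byte is meaningful).
SAMPLE_PACKET = b"\x45\x00\x00\x14" + b"\x00" * 16


def _pad4(data: bytes) -> bytes:
    """pcapng block bodies are padded to a 32-bit boundary."""
    return data + b"\x00" * ((4 - len(data) % 4) % 4)


def _block(block_type: int, body: bytes) -> bytes:
    """Frame a body as a block: type, total length, body, total length (little-endian)."""
    body = _pad4(body)
    total = 8 + len(body) + 4
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header_block() -> bytes:
    # byte-order magic, version 1.0, section length -1 (unknown), no options
    return _block(SHB_TYPE, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))


def interface_description_block(linktype: int = LINKTYPE_RAW, snaplen: int = 65535) -> bytes:
    # linktype, reserved, snaplen; no if_tsresol option, so timestamps are microseconds
    return _block(IDB_TYPE, struct.pack("<HHI", linktype, 0, snaplen))


def decryption_secrets_block(keylog: bytes) -> bytes:
    # secrets type, secrets length, secrets data (padded by _block); no options
    return _block(DSB_TYPE, struct.pack("<II", DSB_TLS_KEYLOG, len(keylog)) + keylog)


def enhanced_packet_block(interface_id: int, ts_usec: int, packet: bytes) -> bytes:
    # interface id, timestamp high/low, captured length, original length, data
    hdr = struct.pack("<IIIII", interface_id, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                      len(packet), len(packet))
    return _block(EPB_TYPE, hdr + packet)


def build_pcapng(keylog: bytes, packets) -> bytes:
    """Assemble a file; the DSB comes before the packets it decrypts, as the spec recommends."""
    blocks = [section_header_block(), interface_description_block(), decryption_secrets_block(keylog)]
    for ts_usec, pkt in packets:
        blocks.append(enhanced_packet_block(0, ts_usec, pkt))
    return b"".join(blocks)


def extract_keylog(pcapng: bytes) -> bytes:
    """Walk every block with bounds checks and return the concatenated TLS key log secrets."""
    if pcapng[:4] != b"\x0a\x0d\x0d\x0a" or pcapng[8:12] != b"\x4d\x3c\x2b\x1a":
        raise ValueError("not a little-endian pcapng section")
    secrets = []
    off = 0
    while off + 12 <= len(pcapng):
        btype, total = struct.unpack_from("<II", pcapng, off)
        if total < 12 or total % 4 or off + total > len(pcapng):
            raise ValueError("corrupt block length at offset %d" % off)
        if struct.unpack_from("<I", pcapng, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        if btype == DSB_TYPE:
            stype, slen = struct.unpack_from("<II", pcapng, off + 8)
            if slen > total - 20:          # must fit between the DSB header and trailer
                raise ValueError("secrets length exceeds block")
            if stype == DSB_TLS_KEYLOG:
                secrets.append(pcapng[off + 16: off + 16 + slen])
        off += total
    return b"".join(secrets)


def demo() -> bytes:
    """Round-trip the constructed sample and return the recovered key log."""
    data = build_pcapng(SAMPLE_KEYLOG, [(1_700_000_000_000_000, SAMPLE_PACKET)])
    return extract_keylog(data)
```

Writing the bytes from `build_pcapng` to a `.pcapng` file gives a capture that carries its own secrets; the reader side above is deliberately strict about block lengths, since a capture file is untrusted input to whatever parses it.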

ignoramous commented 1 year ago

Thanks. PCAPdroid is GPL which is incompatible with the Apache v2 License Rethink uses. That said, PCAPdroid runs MiTMProxy (written in python) which is something we'd want to avoid, given the already bloated nature of our app.

yoshimo commented 1 year ago

It is just a demonstration of how you could do it, not only code to copy :)

ignoramous commented 1 year ago

an h1/h2 mitmproxy (no other ALPNs or h2) in Go: https://github.com/projectdiscovery/martian/ (usage)