Control network-traffic for Android Apps

This functionality should be built into the Sailfish Android layer!

They say SFOS is about privacy, then why the heck is the Android layer less private than a standard Android phone (with proper apps)?

SFOS must have built-in functionality to provide fake data to Android apps and to disallow internet access on per-app basis.

3 Likes

When any VPN app is launched it does not change the AlienDalvik VPN settings… Why is this?

It seems important for you to have a use case, so I will give you one, or two of tons.
I am using ColorNote for my personal notes, and I don't want this to have network access, ever. There is TitaniumBackup, which makes local backups, and for this I only want to allow LAN access. Or my media player shouldn't be going online, because I only want to see local files. And so on.

2 Likes

All these Android apps connect to google and facebook for metrics and data collection. I try to block hosts like googleapis .com etc by adding them to the etc/host file like described here: https://together.jolla.com/question/123404/howto-block-websites-in-every-browser/ but it did not work.

On Ubuntu I use OpenSnitch.

I also tried:
iptables -A INPUT -s facebook .com -j DROP
iptables -A OUTPUT -d facebook .com -j DROP

and from the browser I can no longer access the page, but using TCPDUMP on the router I can still see the Android apps connecting to facebook .com

How to block Android app trackers on Sailfish OS 4?

Take a look here:
https://openrepos.net/content/peterleinchen/defender-ii-updated-encrypted-devices-originated-nodevel

In above you missed that android layer is using its own hosts file.
Defender will take care of this…

2 Likes

This is all very sad.
J has full control of android layer, yet they show zero interest in putting snoopy android apps on a leash.
So much for privacy-friendly OS.

1 Like

This Defender II app is awesome! Thank you so much!!

Yes!
But all kudos should go to nodevel, as he invented/implemented it.

You know that there is a …/etc/hosts.editable file in which you might add whatever site you want to add getting blocked?

I edited the …/etc/hosts.editable file with sh -c 'echo "127.0.0.1 www.google.com" >> /etc/hosts.editable' but even after reboot using the browser it did not block the url. But when I use sh -c 'echo "127.0.0.1 www.google.com" >> /etc/hosts' it does.

The problem is that it does not block google from the Android layer. When I open the Android version of Firefox I can still open Google.com

Not sure what I do wrong.

There are two (three) locations of etc/hosts* files; that is what I meant with /etc/hosts*.

First one is /etc/hosts* for native SFOS.
Second (third) is for the Android layer and, depending on version (10 or older 4.4), it is /system/etc/hosts* or /opt/alien/system/etc/hosts*.

After modifying this/these hosts.editable files you need to update within defender app to get these changes integrated.

1 Like

Both /etc/hosts and /system/etc/hosts are now 11 MB in size and contain the lists of urls to be blocked.

It works on Sailfish, but I can see on the router TCP dump that the Android layer does not block the URLs.

It seems to ignore or bypass the IP Tables host file. Is there a resolve.conf I need to adjust?
What else can I try?

1 Like

Oops,
it looks like you found something I was not aware of.
Please try restarting the Android support, either via the system settings GUI or with devel-su systemctl restart aliendalvik.
And test again.

1 Like

I did that and rebooted the device, but the Android layer still seems to ignore or bypass the IP Tables host file. Can I force the Android layer to use the IP Tables somehow?

That sounds strange!

Please attach to Android console with

devel-su lxc-attach -n aliendalvik -- /system/bin/sh

and try to ping one of those blocked host names (from /system/etc/hosts) and see what IP you get resolved.

I pinged facebook. com, crashlytics. com, scorecardresearch. com, app-measurement com which I blocked and they get resolved from the Android layer. They only get blocked on Sailfish native OS. Which is a problem because Sailfish OS apps generally do not have any trackers but all these Android apps do. The other day I read from Wireshark users that almost 50% of all traffic on a phone comes from Google and third party trackers.

Then you might have done something wrong?

Steps to do

  • edit file /system/etc/hosts and save it
  • restart android support (needed!)
  • attach with devel-su lxc-attach -n aliendalvik -- /system/bin/sh and ping one of the added (modified) name/IP tuples by name.

Result: you should see the newly configured IP (e.g. 127.0.0.1) after android support restart.
That is what I see.

[Screenshot: Selection_011]

I followed all the instructions and it works from Sailfish OS itself, it just does not work from the Android layer, and both the /system/etc/hosts and /etc/hosts files are identical.

When I ping the local host it returns 0.0.0.0 the first time. When I ping localhost after devel-su lxc-attach aliendalvik /system/bin/sh I get 127.0.0.1 but when I ping for example 2no .co as shown in the screenshot of my hosts file it returns iplogger .com with 0 packet loss.

Aliendalvik does not use /system/etc/hosts, it has its own hosts file inside the read-only system image.

You can use /etc/hosts for android apps by adding the following line to /var/lib/lxc/aliendalvik/extra_config:

lxc.mount.entry = /etc/hosts system/etc/hosts none bind,create=file 0 0

This will “overload” the hosts file inside the read-only system.img with the /etc/hosts from outside the LXC container.

See adblock via /etc/hosts on XA2/AlienDalvik v8 - together.jolla.com

4 Likes

Oh oh!
I need to apologize.

I was/am fully aware of that extra_config file but may have forgotten completely that it seems this file was also manually edited by me a long time ago. (I have another line inside about hosts.editable which is not of use, so I really thought that mounting of /system/etc/hosts to etc/hosts is part of the aliendalvik package.) And to be honest I expected this to be part of the aliendalvik package!
But a rpm -qf /var/lib/lxc/extra_config tells me this is not part of any package :(
I will also create a feature request but do not expect that to be noticed or implemented within the next few releases, months/years.
For that reason I will add this extra_config file to the harbour-defender package (may take some time because it needs a bit of testing).

Meanwhile, to differentiate between native etc/hosts and the Android system/etc/hosts (there may be reasons to do so), you may use the following, preferred for harbour-defender users:

devel-su
echo 'lxc.mount.entry = /system/etc/hosts system/etc/hosts none bind,ro 0 0' >> /var/lib/lxc/aliendalvik/extra_config

or to just simply use /etc/hosts for both environments ( not using harbour-defender maybe ):

devel-su
echo 'lxc.mount.entry = /etc/hosts system/etc/hosts none bind,ro 0 0' >> /var/lib/lxc/aliendalvik/extra_config

–edit
the create_file option is not needed as system/etc/hosts file is part of system.img
and I added the ro option to not allow the dark side to alter files on native file system

2 Likes
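
Added example (not posted by anyone in this thread): the `echo ... >>` commands above append another line on every run, so these shell functions instead replace any existing hosts entry in extra_config and then check that exactly one read-only bind remains. The function names are hypothetical; the config path and the entry format are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example: keep a single read-only hosts bind mount in the
# aliendalvik LXC extra_config. Function names are hypothetical.

EXTRA_CONFIG="${EXTRA_CONFIG:-/var/lib/lxc/aliendalvik/extra_config}"
TARGET="system/etc/hosts"   # mount target, relative to the container rootfs

# Print the mount entry for a host-side source file (format from the thread).
hosts_entry() {
    printf 'lxc.mount.entry = %s %s none bind,ro 0 0\n' "$1" "$TARGET"
}

# ensure_hosts_bind SOURCE [CONFIG]
# Removes older entries that mount onto system/etc/hosts (for example a
# writable "bind,create=file" one), keeps all other lines, appends an ro entry.
ensure_hosts_bind() {
    src="$1"; cfg="${2:-$EXTRA_CONFIG}"
    [ -f "$src" ] || { echo "source file $src not found" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    if [ -f "$cfg" ]; then
        awk -v t=" $TARGET " \
            '!(/^[ \t]*lxc\.mount\.entry[ \t]*=/ && index($0, t))' "$cfg" > "$tmp"
    fi
    hosts_entry "$src" >> "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# check_hosts_bind [CONFIG]
# Succeeds only if exactly one hosts entry exists and its options include "ro",
# so the Android side cannot write to the host's file through the mount.
check_hosts_bind() {
    cfg="${1:-$EXTRA_CONFIG}"
    awk -v t=" $TARGET " '
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ && index($0, t) {
            n++
            rest = substr($0, index($0, t) + length(t))
            split(rest, f)                      # f[1] = fstype, f[2] = options
            if (("," f[2] ",") ~ /,ro,/) ro++
        }
        END { exit !(n == 1 && ro == 1) }' "$cfg"
}

# Usage (root shell via devel-su):
#   ensure_hosts_bind /etc/hosts && check_hosts_bind
# then restart Android support as described in the posts above.
```
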

Strange, I see /etc/hosts and /system/etc/hosts from the host in the LXC container. If I ping one of the entries in /etc/hosts on SailfishOS it resolves to 0.0.0.0, as expected; within LXC container it resolves to the ‘real’ IP address of that host. So it seems that it doesn’t quite work as expected.
Does Android’s ping command use another service for hostname resolving than SFOS?

1 Like