Mobile: Encrypting All Internet Traffic

This is one of many articles in a series I’m writing to cover end-to-end encryption for everything…

Encrypt All The Things! [A Guide]

you do in your digital life.  I’ll cover encrypting specific types of …internet traffic (like E-Mail, Web sites, etc…) in other articles.

For a primer on encryption, please read my article “Understanding Encryption”…

Understanding Encryption

…as it teaches VERY IMPORTANT concepts that you need to know before moving forward here.

This works for rooted AND unrooted phones.

Big Disclaimer

Before going any further, let’s make one thing perfectly clear on THIS particular encryption.  This does NOT make all your internet traffic encrypted from your phone all the way to the final destination!

So… What does it do then?

This will encrypt your connection from your phone through and past your ISP.  It protects you from your ISP and anyone snooping on  your local end of the network.  This is great for when you need to use public wifi.  Scammers running a free wifi node will NOT be able to see your data NOR will they know where on the internet you’re going.

So… What does it NOT do?

Excellent question!  Let’s say you’re browsing a website that’s NOT encrypted (like this page you’re on right now)… Under normal circumstances, anyone snooping your network traffic ANYWHERE on the internet… from your local connection all the way to the connection on my end at my website, can see:

  • Your IP address.
  • The URL you’re wanting to visit.
  • Anything you type on my search page.
  • The contents of the pages my website sends back to you.
  • In short, everything is visible and in the clear.

Using the techniques in this article, you’ll be on an encrypted connection from your phone, through and past your ISP to some random computer on the TOR network, to a couple MORE computers on the TOR network, till your connection finally exits the TOR network and gets back on the regular internet, possibly in another country.  From THERE, your connection from THAT computer to my website is entirely unencrypted.

So… Why use TOR then?

To hide your network activity from your ISP, your cell phone provider network, your employer’s wifi, your local government(s) (including the NSA and GCHQ (the British NSA)), and anyone else snooping on the network near your end of the connection.  It will also hide your IP address from the websites you’re visiting.  You can make yourself appear to be in just about any country you choose.

Will this guarantee no one can see what I’m doing online?

LOL!  You’re cute when you’re innocent.  Of course not.  NOTHING is 100% safe on the internet, but it’s pretty darn strong protection and causes even the NSA headaches.  Someone with lots of resources would have to be specifically targeting you and it would be very difficult for them, even then.  You’re reasonably safe even against the NSA, but not totally.

What does it encrypt?

Note that this is a method to obfuscate ALL your internet traffic from your Android device, not just web browsing, but everything, including traffic to and from the Google Play Store, Google searches, game communication.  Again, it will NOT encrypt an unencypted connection.  It will encrypt all steps of the connection up to the exit node (see “How does it work?” below).

How does it work?

There are thousands of computers all around the world volunteering to be part of the TOR (The Onion Router) network.  When you connect to the TOR network, you’re randomly choosing an entry node computer somewhere in the world.  That computer then forwards your traffic to another, randomly chosen computer somewhere else in the world, which then forwards you to yet another computer on TOR somewhere else in the world, which then forwards you to a randomly selected TOR “exit node” computer… a computer on TOR whose purpose is to act as a fake YOU to the sites you visit.  It’s THAT computer’s IP address that your sites will see.

All traffic between you and all the TOR computers that your traffic passes through is encrypted.  The TOR computers do not know of your entire connection path through all the TOR computers you’re connecting through.  ONLY your own device knows that.  This is to prevent malicious adversaries from trying to reverse trace where you are.

Doesn’t this slow my connection down?

You betcha!  Yes.  Yes it does.  You do NOT want to do this for a first person shooter game.  YOU WILL LOSE!

Step by step instructions (FINALLY!)

If you’re device is NOT rooted, you’re going to change your Proxy address to “localhost” and your port to 8118 after you download and install Orbot. Below the installation steps are steps on doing that below:

  1. Download the app “Orbot” from the Google Play store.Screenshot_20160404-165041
  2. Optionally, you may want to ALSO install “Orfox”, a browser made to work on the TOR network.  It’s a modified version of the FireFox browser.  It works in tandem with Orbot.  But any browser will work.
    1. Screenshot_20160404-165051
  3. Launch the Orbot app.
    1. Screenshot_20160404-165126
  4. Long press on the screen to start Orbot.
    1. Screenshot_20160404-165118
  5. If you want to appear to be from a specific country, tap the drop down control in the bottom right of the screen and choose your desired country.
    1. Screenshot_20160404-165145
  6. If your device is rooted, skip the following steps about configuring your wifi connection and go directly to step #11.
  7. If your device is NOT rooted, it requires a little more work.  Steps 7-9 will need to be completed every time you connect to TOR.  Go to Settings->Wifi and long press on your wifi connection that you’re connected to and select “Manage network settings”.Screenshot_20160404-165310 BLURRED
  8. Now check the box “Show advanced options”
    1. Screenshot_20160404-165317 BLURRED
  9. Change your Proxy to “Manual”.
    1. Screenshot_20160404-165332 BLURRED
  10. Change your Proxy Host Name to localhost and your Proxy port to 8118 and tap “SAVE”.
    1. Screenshot_20160404-165404 BLURRED
  11. If everything worked (and it doesn’t always), you should have a secure connection on the TOR network now.  Open OrBot and click the “Browser” button on the lower left.Screenshot_20160404-165118
  12. If you have OrFox installed, it should open OrFox and load a page that tests.  It will tell you if you’re on a safe Tor connection.  If you don’t have OrFox installed, it’ll launch your default browser and do the same thing.  Here are 2 screenshots, one of OrFox and one of Chrome:

Screenshot_20160404-165205Screenshot_20160404-165422

If it didn’t work, you’ll see a page like this:

Screenshot_20160404-165246 BLURRED

If you see the “sorry” page, launch Orbot, then open its menu and choose “Exit”, then go to step #3 and try again.  There’s no guarantee that this will work all the time.  Some days it works.  Some days it doesn’t.

image

How to end TOR and go back to NORMAL networking

  1. Open the Orbot app, long press, and Orbot will end the TOR connection.  The onion icon will become gray.
  2. Open the menu in the Orbot app and choose “Exit”.
  3. Fix your wifi proxy back… Settings->Wifi.
  4. Long press your wifi network and choose “Manage network settings.
  5. Click the check box “Show advanced options”.
  6. Change “Proxy” back to “None”.
  7. Tap save.

You should now have a normal network connection again.  As a last resort, simply reboot your device if networking fails to restore to normal.

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Encrypt your web traffic

image

This is my fifth installment in my “Encrypt All The Things!” series.

Encrypt All The Things! [A Guide]

Today, we will encrypt all (or as much as possible) of your web traffic on Windows, Mac, Linux, & Android.

Your web traffic (what you request to view, what is sent to your browser to view, and what you post back in webforms when signing up for new accounts, uploading your photos, uploading your files… is all done in clear, unencrypted text unless the page you’re requesting or posting to begins with https://.   That “s” is the critical piece.  That means “secure”.  That means the web page was encrypted at the web server before being sent to your browser and anything you post (or fill in and submit) will be encrypted too.

But, Not So Fast!

There are several gotchas where that is NOT the case:

    1. You might be on an https site, but the site may have been coded poorly and the data you’re filling in might not be going back to an https page.  If so, then your data is being sent back in clear text over the open internet, and THAT’S more important than the page you’re viewing being encrypted (well, in many cases).  The page COULD be coded to post your data back to a non-secure page.
    2. Just because you’re on an https site, doesn’t mean that the site owners are trustworthy.  All it means is that the connection between the two of you is encrypted.  If you’re on a phishing website, it’s still the bad guys, even IF it’s encrypted.
    3. If you’re at work, it’s entirely possible that your employer has installed their OWN root certificates on YOUR work PC and your employer is acting as a man in the middle.  Even though you may be on an https website on a trusted website like https://google.com, your connection may be encrypted only between your PC and the equipment downstairs in the computer room in the very building you’re in.  Your employer can easily have access to ALL of your web traffic, record it, snoop it, and use it against you.  (We’ll spend some extra time on this one a little later in the article).
    4. If your PC already has malware on it, encrypted traffic is pretty much useless because they’ve already gotten behind all your protections and have access to everything you do BEFORE it gets encrypted and sent over the internet.  (Wipe your hard drive and start over.  Not kidding!)

So, What Do You Do?

    1. If the https site is coded poorly and is sending your data back, unencrypted, how do you know?  That’s a little complicated and unless you’re a web developer (and even IF you’re a web developer), it’s hard to tell sometimes.  In short, do this on a login page or a web page asking for your personal information:
      1. On your desktop browser, right-click the page and choose “View Source” or “View Page Source” or something similar to that.
      2. Look for something that starts with “<form “   Like this from EFF’s website, as an example:
        1. <form action=”https://supporters.eff.org/subscribe” method=”post” class=”newsletter-form” accept-charset=”UTF-8″>
      3. This is called a form and the “action” tells us WHERE our data goes when we submit it on that page.  Notice that it’s an “https” site?  That means it’s encrypted on our end before going back.  If it’s just “http” with no “s”, it’s being sent back in the clear, with ZERO encryption!
        1. What do you do?  Not much you can do about that.  But you CAN install the TOR browser.  It’ll encrypt EVERYTHING you do in the browser, and pass it through a peer to peer network, hopping through multiple other computers, before finally having the last computer actually send your data to the real website.  But, it’ll have to be unencrypted there before going across the internet to the site you wanted to post to.  You can’t force the website to receive your data encrypted.  You can only encrypt it on your end, pass it along a few PCs before it must be decrypted and sent in the clear.  That’ll at least block your ISP form seeing it or anyone snooping on your local network.  But it won’t stop a snoop on the OTHER end of the connection.
    2. How do you know if your employer is snooping on what you THOUGHT was an encrypted connection?
      1. In Chrome:  Go to any https site, like https://google.com, click on the green padlock, click “connection”, click “certificate information”, click the “Certification Path” tab.
        1. image
      2. It should not have your company’s name in there.  If it DOES, guess what?  You’re employer is decrypting and snooping on your traffic.  They’re playing as what’s called a “Man In The Middle”.  This only works because they have control of your PC and have installed their OWN root certificate telling your browser to trust THEIR security certificates as valid owners of Google.com.  NOT COOL!
        1. What do you do about THAT?  Stop using your work computer for anything that’s personal.  That’s the only way out.  I take my own laptop to work, plug in my Android phone to it and share my T-Mobile data connection with my laptop.  I do my web browsing from my laptop and the rest of my work from my work PC.
      3. If your PC has malware on it… You might not even know it.  But if you DO know it, for heaven’s sake!  STOP USING IT… like RIGHT NOW!  Reformat your drive, re-install your OS and your software.  That’s the only realistic way to get rid of it all, and stop downloading those stupid toolbars!  Seriously!  Also, don’t download software from sources you’re not 100% certain are widely accepted as trustworthy!

Maximize Your Encryption While Browsing

  • You can’t force websites that aren’t using encryption to start using it, so avoid websites that don’t offer https .
  • If you’re on a website that’s NOT https., then click in your browser’s address bar and TYPE that s right after the “p” in “https” and click “GO”. Many websites DO offer an encrypted version of their website, but you must manually enter it.
  • Better yet, install Https Everywhere.  It’s a browser plugin available for the most popular browsers.  It will do the above step for you by using the https version of any site you go to (if that site has one available).  This will NOT force all your web traffic to be encrypted, but it sure will avoid the non encrypted versions of sites you visit, if at all possible.  NOTE!  You can still get to unencrypted sites and your traffic won’t be encrypted on those sites.

Stop your ISP, Employer, Family, Neighbors, and Hackers from snooping on your web traffic

I mentioned the TOR browser above.  This is a modified version of the FireFox browser, specially made to route your web browsing traffic through its own sub-network… kind of an underground network of participating servers and PCs around the world.  Normally, when you go to say www.google.com, you’re making a direct connection from your PC to google.com.  With Tor, you’re going to a random server around the world on the Tor network, which then forwards you to another random server somewhere else around the world, to yet another one somewhere else around the world, which finally then sends your request to google.com, but from that 3rd machine.  In other words, as far as Google is concerned, a connection was made from that other machine to them, which might be in Russia, China, America, Germany, or anywhere else in the world.  You’ll frequently see ads in other languages because of this.

This protects you from your ISP, your employer (if you can get away with installing TOR on your work PC… but just assume that even if you can, that your employer can still see your traffic because they have complete control of your work PC), your nosy family members, nosy neighbors, nosy patrons at the coffee shop, or anyone else near by that may be snooping on your traffic.

The end result is it’s damned near impossible to tie YOU to whatever you’re doing on the destination website.  It also encrypts ALL your web traffic to and from any website… BUT ONLY ENCRYPTED UP TO THAT LAST PC!  If you’re visiting an unencrypted website, YOUR TRAFFIC WILL BE UNENCRYPTED from that last PC in the Tor network to the final website, and back again.  You MUST understand this.

This should be obvious, but my experience in IT is that nothing ever is, to everyone.  So!  I’ll state this clearly:  The TOR browser does NOT encrypt your web browsing if you’re using Chrome, or FireFox, or Opera, or Internet Explorer, or Edge.  It’s only going to work on web pages you visit WITH the Tor browser.

What About Android?

You have two good solutions on Android.  One’s good.  The others even better.  Both options are the Orbot app.  But the differences are if you’re Android device is rooted or not.  A rooted Android device gets significantly better security options.

First, go download the Orbot app here from the web, or here from the Play Store.

Orbot, if you’re device is rooted, can rout ALL your internet traffic through the Tor network.  You can also configure Tor to only send traffic from specific apps through the tor network.

When your traffic goes through the tor network, anyone locally snooping on your web traffic has no way of knowing what websites you’re communicating with.  Remember, if the site you’re communicating with is NOT an https site, there will be an unencrypted connection somewhere in the world to your final site.  Don’t trick yourself into thinking it’s fully encrypted all the way through.  It only is for sites that are https.  Tor will protect you from local snoopers.  It won’t protect you from snoopers hacking into the data to the final, unencrypted website.  Got it?  Good!

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Sick of the NSA Spying on you?

imageSetting aside the tin foil hat and paranoia jokes, no one likes being tracked or their private text messages being scraped up by the U.S. government’s massive computers, nor their phone metadata being logged, nor even the possibility of someone being able to listen in or record your phone calls (the NSA denies they listen to calls, but others with even FEWER ethics CAN).

 

Here’s what you can do to protect yourself on your Android SmartPhone

  • Encrypt your text messages.  There are 2 good options:

Install the TextSecure app.  This app will automatically detect which of your contacts also has this app installed and will automatically encrypt your SMS text messages with those individuals.  TextSecure is available on iOS too!  This means you can have encrypted texting sessions with both iOS and Android users!

Root your phone and install CyanogenMod 11 (or higher).  CM 11 has built-in support for TextSecure encryption, coded directly INTO the Operating System.  This means, you don’t have to install the TextSecure app.  Automatically, ALL SMS apps on your phone suddenly support TextSecure encryption.  But, you have to turn it on.  The feature is called “WhisperPush”.  Simply find the WhisperPush app on your phone, run it, and follow the instructions.  It’s the simplest setup you’ll ever experience.

  • Encrypt your voice phone calls (yes, you can do that)

This used to be stuff of only fiction in spy movies, but it’s a reality today and YOU can do it within minutes of reading this article.  First, install the app RedPhone from the Google Play Store.  This app is made by the same people that make TextSecure.  Both you and the person you’re calling (or receiving a call from) have to be using this in order to have a secure, encrypted phone call.  When you install the app, the first time you run it, it’ll ask you to register your phone number.  Now, anyone else with the app, when they call you’re number, the app knows you have it and will offer the caller the option to make the phone call encrypted.  Note that this uses your DATA connection and NOT your phone connection.  You’re not actually making an actual phone call.  It’s more of an internet audio chat.  But you don’t need to know that other than if you have a data cap, this will use your data.  As far as you and the other caller are concerned, for all practical purposes, it’s a phone call.  But your carrier will have no record of it AND anyone trying to listen in will only see a stream of random bytes streaming.  It’s totally encrypted… just like in the spy movies! Smile

  • Encrypt your E-Mail

This is a bit more difficult.  I’ll provide another article on how to do this.  The short version is you need to install djigzo from the Google Play store to manage your keys.  Then you’ll need an e-mail client that can use those keys to encrypt and decrypt your e-mail.  K-9 Mail is supposedly one of those apps.  For the record, I’ve NEVER gotten this to work.

  • Encrypt your phone

Android can encrypt your entire phone.  Don’t confuse yourself.  This does NOT encrypt ANY internet traffic to or from your phone.  It encrypts the files on the phone itself.

Go to Seetings –> Security –> Encrypt Phone

Warning!  This can take an hour or so!  Make sure your phone is plugged in AND has at least an 80% charge.  You do NOT want this failing in the middle of  it.  It will also require you to set a lock screen PIN or password, if you don’t already have one.  Once you do this, you CANNOT flash anymore ROMs on your phone (if you’re rooted).  So, make sure you’re good to go with the ROM you have.

  • Add a PIN or password to your phone

This one is obvious.  You need to set a PIN or a Password on your lock screen, otherwise, anyone can use your phone and see your data.

  • Add extra PIN for individual apps

Install the app AppLock from the Google Play store.  Open it up and set your settings.  You’ll set a PIN and you’ll select the apps you want to have an extra layer of protection.  Hint:  DO NOT use the SAME PIN here that you’re using for your phone lock screen.

This app will pop up a PIN prompt whenever someone tries to open one of your extra protected apps.  For example, you may want to enable your backing apps and credit card apps via AppLock so that you have to know that extra PIN in order to lauch them.  This way, if you let someone borrow your phone, they can’t go snooping into your financial data.

  • Hide apps and/or files on your phone

Maybe you have some apps that you don’t want other people to know or use.  Go to the Google Play store and download an app called Hide It Pro.  When you install it, it’ll show up on your phone as “Audio Manager”.  It’s deliberately deceptive.  The purpose of this app is to hide apps and/or files on your phone.  You protect them with a password of your choosing.  If someone’s snooping around on your phone, all they’ll see for this app is a music icon with a label, “Audio Manager”.  And if they launch it, it’ll even have working audio controls.  Those controls are totally for faking out people snooping on your phone.  Long press on the app title at the top of the screen (inside the app) and you’ll be prompted for a password, which then takes you into the real app where you can select apps and files to hide.  They won’t even show up anywhere on the phone with the regular phone interface.

  • Hide your browsing and internet traffic

Your ISP can see all the sites you go to, and so can the NSA, and so can anyone else snooping on your wireless connection (or even your wired connection).  And websites know what IP address you’re using, which means they can ask the ISP that own’s that IP address who is using it, and they’ll give them your name, address, and phone number.  What you need is something that bounces your web page requests to random computers all over the world.  Yes, this is exactly what you see “hackers” doing in hi-tech spy movies and YOU can do it too… VERY EASILY.  Install the app Orbot on your phone.  Follow the directions.   It’s super simple.  If your phone is rooted, it can obfuscate ALL of your internet traffic.  If your phone is NOT rooted, it can work with a few apps on your phone (web browser and e-mail, in particular) and bounce all your traffic from those supported apps all around the world.  It’ll slow down your connection a little, but it’ll also protect you against nosy, 3 letter acronyms including ISPs.

Click here to follow me on Google+.

Follow me on Twitter @CSharpner.

See these images?

imageimage

You’ll find an actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!