@dyhkwong I think that when you say I'm overreacting and making a big deal out of nothing, you're overlooking a few things: It's easy to say "delete the spyware" when it's just one or two apps. But the reason I wrote this article is that the Russian government has required all major private businesses to embed such modules into all their apps. This means users won't even be able to use basic services like taxis, maps with navigation, or access their money. For example, one of the most popular Russian banks is a digital-only bank with no physical branches. The same applies to citizens' interactions with the government. In fact, you cannot live a normal life in Russia without these apps. Just as you cannot use the internet properly without a "VPN". Unlike China, we have no local alternatives for most of the blocked services. In Russia, even according to official underreported statistics, over 50% of the population uses a "VPN". That means we're talking about more than 70 million people who could potentially be affected. Given the rapidly deteriorating situation in Russia, including the economic one, I don't think all these people will be able to buy a separate device. For many people, paying more than $5/mo for a VPS is already barely acceptable... The purpose of publishing my article was not to take a jab at any particular client, but to warn ordinary people and mobilize developers to find a solution. As you can see, it has yielded results. Although most users currently use Xray-based clients, it has been discovered that a Sing-Box with the correct configuration provides protection against this. Perhaps this will encourage more people and developers to take notice of Exclave. Please do not take this article as a personal attack. I realize that what is currently happening here goes beyond the scope of the usual risk factors.

PS - As for the iPhone, it's a strange device in Russia right now. Due to sanctions, Apple has removed many Russian apps, including banking apps. On the other hand, at the request of Russian authorities, Apple has removed all VPN clients from the Russian region of the App Store. There is also no way to pay in the App Store or within apps (Apple does not accept Russian bank cards). So many users have thrown their iPhones in the trash regardless of whether this vulnerability exists. As for Tor - it's used by a few geeks, and I think that unlike ordinary people, they can take care of themselves.

PPS - thanks for mentioning the socks5 + udp vulnerability
But still, I'd like to have a convenient window for rooted devices with a list of marked user applications that are allowed access to the ports via iptables (while others are blocked). And also mark apps for iptables redirection to a transparent proxy, like the app selection it has in TUN mode.
@runetfreedom Since the spyware is already in the local environment (so network jitter is significantly reduced and fail2ban is impossible) and most popular proxy software does not verify the authentication in a constant-time way, is it possible that a timing attack will become feasible?

Edit: My thought: Go map is a hashmap with a unique random seed per instance. For a
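For the constant-time point raised above, here is an added example (not Exclave's code, nor that of any other proxy project) showing how a SOCKS5 server can verify RFC 1929 username/password credentials without leaking, through response time, whether the username exists or how many password bytes matched; the credential store and request bytes are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

// EncodeRFC1929 builds a username/password subnegotiation request
// (RFC 1929): VER=0x01, ULEN, UNAME, PLEN, PASSWD. Used to construct input.
func EncodeRFC1929(user, pass string) []byte {
	msg := []byte{0x01, byte(len(user))}
	msg = append(msg, user...)
	msg = append(msg, byte(len(pass)))
	return append(msg, pass...)
}

// parseRFC1929 splits the request back into its fields. Rejecting malformed
// input early is fine: the layout is public, only the credentials are secret.
func parseRFC1929(msg []byte) (user, pass string, ok bool) {
	if len(msg) < 2 || msg[0] != 0x01 || len(msg) < 3+int(msg[1]) {
		return "", "", false
	}
	ulen := int(msg[1])
	if plen := int(msg[2+ulen]); len(msg) != 3+ulen+plen {
		return "", "", false
	}
	return string(msg[2 : 2+ulen]), string(msg[3+ulen:]), true
}

// ctEqual returns 1 when a == b. Hashing first gives both sides the same
// length, so ConstantTimeCompare cannot short-circuit on a length mismatch.
func ctEqual(a, b string) int {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:])
}

// Authenticate checks the request against every stored credential using
// constant-time comparisons and no early exit, so the time taken does not
// depend on which user (if any) matched or on how much of the password was
// right. A plain map lookup followed by == would leak both.
func Authenticate(msg []byte, store map[string]string) bool {
	user, pass, ok := parseRFC1929(msg)
	if !ok {
		return false
	}
	matched := 0
	for u, p := range store {
		matched |= ctEqual(u, user) & ctEqual(p, pass)
	}
	return matched == 1
}
```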
On the so-called "serious vulnerability" and runetfreedom:

The so-called "serious vulnerability" is nothing but runetfreedom making a fuss. Anyone with basic computer networking knowledge understands that a locally open SOCKS5 port can be accessed freely; this basic fact did not need runetfreedom's independent discovery to become known.

Installing spyware and normal software on the same device is extremely dangerous and unworkable. You should uninstall the spyware; if you insist on using spyware, you should at least physically isolate it by installing it on a separate device.

runetfreedom should be teaching users basic computer networking knowledge and security common sense, and how to physically isolate spyware (or better, seek free and open-source alternatives), rather than teaching users how to make spyware coexist with normal software and thereby putting them at risk of being attacked by the spyware, let alone demanding that developers join this endless cat-and-mouse game and implement all kinds of evasion measures.

To a large extent, software assumes that the user is trustworthy and the local environment is secure. The user is responsible for keeping the local environment secure; if the local environment is not secure, the barrier has already been broken and you can always be subject to all kinds of attacks.

It is perfectly natural for proxy software to open a local port; demanding that no port be opened is utterly absurd.

If runetfreedom believes he has discovered a remarkable security vulnerability, why not report it to Tor Browser and other software that opens local ports, and even obtain a vulnerability identifier?

There is no workaround for this on iOS. Is runetfreedom going to teach users to throw their iPhones in the trash rather than uninstall or physically isolate the spyware?

In China, a certain large app has long been probing the proxy's exit IP by exploiting the proxy software's split-routing feature, and another large app once embedded a 0-day exploit. You should not assume that software with spying features added to it has any limits.

On Exclave:

Exclave does not use tun2socks. Exclave operates as "TUN <-> proxy outbound", not as "TUN <-> SOCKS5 outbound <-> SOCKS5 inbound <-> proxy outbound" the way tun2socks does.

Why a SOCKS5 port is opened: first, it is perfectly natural for proxy software to open a local port for other software to use. Second, under the gVisor stack, Exclave excludes itself from the VPN (which avoids using protect) to prevent traffic loops, but actions such as Exclave downloading routing resources still need to go through the proxy, so SOCKS5 is used as the IPC mechanism. It would be possible to include itself in the VPN as the system stack does, use protect to prevent traffic loops, and drop this IPC mechanism, but that would require Exclave to remove Shadowsocks plugin support (Shadowsocks Android no longer uses protect and instead excludes itself from the VPN), which is not what Exclave wants.

For the unreasonable and absurd demand of some people who insist on installing spyware and normal software on the same device (and not to fix the so-called "serious vulnerability"), Exclave provides an option to disable the SOCKS5 inbound.

If the SOCKS5 inbound is disabled, a Unix domain socket is used as the IPC mechanism instead (since 0.17.35, a Unix domain socket is always used as the IPC mechanism). The cost is that the QUIC mode of the "NAT behavior discovery" tool and the "certificate prober" tool becomes unavailable (since 0.17.35, nothing becomes unavailable if the SOCKS5 inbound is disabled). Users who cannot take responsibility for the security of their device's local environment do not deserve a good experience. To stop spyware from binding to the VPN via Network.bindSocket, SO_BINDTODEVICE and the like, Exclave provides a "custom package name or UID" routing option, with which you can block UID -1. The cost is increased battery consumption and many false positives, and perhaps some false negatives.

These features still require port forwarding and/or the SOCKS5 port, so you need to watch them yourself: the Shadowsocks plugin, the NaiveProxy plugin, the ShadowQUIC plugin, and browser forwarding.

Exclave writes its runtime log to the system log buffer and saves crash logs, exported logs, downloaded routing resources and so on under /sdcard/Android/data; on older Android versions you need to take care of this yourself.

If UDP support is enabled, username/password authentication on the SOCKS5 inbound is essentially a useless placebo feature. Even with measures such as UDP ASSOCIATE port randomization and source port filtering, SOCKS5 authentication can still be bypassed by repeatedly enumerating ports. SOCKS5 username/password authentication can only cope with the poor-quality checks of poor-quality detectors; against spyware it is completely useless. Please do not enable username/password authentication and UDP support on the SOCKS5 inbound and then imagine that this will prevent spyware from probing the proxy's exit IP.

Spyware can still make network requests under another app's identity, for example by calling the system downloader, and even visiting a spy website through a browser may "leak" your proxy IP. Spyware still has many ways around these simple evasion measures.

Exclave provides no warranty, does not guarantee that the simple evasion measures above work, and has no wish to take part in this endless cat-and-mouse game.

Trying to hide the existence of a VPN or proxy from local software is not feasible; please do not submit such feature requests.