Mobile Location Anonymity: Proxying Twitter, IM, and Email through Tor on Android

Posted February 1, 2013 in crypto mobile tor

Each time your computer makes a connection to a server on the internet, you tell the remote server, as well as your ISP and every router in between, your IP address. If you’re using the internet on your phone you might be disclosing the IP of your 3G or 4G connection, or the IP of the wifi network you’re connected to.

If your phone checks for new emails or tweets every couple minutes, or keeps up a consistent connection to your instant messenger server, any of those services is almost definitely logging a history of your IP addresses.

This IP address data could be used to figure out your physical location over time. This is the information that New York City subpoenaed Twitter for, to get the private messages and IP addresses (read: location data) of Occupy protester Malcolm Harris.

If you use an Android phone, you don’t need to share your IP address with those service providers anymore.

Orbot: Tor for Android

To get started, open up Google Play and go find the app Orbot: Tor on Android (official website).

Orbot in Google Play

When you open Orbot for the first time you’ll see a series of pages. Choose your language and click next until you get to the Permissions page.

Orbot: requesting root

If you don’t have a rooted phone, that’s fine. You just won’t be able to proxy your email through Tor, but Twitter, and IM, and other apps that were designed to work with Orbot will work fine.

If you do have a rooted phone, go ahead and Request Superuser Access.

Orbot: receiving root

If you have given Orbot root access, the next page should be Transparent Proxying. This is one of the coolest features of Orbot. You get to choose which apps on your phone get all of their traffic proxied through Tor, even if those apps don’t support proxy servers.

Transparent proxying in Orbot

You can also choose to proxy all apps through Tor if you want, but keep in mind that everything on your phone will be really, really slow if you do this. Also, you might not want to. Some apps (most apps?) still communicate with their servers over HTTP rather than HTTPS, and when you’re using Tor the exit node can sniff your traffic. Proxying insecure apps over Tor might be a security issue. See Tor and HTTPS to understand exactly how Tor and HTTPS work together.

Go ahead and click “Select Individual Apps for Tor”. A list of all of the apps installed on your system should pop up, with check boxes next to them. You can proxy whatever you want through Tor, but I’m just doing my Email app.

Proxying specific apps

Next, Orbot will show you a list of apps that have been designed to work with Tor. This list includes Gibberbot and Twitter (more about them below), as well as other apps like DuckDuckGo and Firefox.

Click through until you get to the giant button with the pretty background, and start Tor.

Orbot main screen

If you want to change any Tor settings, including the list of apps that you transparently proxy, you can click the settings button on the right side of the top bar.

More About Proxying Email Through Tor

As far as I know, there aren’t any email apps for Android that natively support proxy servers. K-9 Mail, the major free software Android email client, will hopefully implement this soon. There’s a K-9 Google Summer of Code project idea for it, as well as an open bug in their bug tracker. But until that happens, you can only tunnel your email traffic through Tor if you’ve rooted your phone.

Proxying your email is sometimes especially important, depending on your mail server configuration. Some mail servers leak your IP address in the SMTP headers of outbound emails, which means, for example, if you write an email to a public mailing list from your phone, it’s not just your mail server, your ISP, and your government who might learn your IP address. It’s anyone who is subscribed to that mailing list, or is able to download mailing list archives with headers intact.

Tunnel Twitter Through Tor

Twitter has built-in support for proxy servers. Just open up the Twitter app, press the menu button on your phone.

Twitter Menu Button

Open Settings.

Twitter settings

Under advanced, click Proxy and set your proxy settings like this:

Twitter app proxy settings

While you’re in your Twitter settings, make sure “Location: Allow Twitter to use your location” in unchecked, or you’re somewhat defeating the purpose :).

I find that for Twitter, as well as email, proxying through Tor isn’t too slow at all since it’s only sort of real-time. The one exception I’ve noticed is if you’re using a crappy 3G connection and trying to tweet a photograph over Tor. Last time I tried this, it failed each time and I just gave up until I found wifi.

Tunnel Instant Messenger Through Tor, Plus Off-the-Record

Gibberbot is an Android jabber client that has been specifically designed to work with Orbot. And, more excitingly, it’s has Off-the-Record (OTR) end-to-end encryption built-in. This means that you if you’re chatting with other people who use OTR, the contents of your chats are encrypted so that even your chat server can’t see what you’re saying. Of course, you’ll need to verify identities before you can be sure you’re chat conversion is secure.

Other chat clients that support OTR are: Pidgin for Windows and Linux, Adium for Mac OS X, and ChatSecure for iOS.

Gibberbot is an jabber client, which means that it will work with Google Talk or other jabber services that you can create free accounts on, such as jabber.org or jabber.ccc.de. Start by downloading Gibberbot from Google Play.

Gibberbot in Google Play

The first time you open it it will ask your language and then there will be several screens of information. If you’ve never used OTR before, it’s definitely worth a read.

It’s really easy to use Gibberbot over Tor. When you’re adding a new chat account, there’s a “Connect via Tor (Requires Orbot app)” checkbox. Just check that box, and then enter your jabber credentials (such as your Google account username and password), and your connections to your chat server will be proxied through Tor.

Gibberbot login screen

If you do use Google Talk, you might run into trouble with Google rejecting your connection. Google does all sorts of security stuff to prevent your account from getting hacked. If you’ve never logged in to your account from a Tor exit node, it might automatically block the connection until you login to your Google account on a computer and take steps to specifically allow it. This shouldn’t be a problem with other jabber services. If you use another jabber service, such as jabber.org, you will still be able to chat with people who use Google Talk.

Browse the Web Through Tor

In case you want to manually browse the web through to Tor to protect your identity rather than just your location, that’s easy too. Download the Orweb app from Google Play.

Orweb in Google Play

If Orbot is running in the background and you have an active connection to the Tor network, all you have to do to browse the web anonymously from your phone is use Orweb.

Orweb in use