
celzero / rethink-app


DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.

Home Page: https://rethinkfirewall.com/

License: Apache License 2.0

Kotlin 99.71% Java 0.29%
android-app firewall android-firewall dns-over-https internet-freedom anti-surveillance anti-censorship censorship-circumvention censorship-resistance android-application

rethink-app's People

Contributors

70h, 8itlew7r, atalanttore, ch4t4r, cocklemon, comradekingu, fnogcps, gfhk-sdgm, hrbdev, hussainmohd-a, ignoramous, laralem, magicalalchemist, manuel-senpai, mistercosta96, mygod, oersen, pjammo, poneyclairdelune, rix-x, rodoma92, t1011, thejenja, thepsychobuck, uldiniad, weblate, xiaomifighter, ysard, yurtpage, zivsimchoni


rethink-app's Issues

Android 6+ Support

Currently, due to ill-explored (androidx?) limitations, the app builds for up to Android 8.

We could go as low as Android 4, but it is decent to aim for Android 6+. And that's what we should do. Probably a week's worth of effort?

User feedback: Auto-start behaviour and VPN state

On a restart, BraveDNS starts up to resume VPN services, but it so happens that on occasion another app takes the VPN over and BraveDNS continues to show "protected/waiting" ("running"), when in fact it wasn't.

Also, add ability for end-users to choose whether BraveDNS must auto-start on reboots.

ANR in ScreenLockService

anr_2020-08-14-00-46-01-940.txt

08-14 00:46:01.835  1202  1411 W ActivityManager: Timeout executing service: ServiceRecord{f4bea7d u0 com.celzero.bravedns/.receiver.ScreenLockService}

From ANR report:

  1. The ANR happens when ScreenLockService tries GoVpnAdapter#close but couldn't get the lock (the method is synchronized on the instance object):
"main" prio=5 tid=1 Blocked
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x72f59a78 self=0x700b406c00
  | sysTid=17118 nice=0 cgrp=default sched=0/0 handle=0x700c974ed0
  | state=S schedstat=( 22272983905 2779119802 17008 ) utm=2004 stm=223 core=6 HZ=100
  | stack=0x7ffd049000-0x7ffd04b000 stackSize=8192KB
  | held mutexes=
  at com.celzero.bravedns.net.go.GoVpnAdapter.close(GoVpnAdapter.java:-1)
  - waiting to lock <0x056e5b6f> (a com.celzero.bravedns.net.go.GoVpnAdapter) held by thread 46
  at com.celzero.bravedns.service.BraveVPNService.restartVpn(BraveVPNService.kt:511)
  - locked <0x06b2f07c> (a com.celzero.bravedns.service.VpnController)
  at com.celzero.bravedns.service.BraveVPNService.blockTraffic(BraveVPNService.kt:90)
  at com.celzero.bravedns.receiver.ScreenLockService.checkLock(ScreenLockService.kt:69)
  at com.celzero.bravedns.receiver.ScreenLockService.onStartCommand(ScreenLockService.kt:32)
  at android.app.ActivityThread.handleServiceArgs(ActivityThread.java:4204)
  at android.app.ActivityThread.access$2100(ActivityThread.java:231)
  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1984)
  at android.os.Handler.dispatchMessage(Handler.java:107)
  at android.os.Looper.loop(Looper.java:214)
  at android.app.ActivityThread.main(ActivityThread.java:7682)
  at java.lang.reflect.Method.invoke(Native method)
  at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:516)
  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:950)
  2. But the lock is held by tid 46, stuck at GoVpnAdapter#updateDohUrl -> Tun2Socks#newDoHTransport, run in response to the NETWORK_CONNECTED broadcast:
"startVpn-onNetworkConnected" prio=5 tid=46 Native
  | group="main" sCount=1 dsCount=0 flags=1 obj=0x12f4f118 self=0x700b58a000
  | sysTid=19256 nice=0 cgrp=default sched=0/0 handle=0x6f26af9d50
  | state=S schedstat=( 748333 2309063 5 ) utm=0 stm=0 core=6 HZ=100
  | stack=0x6f269f7000-0x6f269f9000 stackSize=1039KB
  | held mutexes=
  kernel: (couldn't read /proc/self/task/19256/stack)
  native: #00 pc 00000000002ae47c  /data/app/com.celzero.bravedns-u5kHoa7fG6gUWrYWidCctA==/base.apk (offset 1f3000) (???)
  at tun2socks.Tun2socks.newDoHTransport(Native method)
  at com.celzero.bravedns.net.go.GoVpnAdapter.makeDohTransport(GoVpnAdapter.java:220)
  at com.celzero.bravedns.net.go.GoVpnAdapter.updateDohUrl(GoVpnAdapter.java:255)
  - locked <0x056e5b6f> (a com.celzero.bravedns.net.go.GoVpnAdapter)
  at com.celzero.bravedns.service.BraveVPNService.updateServerConnection(BraveVPNService.kt:364)
  at com.celzero.bravedns.service.BraveVPNService.access$updateServerConnection(BraveVPNService.kt:55)
  at com.celzero.bravedns.service.BraveVPNService$onNetworkConnected$1.run(BraveVPNService.kt:541)
  at java.lang.Thread.run(Thread.java:919)

One probable solution (a workaround, really) is to use an android.os.Handler to deal with communication happening from a service thread aloof from BraveVPNService, like in androidxref.com/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java.
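The shape of the deadlock in the two thread dumps, and the effect of posting adapter work to a dedicated thread instead of calling into it under a lock, as an added example in plain Kotlin (not the app's code): SlowAdapter stands in for GoVpnAdapter, a Thread.sleep stands in for the native newDoHTransport call that holds the lock, and a single-thread executor plays the role a HandlerThread/Handler would play on Android. All class and function names here are assumptions.

```kotlin
import java.util.concurrent.Executors
import java.util.concurrent.Future
import java.util.concurrent.TimeUnit

// Stand-in for GoVpnAdapter: both methods are synchronized on the instance, so a
// caller of close() waits for as long as updateDohUrl() sits in the "native" call.
class SlowAdapter {
    @Volatile var closed = false

    @Synchronized
    fun updateDohUrl(url: String) {
        Thread.sleep(300) // simulates Tun2socks.newDoHTransport blocking in native code
    }

    @Synchronized
    fun close() {
        closed = true
    }
}

// Every adapter operation is posted to one worker thread, so the caller (the main
// thread in the ANR) never waits on the adapter's monitor.
class VpnWorker(private val adapter: SlowAdapter) {
    private val worker = Executors.newSingleThreadExecutor { r -> Thread(r, "vpn-worker") }

    fun updateDohUrl(url: String): Future<*> = worker.submit(Runnable { adapter.updateDohUrl(url) })
    fun close(): Future<*> = worker.submit(Runnable { adapter.close() })

    fun shutdown() {
        worker.shutdown()
        worker.awaitTermination(5, TimeUnit.SECONDS)
    }
}

// Reproduces the ANR: a network thread holds the adapter lock inside the slow call
// while the "main" thread calls close() directly and blocks.
fun blockedMillis(adapter: SlowAdapter): Long {
    val net = Thread({ adapter.updateDohUrl("https://doh.example.invalid/dns-query") }, "startVpn-onNetworkConnected")
    net.start()
    Thread.sleep(50) // let the network thread take the lock first
    val start = System.nanoTime()
    adapter.close()  // blocks until updateDohUrl releases the lock
    net.join()
    return (System.nanoTime() - start) / 1_000_000
}

// Same sequence, but close() is queued behind the update and returns immediately.
fun postedMillis(adapter: SlowAdapter): Long {
    val worker = VpnWorker(adapter)
    worker.updateDohUrl("https://doh.example.invalid/dns-query")
    val start = System.nanoTime()
    val done = worker.close()
    val elapsed = (System.nanoTime() - start) / 1_000_000
    done.get(5, TimeUnit.SECONDS) // wait here only to confirm the close really ran
    worker.shutdown()
    return elapsed
}

fun main() {
    val direct = SlowAdapter()
    println("direct close() blocked the caller for ${blockedMillis(direct)} ms, closed=${direct.closed}")
    val posted = SlowAdapter()
    println("posted close() blocked the caller for ${postedMillis(posted)} ms, closed=${posted.closed}")
}
```

Run with kotlinc: the direct variant reports roughly 250 ms of blocking, the posted variant close to 0 ms, while both end with closed=true. On Android the same idea is a HandlerThread owned by the VPN service, with a watchdog on that thread's queue so a stuck native call is detected rather than silently freezing the "block all on screen lock" rule.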

Implement "block domain" action in the DNS logs view

This is a very pi-hole-esque feature request. May or may not be in line with PlayStore's terms of use.

Basically, add a block / unblock action next to every DNS log entry; and build a local blocklist that way. This feature might be confusing, since a user can't really "unblock" a domain blocked by AdGuard DNS, for example.

  1. #279
  2. #208

Round-robin DNS

Round-robin DNS requests to a list of servers (grouped by categories: Family, Security, No filter etc) instead of just one.

Refactor the Firewall Screen

Refactor the current Firewall screen to get rid of the two different app lists and possibly merge them into one single list. This has been a source of a lot of pain in terms of handling category-wise allow/disallow. Merging the lists would simplify the confusing UI and, as a bonus, simplify the existing business logic.

Firewall and Shared UIDs

BraveVPNService#isUidBlocked needs to account for the fact that there can be multiple packages (apps) with the same uid. See: PackageManager#getPackagesForUid.

A consistent behaviour would be:

  1. Show all apps with shared-uid together on the firewall screen. If they are across different categories then show the group once each across those categories.
  2. When blocking any one app with shared-uid, block all, and make that much clear to the user.
  3. In ConnTrack #3 make sure to bunch these apps together in the report.
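The three rules above, as an added example in plain Kotlin (not the app's code): the package-to-uid table is constructed inline to stand in for PackageManager#getPackagesForUid, and the class and function names are assumptions.

```kotlin
// Constructed package table: three packages share uid 10101 across two categories.
data class AppPackage(val name: String, val uid: Int, val category: String)

val installed = listOf(
    AppPackage("com.example.mail", 10101, "Productivity"),
    AppPackage("com.example.calendar", 10101, "Productivity"),
    AppPackage("com.example.maps", 10101, "Travel"),
    AppPackage("com.example.game", 10102, "Games")
)

class SharedUidFirewall(private val packages: List<AppPackage>) {
    private val byUid = packages.groupBy { it.uid }
    private val blockedUids = mutableSetOf<Int>()

    private fun uidOf(packageName: String): Int =
        packages.firstOrNull { it.name == packageName }?.uid
            ?: throw IllegalArgumentException("unknown package $packageName")

    fun packagesForUid(uid: Int): List<String> = byUid[uid].orEmpty().map { it.name }

    // Rule 2: blocking one package blocks the uid, hence every package sharing it.
    // The full group is returned so the UI can tell the user what else got blocked.
    fun block(packageName: String): List<String> {
        val uid = uidOf(packageName)
        blockedUids += uid
        return packagesForUid(uid)
    }

    fun unblock(packageName: String): List<String> {
        val uid = uidOf(packageName)
        blockedUids -= uid
        return packagesForUid(uid)
    }

    // What the per-connection check (isUidBlocked) consults: the uid, never a package name.
    fun isUidBlocked(uid: Int): Boolean = uid in blockedUids

    // Rule 1: each shared-uid group appears once, in full, in every category it spans.
    fun groupsByCategory(): Map<String, List<List<String>>> =
        packages.groupBy { it.category }.mapValues { (_, apps) ->
            apps.map { it.uid }.distinct().map { uid -> packagesForUid(uid) }
        }
}

fun main() {
    val fw = SharedUidFirewall(installed)
    println(fw.groupsByCategory())
    // {Productivity=[[mail, calendar, maps]], Travel=[[mail, calendar, maps]], Games=[[game]]}
    println("blocked together with com.example.mail: ${fw.block("com.example.mail")}")
    println("uid 10101 blocked: ${fw.isUidBlocked(10101)}, uid 10102 blocked: ${fw.isUidBlocked(10102)}")
}
```

The point for the firewall is the last function: a connection is attributed to a uid, so any rule keyed on a single package name leaves the other packages in the same uid unfiltered, and the UI has to make the shared fate explicit.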

Advance VPN Settings

A VPN settings screen to:

  1. Exclude apps from the VPN tunnel.
  2. Exclude certain IP ranges (like LAN IPs, for example, #26).
  3. Allow / disallow VPN bypass. See also: #33
  4. Enable / disable Auto-start on reboot. See also: #41
  5. Enable / disable supervisor / watchdog. See also: #20
  6. Low battery modes. See also: #48

Block other DNS over HTTPS providers?

Apps may bypass DNS blocks by using a DNS over HTTPS (DoH) provider of their own choosing. Block those ONLY on user-prompt. A UI can be reactive: show an alert on the home-screen that use of a foreign DNS provider has been detected and that the user can choose to stop that from happening in the future.

Apps relying on plain old DNS are already trapped since the VPN blanket relays all traffic on port 53 (unlike Intra) to DoH servers. There's a small matter of #33 (VPN bypass) too.

Incomplete list: github/curl/wiki/DNS-over-HTTPS.

OkHttp3: okhttp3/dnsoverhttps/DohProviders.java.

Also see: #25

ConnTrack

Track and log an app's incoming and outgoing connections, show consolidated reports to the user.

ConnTrack for DNS UDP would be a heuristic:

  1. Track DNS queries and answers.
  2. See if any app within the next 400ms or so makes a connection to an IP answered by DNS.
  3. If so, it is likely (not certainly) that app sent the DNS request in the first place.

Need a new alerts screen? This is likely going to involve adding a new screen and so, see also: Refactor the current Firewall screen to get rid of the two different app lists and possibly merge them into one single list.
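The three-step heuristic above, as an added example in plain Kotlin (not the app's code): the event trace is constructed, the 400 ms window is the one named in the issue, and the class and function names are assumptions. A DNS query relayed through the tunnel on UDP/53 carries no uid, which is why the query is attributed from whichever app connects to an answered address shortly afterwards.

```kotlin
sealed class Event { abstract val atMillis: Long }
data class DnsAnswer(override val atMillis: Long, val domain: String, val ips: Set<String>) : Event()
data class Connection(override val atMillis: Long, val uid: Int, val dstIp: String) : Event()

enum class Confidence { LIKELY, AMBIGUOUS }
data class Attribution(val domain: String, val uid: Int, val dstIp: String, val confidence: Confidence)

const val WINDOW_MS = 400L

fun attribute(events: List<Event>, windowMs: Long = WINDOW_MS): List<Attribution> {
    val pending = ArrayDeque<DnsAnswer>()   // answers still inside the window, oldest first
    val result = mutableListOf<Attribution>()
    for (event in events.sortedBy { it.atMillis }) {
        // Step 2 precondition: expire answers older than the window before looking at this event.
        while (pending.isNotEmpty() && event.atMillis - pending.first().atMillis > windowMs) {
            pending.removeFirst()
        }
        when (event) {
            is DnsAnswer -> pending.addLast(event)          // step 1: remember the answer
            is Connection -> {
                val candidates = pending.filter { event.dstIp in it.ips }
                val match = candidates.lastOrNull()         // most recent answer containing the ip
                if (match != null) {
                    // Step 3: likely, not certain. Two unexpired answers for the same ip
                    // (shared hosting, a CDN) make the guess weaker, so say so.
                    val confidence = if (candidates.size == 1) Confidence.LIKELY else Confidence.AMBIGUOUS
                    result += Attribution(match.domain, event.uid, event.dstIp, confidence)
                    pending.remove(match)                   // one query is attributed at most once
                }
            }
        }
    }
    return result
}

// Constructed trace (times in ms): uid 10101 connects 120 ms after its answer; uid 10102
// connects 1300 ms after the answer for its address; uid 10103 never resolved anything.
val sample = listOf(
    DnsAnswer(1000, "api.example.test", setOf("203.0.113.10", "203.0.113.11")),
    Connection(1120, 10101, "203.0.113.11"),
    DnsAnswer(2000, "cdn.example.test", setOf("198.51.100.7")),
    Connection(3300, 10102, "198.51.100.7"),
    Connection(3310, 10103, "192.0.2.1")
)

fun main() {
    // Prints only: Attribution(domain=api.example.test, uid=10101, dstIp=203.0.113.11, confidence=LIKELY)
    attribute(sample).forEach { println(it) }
}
```

Connections to addresses that were never answered inside the window (a hard-coded IP, or an address resolved by an app's own DoH) come out with no attribution at all, which is itself a useful signal for the "foreign DNS provider" alert discussed above.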

Crash on screen on / screen off

Crash log:

08-09 04:23:35.661 11049 13207 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0xf2ff004000000001 in tid 13207 (Thread-18), pid 11049 (elzero.bravedns)
08-09 04:23:35.984 14998 14998 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-09 04:23:35.984 14998 14998 F DEBUG   : Revision: '0'
08-09 04:23:35.984 14998 14998 F DEBUG   : ABI: 'arm64'
08-09 04:23:35.985 14998 14998 F DEBUG   : Timestamp: 2020-08-09 04:23:35+0530
08-09 04:23:35.985 14998 14998 F DEBUG   : pid: 11049, tid: 13207, name: Thread-18  >>> com.celzero.bravedns <<<
08-09 04:23:35.985 14998 14998 F DEBUG   : uid: 10416
08-09 04:23:35.985 14998 14998 F DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0xf2ff004000000001
08-09 04:23:35.985 14998 14998 F DEBUG   :     x0  0000007d913d5b08  x1  0000007d998ee7e0  x2  0000007e8ddd0600  x3  0000007d918f9a2c
08-09 04:23:35.985 14998 14998 F DEBUG   :     x4  000000000000076c  x5  0000007d918f9a44  x6  000000000000076c  x7  f2ff004000000001
08-09 04:23:35.985 14998 14998 F DEBUG   :     x8  00000000076c0000  x9  00000000076c0000  x10 0000000000000066  x11 000000000000007a
08-09 04:23:35.985 14998 14998 F DEBUG   :     x12 0000000000000001  x13 0000007d90e09c40  x14 0000000000000000  x15 0000007d91487475
08-09 04:23:35.985 14998 14998 F DEBUG   :     x16 0000007e8af068f0  x17 0000007e8aef8070  x18 0000007d54be6000  x19 0000007e8ddd0600
08-09 04:23:35.985 14998 14998 F DEBUG   :     x20 0000000000000014  x21 0000007d918f9630  x22 0000000000000000  x23 0000007d918f9a08
08-09 04:23:35.985 14998 14998 F DEBUG   :     x24 0000004000436c00  x25 0000007d918f9630  x26 0000007d9158b250  x27 0000000000000010
08-09 04:23:35.985 14998 14998 F DEBUG   :     x28 0000004000082f00  x29 0000007d90e09c00
08-09 04:23:35.985 14998 14998 F DEBUG   :     sp  0000007d90e09bc0  lr  0000007d913e50ac  pc  f2ff004000000001
08-09 04:23:35.986 14998 14998 F DEBUG   :
08-09 04:23:35.986 14998 14998 F DEBUG   : backtrace:
08-09 04:23:35.986 14998 14998 F DEBUG   :       #00 pc f2ff004000000001  <unknown>
08-09 04:23:35.987 14998 14998 F DEBUG   :       #01 pc 00000000005d70a8  /data/app/com.celzero.bravedns-spvz9uRBb9GpyyDC9xqYkA==/base.apk (offset 0x214000) (ip4_input+476)
08-09 04:24:56.036 15136 15136 E AndroidRuntime: FATAL EXCEPTION: main
08-09 04:24:56.036 15136 15136 E AndroidRuntime: Process: com.celzero.bravedns, PID: 15136
08-09 04:24:56.036 15136 15136 E AndroidRuntime: java.lang.RuntimeException: Error receiving broadcast Intent { act=android.intent.action.SCREEN_OFF flg=0x58200010 } in com.celzero.bravedns.service.BraveScreenStateReceiver@a18c932
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.app.LoadedApk$ReceiverDispatcher$Args.lambda$getRunnable$0$LoadedApk$ReceiverDispatcher$Args(LoadedApk.java:1575)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.app.-$$Lambda$LoadedApk$ReceiverDispatcher$Args.run(Unknown Source:2)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.os.Handler.handleCallback(Handler.java:883)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:100)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:214)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:7682)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:516)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:950)
08-09 04:24:56.036 15136 15136 E AndroidRuntime: Caused by: m.a
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at com.celzero.bravedns.service.BraveScreenStateReceiver.onReceive(:14)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    at android.app.LoadedApk$ReceiverDispatcher$Args.lambda$getRunnable$0$LoadedApk$ReceiverDispatcher$Args(LoadedApk.java:1560)
08-09 04:24:56.036 15136 15136 E AndroidRuntime:    ... 8 more
--------- beginning of system

And this log may be relevant which precedes the crash log:

08-09 21:19:44.968  1310  1878 D ConnectivityService: Removing iface tun0 from network 118
08-09 21:19:44.968   730  1281 D NetlinkEvent: Unknown ifindex 109 in RTM_DELADDR
08-09 21:19:44.991  1310  1878 E ConnectivityService: Exception in removeRoute: java.lang.IllegalStateException: android.os.ServiceSpecificException: No such device (code 19)
08-09 21:19:44.992  1310  1878 I chatty  : uid=1000(system) ConnectivitySer identical 1 line
08-09 21:19:44.993  1310  1878 E ConnectivityService: Exception in removeRoute: java.lang.IllegalStateException: android.os.ServiceSpecificException: No such device (code 19)
08-09 21:19:44.993  1310  1878 I Nat464Xlat: Android Xlat enabled is doXlat = true
08-09 21:19:45.082  1310  1878 D ConnectivityService: Adding iface tun0 to network 118
08-09 21:19:45.170  1310  1878 D ConnectivityService: Removing iface tun1 from network 118
08-09 21:19:45.170   730  1281 D NetlinkEvent: Unknown ifindex 110 in RTM_DELADDR
08-09 21:19:45.196  1310  1878 E ConnectivityService: Exception in removeRoute: java.lang.IllegalStateException: android.os.ServiceSpecificException: No such device (code 19)
08-09 21:19:45.196  1310  1878 I chatty  : uid=1000(system) ConnectivitySer identical 1 line
08-09 21:19:45.197  1310  1878 E ConnectivityService: Exception in removeRoute: java.lang.IllegalStateException: android.os.ServiceSpecificException: No such device (code 19)
08-09 21:19:45.197  1310  1878 I Nat464Xlat: Android Xlat enabled is doXlat = true
08-09 21:19:45.598  1310  3078 E OPBF    : mImportantUids change mLastImportantUids =[10416, 10086, 10169, 10107, 10109] mImportantUids = [10416, 10086, 10107, 10109]
08-09 21:19:45.628  1310  3078 E OPBF    : mImportantUids change mLastImportantUids =[10416, 10086, 10107, 10109] mImportantUids = [10416, 10107, 10109]
08-09 21:19:45.754  1310  3078 E OPBF    : mImportantUids change mLastImportantUids =[10416, 10107, 10109] mImportantUids = [10416, 10109]
08-09 21:19:45.766  1310  1878 D ConnectivityService: Blocked status changed to true for 10107(168) on netId 118
08-09 21:19:45.766  1310  1878 D ConnectivityService: Blocked status changed to true for 10107(169) on netId 118
08-09 21:19:45.766  1310  1878 D ConnectivityService: Blocked status changed to true for 10107(170) on netId 118
08-09 21:19:45.767  1310  1878 D ConnectivityService: Blocked status changed to true for 10107(171) on netId 118
08-09 21:19:47.474  1310  1415 D ExtBatteryStatsService: @@@@ awaitUninterruptibly in 80 ms
08-09 21:19:47.476  1310  1415 D ExtBatteryStatsService: ext-flush too soon, skip
08-09 21:19:48.650 29985 30518 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0xedca004000000001 in tid 30518 (Thread-23), pid 29985 (elzero.bravedns)

Feedback on Connect/Disconnect button on the homescreen

The connect / disconnect on the home-screen is confusing given the not-so-aptly worded toast message shown ("Firewall mode is not enabled" / "DNS mode is not enabled") when in "disconnected" state to the user when they click on "Configure firewall" or "View logs".

Find a way to be consistent about it.

Also, some find "Disconnect / Connect" misleading since there's no real "connection" to anything anywhere, at least in the traditional VPN sense.

User feedback: Proxy mode

The app should be able to:

  1. Listen on localhost:port.
  2. Forward packets outgoing to host:port.
  3. Forward packets to remote or local SOCKS5 or HTTPS proxies. This would enable BraveDNS to forward connections to some VPNs (that support SOCKS5) and Orbot.

Also see: #37 #44

Ref: Proxy mode in InviZible.

Firewall and System Apps

We left out system apps because they end up causing more confusion (there are too many and some even critical), but that has meant leaving out other pre-installed apps too.

Users want to firewall those pre-installed System Apps predominantly because they can't be uninstalled (in some cases, can't even be disabled). Probably show as a separate category? Or, show only when a specific UI is toggled to view System Apps (like in NetGuard)?

LwIP consistently hits SIGSEGVs

At least two crashes in the space of 12 hours, both in the LwIP stack of gotun2socks, presumably because some tcp state has gone whack.

I am starting to think that we do not terminate the connection like we normally should (Android's implementation indicates it relies on a PROHIBIT response from the Kernel to terminate connections). A gentle tcpConn.Close might not be enough and a tcpConn.Abort might be in order.

The implementation differences in go-tun2socks between tcpConn.Close and tcpConn.Abort do reveal stark differences, the primary one being that conn.state isn't updated in the former case whilst it is set to tcpAborting in the latter.

Furthermore, tcpConn.Abort is what go-tun2socks uses to get rid of a connection when there's any err reported by the registeredTCPHandler.

Crashes (both happened after firewall was relaxed after a screen-on event):

No. 1

08-16 08:10:03.576 23934 23934 E chromium: [0816/081003.575374:ERROR:elf_dynamic_array_reader.h(61)] tag not found
08-16 08:10:03.584 15668 16890 E GoLog   : [0816/081003.575374:ERROR:elf_dynamic_array_reader.h(61)] tag not found
08-16 08:10:03.594 15668 16867 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x31f000001b9 in tid 16867 (Thread-24), pid 15668 (elzero.bravedns)
08-16 08:10:03.736  2152  2152 E ndroid.systemu: Invalid ID 0x00000000.
08-16 08:10:03.797 23937 23937 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstone
08-16 08:10:03.800  1259  1259 I /system/bin/tombstoned: received crash request for pid 16867
08-16 08:10:03.802 23937 23937 I crash_dump64: performing dump of process 15668 (target tid = 16867)
08-16 08:10:03.809 23937 23937 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-16 08:10:03.809 23937 23937 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-16 08:10:03.809 23937 23937 F DEBUG   : Revision: '0'
08-16 08:10:03.809 23937 23937 F DEBUG   : ABI: 'arm64'
08-16 08:10:03.809 23937 23937 F DEBUG   : Timestamp: 2020-08-16 08:10:03+0530
08-16 08:10:03.809 23937 23937 F DEBUG   : pid: 15668, tid: 16867, name: Thread-24  >>> com.celzero.bravedns <<<
08-16 08:10:03.809 23937 23937 F DEBUG   : uid: 10421
08-16 08:10:03.809 23937 23937 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x31f000001b9
08-16 08:10:03.809 23937 23937 F DEBUG   :     x0  0000006f1a6ea600  x1  0000000000000000  x2  00000040004bfea0  x3  0000000000000003
08-16 08:10:03.809 23937 23937 F DEBUG   :     x4  0000000000000160  x5  0000004000297e90  x6  000000700c853000  x7  0000000000f421c2
08-16 08:10:03.809 23937 23937 F DEBUG   :     x8  0000006f1a7aac14  x9  000000000000000c  x10 0000000000000002  x11 0000000000000030
08-16 08:10:03.809 23937 23937 F DEBUG   :     x12 0000000000a56b80  x13 00000003e8000000  x14 00044460ac096168  x15 0000a507849446f3
08-16 08:10:03.809 23937 23937 F DEBUG   :     x16 000000700870f8f0  x17 0000007008701070  x18 0000006ec0bea000  x19 0000006f1a6ea600
08-16 08:10:03.809 23937 23937 F DEBUG   :     x20 0000031f000001a4  x21 0000006f27239aa0  x22 0000006f27239ab0  x23 0000006f1a7aaa00
08-16 08:10:03.809 23937 23937 F DEBUG   :     x24 0000006f27239aa0  x25 0000006f26d1d394  x26 0000000000000000  x27 0000000000000010
08-16 08:10:03.809 23937 23937 F DEBUG   :     x28 0000004000182900  x29 0000006ec2837b90
08-16 08:10:03.809 23937 23937 F DEBUG   :     sp  0000006ec2837b70  lr  0000006f26d16418  pc  0000006f26d197b4
08-16 08:10:03.809 23937 23937 F DEBUG   :
08-16 08:10:03.809 23937 23937 F DEBUG   : backtrace:
08-16 08:10:03.809 23937 23937 F DEBUG   :       #00 pc 00000000005d47b4  /data/app/com.celzero.bravedns-S0OlU-rPT9myMvnoLKv6fQ==/base.apk (offset 0xb000) (tcp_process_refused_data+32)

No. 2

08-16 02:55:23.658 19089 19580 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6d80003e7e0000 in tid 19580 (Thread-24), pid 19089 (elzero.bravedns)
08-16 02:55:24.004  4726  4726 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-16 02:55:24.004  4726  4726 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-16 02:55:24.004  4726  4726 F DEBUG   : Revision: '0'
08-16 02:55:24.004  4726  4726 F DEBUG   : ABI: 'arm64'
08-16 02:55:24.004  4726  4726 F DEBUG   : Timestamp: 2020-08-16 02:55:24+0530
08-16 02:55:24.005  4726  4726 F DEBUG   : pid: 19089, tid: 19580, name: Thread-24  >>> com.celzero.bravedns <<<
08-16 02:55:24.005  4726  4726 F DEBUG   : uid: 10419
08-16 02:55:24.005  4726  4726 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6d80003e7e0000
08-16 02:55:24.005  4726  4726 F DEBUG   :     x0  0000004000410000  x1  0000006f080e9e30  x2  000000400040fab0  x3  0000004000183980
08-16 02:55:24.005  4726  4726 F DEBUG   :     x4  0000000000000550  x5  0000004000293a10  x6  0000000000000001  x7  3e6d80003e7e0000
08-16 02:55:24.005  4726  4726 F DEBUG   :     x8  3e6d80003e7e0000  x9  000000400040fb38  x10 0000000000000001  x11 0000000000000000
08-16 02:55:24.005  4726  4726 F DEBUG   :     x12 0000000000000001  x13 0000006f753b49f0  x14 0000000000000000  x15 0000006f08185352
08-16 02:55:24.005  4726  4726 F DEBUG   :     x16 0000000000000028  x17 00000070087018b8  x18 0000006f068e6000  x19 000000400040fb38
08-16 02:55:24.005  4726  4726 F DEBUG   :     x20 0000004000410000  x21 000000400040fe68  x22 3e6d80003e7e0000  x23 0000000000000000
08-16 02:55:24.005  4726  4726 F DEBUG   :     x24 ffffffffff01ef34  x25 ffffffffdd15b299  x26 0000006f753b4a78  x27 0000000000000010
08-16 02:55:24.005  4726  4726 F DEBUG   :     x28 0000004000183980  x29 0000006f753b49e0
08-16 02:55:24.005  4726  4726 F DEBUG   :     sp  0000006f753b49c0  lr  0000006f080e9e48  pc  0000006f080e9e50
08-16 02:55:24.005  4726  4726 F DEBUG   :
08-16 02:55:24.005  4726  4726 F DEBUG   : backtrace:
08-16 02:55:24.005  4726  4726 F DEBUG   :       #00 pc 00000000005e3e50  /data/app/com.celzero.bravedns-5afKeEOsjeGWhPeagQnD6Q==/base.apk (offset 0x218000) (_cgo_00fc4845cc21_Cfunc_get_conn_key_val+32)

See #19 #26

User feedback: Custom blocklists on-device

This goes against Google Play Store policies so might need two versions if we implement this.

Blokada does this quite successfully: a lite version for the play store and a full version on f-droid.

This likely involves syncing lists from remote, making sure memory usage is kept under control (some lists have a million or more entries), showing related statistics (which lists blocked an endpoint, which lists are more effective), and offering counter actions (whitelists).

A lot of work.

Vpn allowBypass conundrum

For a VPN masking as a firewall, it is suicidal to let apps bypass it: BraveVPNService.kt#L178.

  • Maybe provide an "Advanced Setting" to let users not allow bypass?
  • Maybe never allow bypass when the device is locked and the universal firewall rule is set?
  • Maybe never allow bypass at all, at the risk of breaking web-rtc apps?

Bypass Private DNS

Private DNS (supported on Android 9+), when set, causes the system to ignore the VPN's DNS endpoint. This means the app cannot effectively run, capture or block DNS requests at all.

Either find a way to bypass Private DNS, or disable the DNS option in the homescreen when Private DNS is set.

Private DNS is detectable through LinkProperties#isPrivateDnsActive and could be fetched either from LinkProperties#getPrivateDnsServerName or LinkProperties#getDnsServers.

LinkProperties are updated on private DNS changes, as seen in the log below. Check if there's a broadcast, or some other way for the Vpn, to find out when such changes happen.

08-14 19:05:19.633  2588  3648 D QCNEJ/WlanStaInfoRelay: Updating link properties: {InterfaceName: wlan0 LinkAddresses: [ 0000::0000:0000:0000:1ac4/64,192.168.1.5/24 ] DnsAddresses: [ /1.1.1.1,/176.103.130.130 ] UsePrivateDns: true PrivateDnsServerName: dns.adguard.com ValidatedPrivateDnsAddresses: [176.103.130.130] Domains: null MTU: 0 TcpBufferSizes: 524288,1048576,4194304,524288,1048576,4194304 Routes: [ fe80::/64 -> :: wlan0,::/0 -> 0000::0000:0000:0000:1ac4 wlan0,192.168.1.0/24 -> 0.0.0.0 wlan0,0.0.0.0/0 -> 192.168.1.1 wlan0 ]}

User feedback: DNS Stats

  1. Total connections per app per week. #98

  2. Domain requests blocked grouped by
    a. category (gambling, social media, family etc)
    b. list-name (stevenblack, adguard, disconnect etc)
    c. per-app

  3. transport+port to protocol mapping, for example: UDP/53 -> DNS, TCP/443 -> HTTPS (these aren't really guaranteed to be accurate especially for apps that don't respect reserved ports, but are useful nonetheless). Ref.

See also: #3 and #308

DNS change delay

Prevent changing the DNS for a second or two.

One way would be to disable the DNS changer drop-down (spinner) for a second or so.

Low battery mode

Currently, the battery consumption is uber high. Power consumption hasn't been analyzed, but it is highly likely that it is due to all the traffic filtering that occurs in the name of the Firewall and the full-tunnel VPN in use (routing 0.0.0.0).

Split-tunnel DNS:

If the user needs just the DNS (without firewall), probably it is best to add only port 53 (split-tunnel) to the routes when vpn-service is built / started / re-started. This might be a preferable default, too?

VPN Blackhole:

If the user just needs the Firewall (without connection tracking #3 and #16 and DNS), the VPN could be run as a blackhole (without creating a forwarding tunnel) wherein all incoming packets from allowed apps end up going exactly nowhere.

App Kill:

Kill apps that are firewalled. The connections from the app are blocked anyway and so if those apps aren't in the foreground they only end up draining extra power by retrying repeatedly to connect.

The UI might be tricky to get right, I am thinking, probably a user preference in the DNS and Firewall screen to enable low battery mode, with a prompt on the homescreen with a clickable chip to enable it (when device battery is low).

Crash: fdsan complains of a use-after-free / double-free ParcelFileDescriptor

Device was connected to WiFi without internet connectivity when this happened:

tombstone_05.txt
logcat.txt (enc)

08-14 00:48:32.879 20806 20806 F DEBUG   : * * * * * * * * * * * * * * * *
08-14 00:48:32.879 20806 20806 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-14 00:48:32.879 20806 20806 F DEBUG   : Revision: '0'
08-14 00:48:32.879 20806 20806 F DEBUG   : ABI: 'arm64'
08-14 00:48:32.879 20806 20806 F DEBUG   : Timestamp: 2020-08-14 00:48:32+0530
08-14 00:48:32.879 20806 20806 F DEBUG   : pid: 20422, tid: 20794, name: magnifier pixel  >>> com.celzero.bravedns <<<
08-14 00:48:32.879 20806 20806 F DEBUG   : uid: 10417
08-14 00:48:32.879 20806 20806 F DEBUG   : signal 35 (<debuggerd signal>), code -1 (SI_QUEUE), fault addr --------
08-14 00:48:32.879 20806 20806 F DEBUG   : Abort message: 'failed to exchange ownership of file descriptor: fd 66 is owned by ParcelFileDescriptor 0x2543d17, was expected to be unowned'
08-14 00:48:32.879 20806 20806 F DEBUG   :     x0  0000000000000000  x1  000000000000513a  x2  0000000000000023  x3  0000006f2725ea90
08-14 00:48:32.879 20806 20806 F DEBUG   :     x4  786520736177202c  x5  786520736177202c  x6  786520736177202c  x7  7420646574636570
08-14 00:48:32.879 20806 20806 F DEBUG   :     x8  00000000000000f0  x9  9d11563a70905f72  x10 0000000000000000  x11 000000700863a1ef
08-14 00:48:32.879 20806 20806 F DEBUG   :     x12 6562206f74206465  x13 64656e776f6e7520  x14 0000006f2725e657  x15 0000000000000000
08-14 00:48:32.879 20806 20806 F DEBUG   :     x16 000000700870f8c0  x17 00000070086eb900  x18 0000006ece35a000  x19 0000000000004fc6
08-14 00:48:32.879 20806 20806 F DEBUG   :     x20 000000000000513a  x21 0000006f27260020  x22 000000700c9648f4  x23 0000000000000001
08-14 00:48:32.879 20806 20806 F DEBUG   :     x24 0000006f2725e880  x25 0000006f2725e800  x26 0000006f2725e7c0  x27 0000000000000000
08-14 00:48:32.879 20806 20806 F DEBUG   :     x28 0000000000000000  x29 0000006f2725eb70
08-14 00:48:32.879 20806 20806 F DEBUG   :     sp  0000006f2725e740  lr  00000070086a06d8  pc  00000070086a06f8

Android's fdsan documentation says this could be due to a double-free (ParcelFileDescriptor#close called twice or more) or use-after-free (ParcelFileDescriptor was closed yet used elsewhere) bug.
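The ownership rule that fdsan enforces, modelled as an added example in plain Kotlin (not the app's code): one handle owns the tun fd, a hand-off to another owner (what ParcelFileDescriptor#detachFd does) is recorded explicitly, close is idempotent, and any use after close or after hand-off fails loudly in the app instead of at the fdsan abort. The class name and the fd numbers are assumptions; the real close(2) call is left as a comment.

```kotlin
import java.util.concurrent.atomic.AtomicReference

enum class FdState { OWNED, DETACHED, CLOSED }

class TunFd(private val raw: Int) {
    private val state = AtomicReference(FdState.OWNED)

    // Like ParcelFileDescriptor#getFd: borrows the number without taking ownership.
    fun fd(): Int {
        check(state.get() == FdState.OWNED) { "fd $raw is ${state.get()}: use-after-free" }
        return raw
    }

    // Like ParcelFileDescriptor#detachFd: the caller (for instance the Go tunnel) is
    // now the only party allowed to close the fd; this object must never close it.
    fun detach(): Int {
        check(state.compareAndSet(FdState.OWNED, FdState.DETACHED)) { "fd $raw already ${state.get()}" }
        return raw
    }

    // Idempotent: a second close() is a no-op rather than a double-free, and a close()
    // after detach() leaves an fd alone that someone else owns. Returns true only when
    // this call actually released the fd.
    fun close(): Boolean {
        val closedNow = state.compareAndSet(FdState.OWNED, FdState.CLOSED)
        if (closedNow) { /* the real close(2) syscall would go here */ }
        return closedNow
    }

    fun current(): FdState = state.get()
}

fun main() {
    val a = TunFd(66)
    println("first close: ${a.close()}, second close: ${a.close()}")      // true, false
    println("use after close -> ${runCatching { a.fd() }.exceptionOrNull()?.message}")

    val b = TunFd(67)
    val handedToTunnel = b.detach()
    println("fd $handedToTunnel detached; owner close() now returns ${b.close()}, state=${b.current()}")
}
```

The abort message in the tombstone ("fd 66 is owned by ParcelFileDescriptor ..., was expected to be unowned") is exactly the second scenario: some code tried to take or close an fd that a ParcelFileDescriptor still considered its own, so the fix is to decide once who owns the tun fd and route every close through that owner.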

User feedback: IP and Port blocklists

Blacklist IP addresses (ranges) and ports (ranges).

  1. Let users block IPs and Ports they see in the Network Monitor screen.

  2. Provide a dedicated interface to choose IPs and Ports and show the existing rules, too, in addition to it.

  3. Consequently, an IPs and Ports whitelist is also required. This will be fun.

Also see: #38 #13 #39

Network Monitor

Like the DNS log screen, there needs to be an indicator of how many apps are blocked, connections blocked, and so on in the main configure firewall screen. Also, may be, arrange the list to keep blocked apps at the top, and the rest at the bottom (See: Glasswire)?

#42

User feedback: Whitelists for Universal Firewall

Users want a whitelist feature for the universal firewall, that is, they want to exclude certain apps from it. A decent ask. Requires a UI change, probably, even moving the Universal Firewall to its own window, separate from the current lone "Firewall" window.

Temporary respite from all the blocking

Come up with a way to let users disable the firewall and DNS temporarily for up to a pre-determined time limit.

  1. From the home-screen.

  2. Via the notifications bar actions, if possible.

User request: Scheduled-based Firewall

Figure out a way to selectively block certain apps either on a schedule or for the next few user-chosen minutes / hours.

The UX is going to be a real challenge for this one.

See: #63

DNS log filters (ui)

Currently, there's no way to filter just the blocked traffic on the app. Provide a way to filter blocked traffic vs all traffic on the DNS log page.

Add an indicator to the entry against blocked DNS traffic (with a "red" border or some such) to distinguish it from allowed DNS traffic.

Firewall maybe shouldn't block all TCP and UDP conns

The firewall mode shouldn't block localhost TCP and UDP.

Maybe it also shouldn't block connections on the private IPv4 (v6 isn't supported) space? Maybe it should.

Interestingly, some folks want to block all LAN traffic. So, that should be an option too?

Discuss.

Integrate AWS Amplify

Required for users of BraveDNS, the resolver, for:

  1. Sign-in / Sign-up.
  2. User-specific configuration.
  3. User-specific metadata.

ScreenLockService stop self

ScreenLockService responsible for enforcing universal-firewall rule "block all apps on device locked" is started in response to ACTION_SCREEN_OFF broadcast and never goes away after that:

08-16 01:45:34.834  1202  1411 W ActivityManager: Stopping service due to app idle: u0a419 -53m32s838ms com.celzero.bravedns/.receiver.ScreenLockService

stopSelf the service once ScreenLockService is done setting the universal firewall rule.

A BroadcastReceiver listening on ACTION_USER_PRESENT_BROADCAST undoes any universal firewall rules ScreenLockService might have set.

Use LiveData to track live counters

Maybe LiveData makes our lives easier?

The live counters appear on the homescreen and show total dns queries, percentage queries blocked, number of apps blocked and so on... Maybe there's a use for LiveData elsewhere too, like in the Firewall screen with ConnTrack?
