Monday, August 27, 2012

SSH, Android and Security without Root

Maybe I'm a bit paranoid, but I've always been a little worried about rooting my Galaxy Nexus phone.  I've got a lot of secure material attached to my phone, and the security risk associated with rooting it is not a chance I want to take.

While I feel safer without having my phone rooted, it means that I have to be more creative when trying to implement some of the ideas that I have.  One of the big things I wanted to accomplish was setting up an SSH tunnel back to my home computer, so that any time I am on a public wifi network I know that all of my browsing traffic is encrypted.

For those of you who might be new to security, SSH is a protocol that gives you an encrypted connection from wherever you are back to your home computer.  By sending all of my web requests through the SSH tunnel, they are encrypted between my phone and my home computer, so nobody on the public wifi network I happen to be on can read them.

Before we get started, let me describe my equipment.

Phone: Galaxy Nexus (running Android Jelly Bean 4.1.1)
Computer: iMac
Router: Airport Extreme (if you are using a router to connect to the internet, you will need to set up port forwarding)

Enable SSH on your Home Computer and set up Port Forwarding

I will be describing the setup using my iMac running Mac OS X v10.7.4.  If you are running Windows, you will need to figure out the steps yourself; however, the ideas should be the same.

It is important that we first give the home computer a static IP address.  If the IP of your home computer keeps changing, you will not be able to set up port forwarding properly, because the forward points at one fixed address.

Set a Static IP

1.  Click on Settings/Network.

2.  Go to Advanced / TCP/IP, select manual configuration, and choose an IP address that is in your home network.  The other option is to go to your Airport Extreme (or other router) and have it assign the same IP to that particular machine every time it makes a DHCP request.  The important thing is that the IP address of your home computer does not change!

Enable SSH

3.  Click on Settings/Sharing.

4.  Turn on Remote Login.

Enable Port Forwarding

5.  If you are not using a router, you may skip this step.  If you are using a router, it is important that you set up a port forward so that requests arriving at your router get passed through to the computer running the SSH server.  Unfortunately there are just too many different types of routers for me to go through each set of instructions, so you will have to figure that part out yourself.  I myself prefer to forward a non-standard external port to port 22 (the SSH port) of my home computer.  I usually will not expose port 22 itself, as I find it a little more secure not to advertise that you are running an SSH server.

Get an SSH Client for your Android and set up a Secure SSH Tunnel

My favorite piece of SSH software for Android is ConnectBot.  I'm sure there are others you can use as well.  The best thing is that we do not need a rooted phone for any of the steps we are doing.

Download ConnectBot for Android

6.  Go to Google Play and get ConnectBot for your Android phone.  In my opinion this is the best software out there for creating a secure SSH tunnel.

7.  Add your new SSH server (the IP address will be whatever your internet-facing IP address is, and the port is the one you decided to open to the public that forwards to port 22 of your home computer).  At this point you should be able to test your connection.  It will ask for the username/password of your home computer.  If you are unable to connect, STOP HERE and figure out what is wrong.  Chances are your port forwarding is not correct or you're trying to connect to the wrong IP address.  If you cannot connect, there is no point in moving on from here until you figure it out.  If you do connect, it should bring you to a command line, at which point you know everything is set up correctly.  Now it's time to move on to the fun stuff.

Set up your Browser to use the secure tunnel.

We will be setting up a SOCKS proxy in order to browse the web through our tunnel.

8.  Now that we know we have a connection that works, we can create some port forwards to make use of the secure connection.  Let's start with SOCKS.  Edit Port Forwarding (in ConnectBot), add a forward of Type: Dynamic (SOCKS), and use a source port of 8080 (or select your own).

9.  The only browser that I have found so far that works with SOCKS on Android is Firefox, so grab yourself a copy.  The SOCKS setup in Firefox is not obvious and not part of the UI, so you have to be sneaky.  It took me a while to figure out this part.  Go into Firefox and type about:config into the address bar.  Search for proxy.


10.  Change the following!

network.proxy.socks            127.0.0.1
network.proxy.socks_port       8080 (or whatever you picked)
network.proxy.socks_remote_dns true
network.proxy.socks_version    4 (I believe that the Mac will only allow you to use 4.  Not positive on this.)
network.proxy.type             1

11.  Disconnect and reconnect with ConnectBot (it should now forward local port 8080 to SOCKS) and open Firefox.  It should allow you to browse the web.  To test that it is truly using the SOCKS/secure connection, disconnect ConnectBot in the background, go back to Firefox, and your browsing should stop working.  If all goes according to plan, congratulations: you now have an SSH-tunneled SOCKS connection for secure browsing.  All browsing traffic in Firefox is being routed through the SSH connection.

Now it's time for some more fun!  How about getting your desktop on your phone over a secure connection?
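The socks_remote_dns setting above is the one that decides whether your DNS lookups also go through the tunnel or leak out over the public wifi in the clear. The following Python script is an added example (not part of the original post and not ConnectBot or Firefox code) that builds and decodes the SOCKS4, SOCKS4a and SOCKS5 CONNECT requests a browser sends to the dynamic forward, and shows where the hostname gets resolved under each about:config combination. The byte layouts follow the SOCKS4/4a and SOCKS5 (RFC 1928) specifications; the hostnames and the FAKE_LOCAL_RESOLVER table are constructed sample values standing in for the phone's own resolver.

```python
import ipaddress
import struct

# Constructed stand-in for the phone's own DNS resolver, i.e. what Firefox
# consults when socks_remote_dns is false.  Addresses are from the TEST-NET-1
# documentation range, not real hosts.
FAKE_LOCAL_RESOLVER = {"example.com": "192.0.2.10", "mail.example.net": "192.0.2.25"}

SOCKS_CMD_CONNECT = 0x01
SOCKS5_ATYP_IPV4 = 0x01
SOCKS5_ATYP_DOMAIN = 0x03


def _as_ipv4(dest):
    """Return an IPv4Address if dest is a literal address, else None."""
    try:
        return ipaddress.IPv4Address(dest)
    except ipaddress.AddressValueError:
        return None


def build_socks4_connect(dest, port, user_id=b""):
    """SOCKS4 CONNECT for an IP literal, SOCKS4a CONNECT for a hostname."""
    ip = _as_ipv4(dest)
    if ip is not None:
        return struct.pack("!BBH4s", 4, SOCKS_CMD_CONNECT, port, ip.packed) + user_id + b"\x00"
    # SOCKS4a: DSTIP of 0.0.0.1 tells the proxy "a hostname follows the user-id".
    head = struct.pack("!BBH4s", 4, SOCKS_CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return head + user_id + b"\x00" + dest.encode("idna") + b"\x00"


def build_socks5_connect(dest, port):
    """SOCKS5 CONNECT request (sent after the method negotiation)."""
    ip = _as_ipv4(dest)
    if ip is not None:
        addr = bytes([SOCKS5_ATYP_IPV4]) + ip.packed
    else:
        name = dest.encode("idna")
        addr = bytes([SOCKS5_ATYP_DOMAIN, len(name)]) + name   # ATYP 0x03 = domain name
    return bytes([5, SOCKS_CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Decode a SOCKS4/4a/5 CONNECT request.

    Returns (version, destination, port, name_resolved_by_proxy)."""
    if data[0] == 4:
        _, _, port, raw_ip = struct.unpack("!BBH4s", data[:8])
        rest = data[8:]
        rest = rest[rest.index(b"\x00") + 1:]            # skip the user-id field
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            host = rest[:rest.index(b"\x00")].decode("idna")
            return ("4a", host, port, True)
        return ("4", str(ipaddress.IPv4Address(raw_ip)), port, False)
    if data[0] == 5:
        atyp = data[3]
        if atyp == SOCKS5_ATYP_IPV4:
            host = str(ipaddress.IPv4Address(data[4:8]))
            (port,) = struct.unpack("!H", data[8:10])
            return ("5", host, port, False)
        if atyp == SOCKS5_ATYP_DOMAIN:
            n = data[4]
            host = data[5:5 + n].decode("idna")
            (port,) = struct.unpack("!H", data[5 + n:7 + n])
            return ("5", host, port, True)
        raise ValueError("unsupported SOCKS5 address type 0x%02x" % atyp)
    raise ValueError("not a SOCKS4/4a/5 CONNECT request")


def browser_connect(dest, port, socks_version, remote_dns):
    """Build the request a browser sends for the given about:config values.

    Returns (request_bytes, where_resolved): 'proxy' means the hostname rides
    through the tunnel and is looked up on the home computer; 'phone' means
    the browser queried DNS over the public wifi first; 'n/a' for an IP literal."""
    if _as_ipv4(dest) is not None:
        where = "n/a"
    elif remote_dns:
        where = "proxy"
    else:
        where = "phone"
        dest = FAKE_LOCAL_RESOLVER[dest]    # the leak: a plaintext DNS query off-tunnel
    build = build_socks4_connect if socks_version == 4 else build_socks5_connect
    return build(dest, port), where


if __name__ == "__main__":
    for ver in (4, 5):
        for rdns in (True, False):
            req, where = browser_connect("example.com", 443, ver, rdns)
            print("socks_version=%d remote_dns=%s -> %s, resolved by %s" % (ver, rdns, parse_connect(req), where))
```

With remote DNS on, the proxy sees the hostname (SOCKS4a with the 0.0.0.1 marker, or SOCKS5 ATYP 0x03), so the lookup happens on the home computer; with it off, the phone resolves the name in the clear and only the resulting IP goes through the tunnel. Either way, SSH only encrypts the hop from the phone to the home computer; from there to the website the traffic is as plain as it would be at home, so HTTPS still matters.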

Set up VNC to use through your secure SSH session.

12.  First we need to go back and turn on VNC.  Before we can do this, go to Settings/Sharing on your Mac and enable Remote Management.

13.  Under Remote Management, click on Settings and turn on "VNC viewers may control screen with password".  Pick a password!  This will open up a VNC server on your computer (port 5900).  While the port will be open, it will only be reachable from your internal network at this point.

14.  We need to set up another port forward under our SSH connection on the phone.  Select Type: Local, source port 5900, and destination localhost:5900.  This will allow requests to 127.0.0.1:5900 on our phone to go through the tunnel to port 5900 on our home computer.

15.  Get VNC software for the phone.  My favorite is Jump Desktop, but feel free to pick whatever you want.  You do not need to enable SSH in the VNC software, as ConnectBot is already handling it.  All you need to do is connect to 127.0.0.1 port 5900 with the software, and if ConnectBot is running you should be good.  Welcome to secure VNC.  Once again, if you want to test that it is working, disconnect ConnectBot in the background and see if your VNC is still working; it shouldn't be.

At this point, hopefully you are starting to see all of the things you can still accomplish without a rooted phone.  The two options I've told you about are only the beginning of what is possible.  I use my SSH connection to access my private web server, uTorrent software and many other things.  I also use SSH for all file transfers.  If you want to set up secure file transfers, just get software on your phone like AndFTP and SFTP to your home computer.  If you have SSH open, SFTP is already ready to go; just type the IP of your home computer and select the port you opened earlier in the tutorial.

If you have any questions or seem to be stuck with anything, feel free to leave a comment and I will see if I can help you out!  Remember that it will ONLY be the traffic that is routed through your SSH tunnel that will be secured.  If you want a more comprehensive solution so that ALL traffic of EVERY app is forwarded through your SSH tunnel, you will need to root your phone and look at getting different software.
