Feeding the Cloud: pages tagged android
https://feeding.cloud.geek.nz/tags/android/

Monitoring browser network traffic on Android using mitmproxy
https://feeding.cloud.geek.nz/posts/monitoring-browser-network-traffic-on-android-using-mitmproxy/
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
Updated: 2023-10-28T03:06:44Z; published: 2023-10-28T03:05:00Z
<p>Using <a href="https://mitmproxy.org/">mitmproxy</a> to intercept your packets is a convenient way to inspect a browser's network traffic.</p>
<p>It's pretty straightforward to set up on a desktop computer:</p>
<ol>
<li><p>Install mitmproxy (<code>apt install mitmproxy</code> on Debian) and start it:</p>
<pre><code>mitmproxy --mode socks5 --listen-port 9000
</code></pre></li>
<li><p>Start your browser specifying the proxy to use:</p>
<pre><code>chrome --proxy-server="socks5://localhost:9000"
brave-browser --proxy-server="socks5://localhost:9000"
</code></pre></li>
<li><p>Add its <a href="https://docs.mitmproxy.org/stable/concepts-certificates/">certificate authority</a> to your browser.</p></li>
</ol>
<p>At this point, all of the traffic from that browser should be flowing
through your mitmproxy instance.</p>
<h1 id="Android_setup">Android setup</h1>
<p>On Android, it's a little less straightforward:</p>
<ol>
<li><p>Start mitmproxy on your desktop:</p>
<pre><code>mitmproxy --mode regular --listen-port 9000
</code></pre></li>
<li><p>Open that port on your desktop firewall if needed.</p></li>
<li><p>On your Android device, change your WiFi settings for the current access point:</p>
<ul>
<li>Proxy: Manual</li>
<li>Proxy hostname: <code>192.168.1.100</code> (IP address of your desktop)</li>
<li>Proxy port: <code>9000</code></li>
</ul></li>
<li>Turn off any VPN.</li>
<li>Turn off WiFi.</li>
<li>Turn WiFi back on.</li>
<li>Open <a href="http://mitm.it">http://mitm.it</a> in a browser to download the certificate authority file.</li>
<li>Open the system Settings, <em>Security and privacy</em>, <em>More security and
privacy</em>, <em>Encryption &amp; credentials</em>, <em>Install a certificate</em> and finally
choose <em>CA certificate</em>.</li>
<li>Tap <em>Install anyway</em> to dismiss the warning and select the file you just downloaded.</li>
</ol>
<p>Once you have gone through all of these steps, you should be able to monitor
(on your desktop) the HTTP and HTTPS requests made inside of your Android
browsers.</p>
<p>Note that many applications will start failing due to <a href="https://docs.mitmproxy.org/stable/concepts-certificates/#certificate-pinning">certificate
pinning</a>.</p>
Encoding your WiFi access point password into a QR code
https://feeding.cloud.geek.nz/posts/encoding-wifi-access-point-passwords-qr-code/
Updated: 2023-04-22T00:01:20Z; published: 2019-12-29T03:25:00Z
<p>Up until recently, it was a pain to defend against <a href="https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Weak_password">WPA2 brute-force
attacks</a>
by using a random 63-character password (the maximum in
<a href="https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Target_users_(authentication_key_distribution)">WPA-Personal</a>
mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords
from a QR code, this is finally a practical defense.</p>
<h2 id="Generating_the_QR_code">Generating the QR code</h2>
<p>After installing the <a href="https://packages.debian.org/stable/qrencode"><code>qrencode</code></a>
package, run the following:</p>
<pre><code>qrencode -o wifi.png "WIFI:T:WPA;S:&lt;SSID&gt;;P:&lt;PASSWORD&gt;;;"
</code></pre>
<p>substituting <code>&lt;SSID&gt;</code> for the name of your WiFi network and <code>&lt;PASSWORD&gt;</code> for
the 63-character password you hopefully generated with <code>pwgen -s 63</code>.</p>
<p>If your password includes a semicolon, then escape it like this:</p>
<pre><code>"WIFI:T:WPA;S:&lt;SSID&gt;;P:pass\:word;;"
</code></pre>
<p>since iOS won't support the following (which works fine on Android):</p>
<pre><code>'WIFI:T:WPA;S:&lt;SSID&gt;;P:"pass:word";;'
</code></pre>
<p>The only other pitfall I ran into is that if you include a trailing newline
character (for example piping <code>echo "..."</code> into <code>qrencode</code> as opposed to
<code>echo -n "..."</code>) then it will fail on both iOS and Android.</p>
<p>The full syntax for these WiFi QR codes can be found on the <a href="https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-network-config-android-ios-11">zxing wiki</a>.</p>
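<p>The quoting rules above, as an added example (not from the original post): a POSIX shell helper that builds the <code>WIFI:</code> string, backslash-escaping the characters the zxing wiki lists as special (<code>\</code>, <code>;</code>, <code>,</code>, <code>"</code> and <code>:</code>), and feeds it to <code>qrencode</code> on standard input without a trailing newline. The function names, the script name and the 8-character minimum check are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example, not part of the original post.
# Usage (the script name wifi-qr.sh is hypothetical):
#   pwgen -s 63 1 | sh wifi-qr.sh "<SSID>" wifi.png

# Backslash-escape the characters the WIFI: format treats as special:
# backslash, semicolon, comma, double quote and colon.
wifi_escape() {
    printf '%s' "$1" | sed -e 's/[\\;,":]/\\&/g'
}

# Print the QR payload for SSID $1 and WPA passphrase $2, with no trailing
# newline. Returns non-zero (and prints nothing on stdout) on invalid input.
wifi_payload() {
    ssid=$1
    pass=$2
    nl='
'
    # An embedded or trailing newline makes the code fail on iOS and Android.
    case "$ssid$pass" in
        *"$nl"*)
            echo "error: SSID and passphrase must not contain a newline" >&2
            return 1 ;;
    esac
    # WPA-Personal passphrases are 8 to 63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "error: passphrase must be 8 to 63 characters" >&2
        return 1
    fi
    printf 'WIFI:T:WPA;S:%s;P:%s;;' \
        "$(wifi_escape "$ssid")" "$(wifi_escape "$pass")"
}

# When called with an SSID and an output file, read the passphrase from
# stdin so that it ends up neither in shell history nor in the process list.
if [ "$#" -eq 2 ]; then
    IFS= read -r passphrase || [ -n "$passphrase" ] || exit 1
    payload=$(wifi_payload "$1" "$passphrase") || exit 1
    # qrencode reads its input from stdin when no string argument is given.
    printf '%s' "$payload" | qrencode -o "$2"
fi
```

<p>The resulting <code>wifi.png</code> contains the passphrase in clear text, so treat the file and any printout like the password itself.</p>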
<h2 id="Scanning_the_QR_code">Scanning the QR code</h2>
<p>On iOS, simply open the camera app and scan the QR code to bring up a
notification which allows you to connect to the WiFi network:</p>
<p><img alt="" src="https://feeding.cloud.geek.nz/posts/encoding-wifi-access-point-passwords-qr-code/ios_qr_scanner.png" /></p>
<p>On Android, go into the WiFi settings and tap on the WiFi network you want
to join:</p>
<p><img alt="" src="https://feeding.cloud.geek.nz/posts/encoding-wifi-access-point-passwords-qr-code/android_wifi_settings.png" /></p>
<p>then click the QR icon in the password field and scan the code:</p>
<p><img alt="" src="https://feeding.cloud.geek.nz/posts/encoding-wifi-access-point-passwords-qr-code/android_qr_scanner.png" /></p>
<h2 id="In-browser_alternative">In-browser alternative</h2>
<p>If you can't do this locally for some reason, there is also an <a href="https://qifi.org/">in-browser
QR code generator</a> with <a href="https://github.com/evgeni/qifi">source code
available</a>.</p>
Creating a home music server using mpd
https://feeding.cloud.geek.nz/posts/home-music-server-with-mpd/
Updated: 2022-09-23T23:30:40Z; published: 2017-01-30T06:20:00Z
<p>I recently set up a music server on my home server using the <a href="https://www.musicpd.org/">Music Player
Daemon</a>, a cross-platform <a href="https://www.gnu.org/philosophy/free-sw.html">free
software</a> project which has
been around for a long time.</p>
<h1 id="Basic_setup">Basic setup</h1>
<p>Start by installing the server and the client package:</p>
<pre><code>apt install mpd mpc
</code></pre>
<p>then open <code>/etc/mpd.conf</code> and set these:</p>
<pre><code>music_directory    "/path/to/music/"
bind_to_address    "0.0.0.0"
bind_to_address    "/run/mpd/socket"
password           "Password1"
audio_output {
    type           "alsa"
    name           "My ALSA Device"
    device         "hw:CARD=DAC,DEV=0"
    mixer_type     "software"
}
</code></pre>
<p>Note that you can find the right sound device on your machine using the <code>aplay -L</code> command.</p>
<p>Since this is a headless system setup, it may be necessary to <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959693">disable the user service</a>:</p>
<pre><code>rm /etc/xdg/autostart/mpd.desktop
systemctl --global disable mpd.service
</code></pre>
<p>in order to prevent systemd from launching the mpd service whenever a user
logs in, leading to error messages like:</p>
<pre><code>systemd[324808]: mpd.socket: Failed to create listening socket ([::]:6600): Address already in use
systemd[324808]: mpd.socket: Failed to listen on sockets: Address already in use
systemd[324808]: mpd.socket: Failed with result 'resources'.
systemd[324808]: Failed to listen on mpd.socket.
mpd[324823]: exception: failed to open log file "/var/log/mpd/mpd.log" (config line 39): Permission denied
systemd[324808]: mpd.service: Main process exited, code=exited, status=1/FAILURE
systemd[324808]: mpd.service: Failed with result 'exit-code'.
systemd[324808]: Failed to start Music Player Daemon.
</code></pre>
<p>Once all of that is in place, restart the mpd daemon:</p>
<pre><code>systemctl restart mpd.service
</code></pre>
<p>and create an index of your music files:</p>
<pre><code>MPD_HOST=Password1@/run/mpd/socket mpc update
</code></pre>
<p>while watching the logs to notice any files that the mpd user doesn't have
access to:</p>
<pre><code>tail -f /var/log/mpd/mpd.log
</code></pre>
<h1 id="Enhancements">Enhancements</h1>
<p>I also added the following in <code>/etc/logcheck/ignore.server.d/local-mpd</code> to
silence unnecessary log messages in
<a href="https://packages.debian.org/stable/logcheck">logcheck</a> emails:</p>
<pre><code>^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Started Music Player Daemon.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Stopped Music Player Daemon.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ systemd\[1\]: Stopping Music Player Daemon...$
</code></pre>
<p>and created a cronjob in <code>/etc/cron.d/mpd-francois</code> to update the database
daily and stop the music automatically in the evening:</p>
<pre><code># Fix any broken permissions
4 * * * * root find /path/to/music -type d -exec chmod a+rx {} \;
4 * * * * root find /path/to/music -type f -exec chmod a+r {} \;
# Refresh DB once an hour
5 * * * * mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/bin/mpc --quiet update
# Think of the neighbours
0 22 * * 0-4 mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
0 23 * * 5-6 mpd test -r /run/mpd/socket && MPD_HOST=Password1@/run/mpd/socket /usr/local/bin/mpc-fade
</code></pre>
<p>My <a href="https://github.com/fmarier/user-scripts/blob/master/mpc-fade"><code>mpc-fade</code> script</a>,
heavily inspired by <a href="http://guillaumeplayground.net/mpd-mpc-fade-in-out-script/">Guillaume's</a>,
gradually brings the volume down instead of stopping the music abruptly.</p>
<h2 id="Album_covers">Album covers</h2>
<p>In order to supply album cover art to clients which support grabbing covers
from a local web server I have installed
<a href="https://httpd.apache.org/">Apache</a>:</p>
<pre><code>apt install apache2
</code></pre>
<p>and configured it to serve the covers by putting the following in the
default vhost section of <code>/etc/apache2/sites-available/000-default.conf</code>:</p>
<pre><code>Alias /music /path/to/music
&lt;Directory /path/to/music&gt;
    Options -MultiViews -Indexes
    AllowOverride None
    Order allow,deny
    allow from all
&lt;/Directory&gt;
</code></pre>
<p>Finally, I enabled the new vhost and restarted Apache:</p>
<pre><code>a2ensite 000-default
systemctl restart apache2.service
</code></pre>
<h1 id="Clients">Clients</h1>
<p>To let anybody on the local network connect, I opened <strong>ports 80 and 6600</strong>
on the firewall (<code>/etc/network/iptables.up.rules</code> since I'm using Debian's
<code>iptables-apply</code>):</p>
<pre><code>-A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 6600 -j ACCEPT
</code></pre>
<p>Then I looked at <a href="http://mpd.wikia.com/wiki/Clients">the long list of clients</a> on the mpd wiki.</p>
<h2 id="Desktop">Desktop</h2>
<p>The official website <a href="https://www.musicpd.org/clients/">suggests two
clients</a> which are available in Debian and
Ubuntu:</p>
<ul>
<li><a href="http://ario-player.sourceforge.net/">Ario</a> (<code>apt install ario</code>)</li>
<li><a href="http://gmpclient.org/">GNOME Music Player Client</a> (<code>apt install gmpc gmpc-plugins</code>)</li>
</ul>
<p>Both of them work well, but haven't had a release since 2011, even though
there is some activity
in <a href="https://sourceforge.net/p/ario-player/code/HEAD/tree/">2013</a>
and <a href="http://repo.or.cz/w/gmpc.git">2015</a> in their respective source control
repositories.</p>
<p>Ario has a simpler user interface but gmpc has cover art download
working out of the box, which is why I might stick with it.</p>
<p>In both cases, it is possible to <a href="https://feeding.cloud.geek.nz/posts/things-that-work-well-with-tor/">configure a polipo
proxy</a>
so that any external resources are fetched via
<a href="https://www.torproject.org/">Tor</a>.</p>
<h2 id="Android">Android</h2>
<p>On Android, I got these two to work:</p>
<ul>
<li><a href="https://f-droid.org/repository/browse/?fdfilter=malp&fdid=org.gateshipone.malp">M.A.L.P.</a> (requires Android 5 or later)</li>
<li><a href="https://f-droid.org/repository/browse/?fdfilter=mpdroid&fdid=com.namelessdev.mpdroid">MPDroid</a></li>
</ul>
<p>I picked M.A.L.P. since it includes a nice widget for the homescreen. In the
profile settings, I enabled <em>Prefer <a href="https://github.com/gateship-one/malp/wiki/FAQ#application-usage">HTTP cover
files</a></em> and
used this URL:</p>
<pre><code>http://192.168.1.2/%d
</code></pre>
<h2 id="iOS">iOS</h2>
<p>On iOS, these are the most promising clients I found:</p>
<ul>
<li><a href="https://github.com/Nyx0uf/MPDRemote">MPDRemote</a> (free software, sold on the <a href="https://itunes.apple.com/us/app/mpdremote/id1202933180?ls=1&mt=8">AppStore</a>)</li>
<li><a href="http://kineticfactory.com/MPDluxe/">MPDluxe</a> (proprietary, sold on the <a href="https://itunes.apple.com/app/mpdluxe/id991758069?mt=8">AppStore</a>)</li>
</ul>
<p>since <a href="http://www.katoemba.net/makesnosenseatall/mpod/">MPoD</a> and
<a href="http://www.katoemba.net/makesnosenseatall/mpad/">MPaD</a> don't appear to be
available on the AppStore anymore.</p>
<p>Of these, MPDRemote appears to be the better one. It also supports album art
if you configure the profile with the following cover URL:</p>
<pre><code>http://192.168.1.2/
</code></pre>
Using OpenVPN on Android Lollipop
https://feeding.cloud.geek.nz/posts/using-openvpn-on-android-lollipop/
Updated: 2022-11-19T07:11:46Z; published: 2015-04-03T03:45:00Z
<p>I use my personal server as a VPN endpoint for my laptop when I'm using untrusted networks and I
wanted to do the same on my Android 5 (Lollipop) phone.</p>
<p>It turns out that it's quite easy to do (doesn't require rooting your phone)
and that it works very well.</p>
<h2 id="Install_OpenVPN">Install OpenVPN</h2>
<p>Once you have <a href="https://feeding.cloud.geek.nz/posts/creating-a-linode-based-vpn-setup-using_openvpn_on_debian_or_ubuntu/">installed and configured OpenVPN on the
server</a>,
you need to install the OpenVPN app for Android (available both on
<a href="https://f-droid.org/repository/browse/?fdid=de.blinkt.openvpn">F-Droid</a> and
<a href="https://play.google.com/store/apps/details?id=de.blinkt.openvpn">Google
Play</a>).</p>
<p>From the <code>easy-rsa</code> directory you created while generating the server keys,
create a new keypair for your phone:</p>
<pre><code>./build-key nexus6 # "nexus6" as Name, no password
</code></pre>
<p>and then copy the following files onto your phone:</p>
<ul>
<li><code>ca.crt</code></li>
<li><code>nexus6.crt</code></li>
<li><code>nexus6.key</code></li>
<li><code>ta.key</code></li>
</ul>
<h2 id="Create_a_new_VPN_config">Create a new VPN config</h2>
<p>If you configured your server as per my instructions, these are the settings
you'll need to use on your phone:</p>
<p>Basic:</p>
<ul>
<li>LZO Compression: <code>NO</code></li>
<li>Type: <code>Certificates</code></li>
<li>CA Certificate: <code>ca.crt</code></li>
<li>Client Certificate: <code>nexus6.crt</code></li>
<li>Client Certificate Key: <code>nexus6.key</code></li>
</ul>
<p>Server list:</p>
<ul>
<li>Server address: <code>hafnarfjordur.fmarier.org</code></li>
<li>Port: <code>1194</code></li>
<li>Protocol: <code>UDP</code></li>
<li>Custom Options: <code>NO</code></li>
</ul>
<p>Authentication/Encryption:</p>
<ul>
<li>TLS Security Profile: <code>preferred</code></li>
<li>Expect TLS server certificate: <code>YES</code></li>
<li>Certificate hostname check: <code>YES</code></li>
<li>Remote certificate subject: <code>server</code></li>
<li>Use TLS Authentication: <code>YES</code></li>
<li>TLS Auth File: <code>ta.key</code></li>
<li>TLS Direction: <code>1</code></li>
<li>Encryption cipher: <code>AES-256-GCM</code></li>
<li>Packet authentication: <code>SHA512</code></li>
</ul>
<p>Advanced:</p>
<ul>
<li>Persistent tun: <code>YES</code></li>
</ul>
<p>That's it. Everything else should work with the defaults.</p>
How to get Android OTA updates from Google on a Galaxy Nexus
https://feeding.cloud.geek.nz/posts/how-to-get-android-ota-updates-from/
Updated: 2021-06-11T20:43:57Z; published: 2012-07-15T06:49:00Z
<p>I got an unlocked GSM <a href="https://en.wikipedia.org/wiki/Galaxy_Nexus">Galaxy Nexus</a> (GT-I9250) phone from Amazon a few months ago and I've been wondering why it was still sitting on Android 4.0.2 (Ice Cream Sandwich). Looking at "Settings | About phone | System updates" told me that my "system was currently up to date" despite the fact that most of my friends had been running 4.0.4 for a while on their Galaxy Nexus.</p>
<p>It turns out that a colleague of mine, who managed to buy this phone just before <a href="http://www.fosspatents.com/2012/07/galaxy-nexus-ban-remains-in-effect-for.html">Apple got it banned in the US</a>, found the reason: it was set to get over-the-air (OTA) updates from Samsung, not Google. Samsung has been sitting on this one for a while, which isn't great given the <a href="http://android.stackexchange.com/questions/17973/galaxy-nexus-suddenly-restarts">random crash+reboots</a> that seem to occur about once a week on 4.0.2 <img alt=":(" src="https://feeding.cloud.geek.nz/smileys/sad.png" /></p>
<h3 id="Finding_who_delivers_updates_to_your_phone">Finding who delivers updates to your phone</h3>
<p>Apparently there is a text file somewhere on the phone that will tell you whether it is a Google-controlled or Samsung-controlled phone. If you know what file that is, please leave a comment, I couldn't find it. So I ended up temporarily installing <a href="https://play.google.com/store/apps/details?id=com.electricsheep.asi&hl=en">this application</a> (warning: contains gratuitous ads) and looking at the "Brand" field.</p>
<p>Another thing you can look for is whether or not your device is running a "yakju" firmware (see the "Product" field). If it's something like "yakjujp", then you're not with Google and <a href="http://forum.xda-developers.com/showthread.php?p=28005210">updates may not be available</a> yet.</p>
<h3 id="Switching_to_the_standard_Google_firmware">Switching to the standard Google firmware</h3>
<p>In order to get your updates from Google, you can switch to the vanilla "yakju" firmware.</p>
<p>I followed these <a href="http://webtrickz.com/guide-to-update-samsung-galaxy-nexus-yakjuxw-to-android-4-0-4-and-get-future-updates-from-google/">painful Windows instructions</a> while I really should have looked at <a href="http://forum.xda-developers.com/showthread.php?t=1626895">these ones</a> instead (and ignored most of the steps given how much easier this process is on Linux).</p>
<p>The whole procedure can be summarized like this:</p>
<ol>
<li>Back up your phone.</li>
<li>Unlock the boot loader (which erases everything).</li>
<li>Reboot into <a href="http://source.android.com/source/building-devices.html#booting-into-fastboot-mode">fastboot</a> (hold down Volume Up and Volume Down then press the power button).</li>
<li>Flash all of the different firmware images.</li>
<li>Reboot and reinstall/reconfigure apps.</li>
</ol>
<p>In any case, a few hours later, I ended up with a fresh install of the 4.0.4 yakju firmware and an unlocked boot loader. The only thing I haven't been able to do yet is to re-enable full disk encryption. I'm not quite sure why my phone refuses to start the encryption process...</p>
Browsing privacy and ad blocking on Android
https://feeding.cloud.geek.nz/posts/browsing-privacy-and-ad-blocking-on/
Updated: 2021-06-11T20:43:57Z; published: 2012-06-11T07:15:00Z
<p>On the desktop, I usually rely on <a href="http://privoxy.org">Privoxy</a> to strip out ads, tracking resources and other privacy-invading elements. So I was looking for an equivalent solution on Android.</p>
<h3 id="Firefox_10">Firefox 10</h3>
<p>With the current version of <a href="https://play.google.com/store/apps/details?id=org.mozilla.firefox">Firefox for Android</a>, you can simply install the <a href="https://addons.mozilla.org/en-US/mobile/addon/adblock-plus/">Adblock Plus</a> extension and it will filter most undesirable elements from webpages.</p>
<p>Unfortunately, that extension is not yet available for the latest <a href="https://play.google.com/store/apps/details?id=org.mozilla.firefox_beta">Firefox Beta</a>, so I had to find another solution.</p>
<h3 id="Android_Adblock">Android Adblock</h3>
<p>It turns out that there is an <a href="https://code.google.com/p/andblock/">Open Source proxy</a> similar to Privoxy (though much more limited in functionality) available for Android: <a href="https://play.google.com/store/apps/details?id=de.ub0r.android.adBlock">Adblock</a> (also available on the <a href="http://f-droid.org">F-Droid</a> Free Software market).</p>
<p>However, its default configuration really doesn't block much and so you'll probably want to import a new blocklist as soon as you install it. I used a combination of the <a href="https://easylist-downloads.adblockplus.org/easylist.txt">Easylist</a> and <a href="https://easylist-downloads.adblockplus.org/easyprivacy.txt">EasyPrivacy</a> blocklists.</p>
<h3 id="Configuring_Fennec_to_use_a_proxy">Configuring Fennec to use a proxy</h3>
<p>Unlike its desktop cousin, Firefox for Android (also called Fennec) doesn't expose proxy settings in the user interface. Instead, you have to open the <code>about:config</code> page and configure the following settings manually:</p>
<pre><code>network.proxy.http = localhost
network.proxy.http_port = 8080
network.proxy.ssl = localhost
network.proxy.ssl_port = 8080
network.proxy.type = 1
</code></pre>
<p>Once you're done, test your connection by going into the AdBlock application and turning the proxy off. Then switch back to Firefox and go to a new website. You should get an error message telling you that the proxy is blocking connections. That means it's successfully using your proxy to talk to other websites and not connecting to them directly.</p>
<p>(It might also be possible to set this up in the default Android browser or in the Chrome for Android Beta, but I haven't been able to find how. Feel free to leave a comment if you know how it's done.)</p>
<h3 id="Bonus_tips">Bonus tips</h3>
<p>While you're at it, I highly recommend you turn on the <a href="http://dnt.mozilla.org/">Do Not Track</a> feature in Firefox. Some large sites (like <a href="https://twitter.com/twitter/statuses/203133041160364033">Twitter</a>) have recently committed to turning off individual tracking on web requests which contain this new privacy header.</p>
<p>Also, if you want to help move the mobile web away from a <a href="http://www.webkit.org/">WebKit</a> monoculture (remember how bad the <a href="http://saveie6.com/">Internet Explorer 6</a> monoculture was for the web?), then please consider joining the <a href="https://wiki.mozilla.org/Mobile/Testdrivers_Program">Mobile Testdrivers</a> team and help us make Firefox rock on Android!</p>