[tor-dev] [GSoC 2016] Orfox - Report 2

Nathan Freitas nathan at freitas.net
Fri Jun 17 12:40:58 UTC 2016


On Thu, Jun 16, 2016, at 10:37 PM, Tom Ritter wrote:
> On 16 June 2016 at 18:45, Amogh Pradeep <amoghbl1 at gmail.com> wrote:
> Is a code audit the most efficient and reliable way to look for proxy
> leaks? (At least at this stage?)  

I think he means a few things by this, or at least we have a few tasks
underway:
- mentor (me) reviewing code quality and implementation choices for how
proxy features were added
- inspection of esr45 Android Java code for new network code and other
potentially leaky / deanon features
- review of Tor Browser, NoScript and other mobile-relevant extensions
for portability to Android


> I would do dynamic analysis by setting up a bridge and a proxy,
> exercising lots of different functionality of the app (HTTP, HTTPS,
> FTP, update checking, safebrowsing disabling/enabling, extension
> installation, extension update checking, extension calls to third
> party APIs, etc), and looking for any traffic not going to the single
> bridge configured.

We use NoRoot Firewall on Android for doing this in a quick manner. It
is like Little Snitch.

Thanks for the feedback Tom!
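
The dynamic check Tom describes above, as an added example that is not part of the original thread or of Orfox: given a flow log from a test run, report every flow whose destination is neither the single configured bridge nor loopback. The log format, the addresses (documentation ranges), the local proxy port and the `find_leaks` name are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed flow-log format (constructed for this example, one flow per line):
#   <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
FLOW_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed sample capture; all addresses are from documentation ranges.
SAMPLE_FLOWS = """\
TCP 10.0.2.15:40112 -> 198.51.100.7:443
TCP 127.0.0.1:51820 -> 127.0.0.1:9050
UDP 10.0.2.15:38211 -> 192.0.2.53:53
TCP 10.0.2.15:40120 -> 203.0.113.20:80
TCP 10.0.2.15:40131 -> 198.51.100.7:80
garbage line
"""


def find_leaks(flow_log, bridge_ip, bridge_port):
    """Return (leaks, unparsed) for flows that bypass the configured bridge."""
    bridge = (ipaddress.ip_address(bridge_ip), int(bridge_port))
    leaks, unparsed = [], []
    for line in flow_log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            unparsed.append(line)  # fail closed: surface it, never skip it
            continue
        proto, _src, _sport, dst, dport = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst.strip("[]"))
        except ValueError:
            unparsed.append(line)
            continue
        if dst_ip.is_loopback:
            continue  # app talking to the local proxy on the device
        if proto == "TCP" and (dst_ip, int(dport)) == bridge:
            continue  # the only expected off-device destination
        reason = "dns-query" if int(dport) == 53 else "non-bridge-destination"
        leaks.append((reason, line))
    return leaks, unparsed
```

Lines the parser cannot read are returned separately so that an unexpected record format shows up in the result instead of being counted as clean traffic.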

