[tor-talk] Nice to meet you! / WhatsApp by Tor?

Mirimir mirimir at riseup.net
Thu Apr 18 00:31:43 UTC 2019


On 04/17/2019 08:19 AM, GTI .H wrote:
> Em ter, 16 de abr de 2019 às 17:26, Mirimir <mirimir at riseup.net> escreveu:
> 
>> On 04/16/2019 12:39 PM, GTI .H wrote:
>>> Em ter, 16 de abr de 2019 às 13:36, Mirimir <mirimir at riseup.net>
>> escreveu:
>>>
>>>> On 04/16/2019 08:48 AM, GTI .H wrote:
>>>>> Please, how can I use Tor to hide the origin IP in WhatsApp Android?
>>>>
>>>> Your safest option, if you must use WhatsApp, is to use it in an Android
>>>> VM, running on a small tablet, ...

Upon reflection, maybe I've missed the obvious option. Which is to just
run a Tor client on the phone, and WhatsApp with CCProxy.

So does that work?

And of course, if WhatsApp can see everything, there's no point to doing
it. And maybe that's where I was coming from. Basically, don't use a
real phone. Just an Android VM. Because that you can totally lock down.

>>> To avoid buying a Tablet, would it be possible to use this method with an
>>> Android VM running on the W10?
>>
>> I know nothing about Windows mobile devices.
> 
> 
> I did not mean Windows mobile devices, I'm talking about PC Windows 10 OS.

Oh. Sorry.

>> If it will run VirtualBox,
>>
> 
> Does it have to be VirtualBox? The W10 PC OS has the HyperV which is where
> the VMs run. Is not HyperV useful?
> I searched and saw that VirtualBox also runs on the PC W10 OS.

HyperV is OK, I guess. I used it, long ago. It might run VMs faster on
Windows 10 than VirtualBox does. But there is the possibility that the
Android VM won't work well with it.

>> and the Android VM can reach the Internet, sure.
> 
> 
> I think so, which VM would not access the internet?

I said that because I thought you were using Windows mobile. For Windows
10 on a PC, there shouldn't be problems. But if there are, it might be
that the Android VM is picky about network interface hardware. pfSense
chokes on some hardware, as I recall.

>> That way, you can run a
>> VPN client on the W10, and connect the Android VM through it. Or via
>> Tor, if that works.
>>
> 
> How would it be?
> Do I create a VM, install Android on it (if that's possible), and configure
> the VM Proxy with the Tor Socket with Tor open?

Yes, you run a version of Android that's been tweaked to run as a VM.
The host machine provides a "fake WiFi" connection for it. There's no
cellular account.

If you can use WhatsApp via a Tor SocksPort, using CCProxy or whatever,
that would be simplest. But Tor doesn't route UDP, so as I've said, you
need to verify that WhatsApp works without UDP connectivity.

If you need UDP for WhatsApp, and also want Tor-level anonymity, you'll
need to route a VPN through Tor. That's doable, because OpenVPN has a
socks-proxy option, and will use a Tor SocksPort. But you need to use
the VPN in TCP mode, because Tor doesn't route UDP.

You could run the VPN-via-Tor thing in the host machine, and the Android
VM would reach the Internet through the VPN tunnel. Or you could use a
gateway VM. I recommend using a gateway VM, because it gives you some
isolation, and it's easy to lock down with firewall (iptables) rules.

> What is the VM for? Not to leave vestiges in the HD of the PC?
> 
> What is the function of each item?
> * VM: Do not leave traces in the HD of the PC?

The VM is the Android device, which runs your WhatsApp client. There is
no separate smartphone. You can lock down the Android VM, so WhatsApp
can't see anything from the host machine. Such as your ISP-assigned IP.

> * VPN: Avoid Government / ISP Tracing?
> * Tor: hide IP from source?

Both Tor and VPNs protect you from observation by your ISP. And to some
extent, from governments. And both prevent WhatsApp, and your contacts,
from knowing your IP address.

Tor is far^N better at that than VPNs are. But if WhatsApp won't work
directly via Tor, you'll need a VPN.

> Would it be this?
> 
> 
>>>> which uses WiFi for connectivity. You can
>>>> lease real mobile SIMs from sites like https://speedyverify.com/ and do
>>>> it ~anonymously using well-mixed Bitcoin.
>>>>
>>>
>>>   and this site https://www.receive-sms-online.info/ is free, is not it
>> the
>>> same thing?
>>
>> Sites like that provide shared virtual mobile numbers. Some services
>> won't accept them.
> 
> 
> I'm going to test this week, but I think WhatsApp should accept this site.

As Cyaniventer noted, using services like that would be totally
insecure. I suppose that the same argument applies to Speedyverify, but
at least they're (hopefully) not sharing your SIM with others.

>> Also, phone numbers for WhatsApp accounts are really
>> the account IDs. So you need something that's ~permanent. Using that
>> site I linked, you actually buy SIMs. They just plug them into their
>> system, when you need to use them. As far as I know, they don't charge
>> "rent" for SIMs. You just buy "five uses" (or whatever) packages.
>>
> 
> As anonymous, we do not need permanent or private WhatsApp accounts IDs.

Sure, but it needs to work for a while, at least.

>>>> I don't know whether WhatsApp absolutely requires UDP.
>>>
>>>
>>> Me neither, I saw this in a forum that talks about the ports used by
>>> WhatsApp.
>>>
>>>
>>>> If it does, then
>>>> using Tor would be difficult. You'd probably need to route a TCP-based
>>>> VPN service through it. Or instead, you could just use a VPN service, or
>>>> better, a nested VPN chain. I could offer more information if you like.
>>>>
>>>
>>> Of course I want any information that can solve this problem, 10 years
>> ago
>>> I look for a solution and I thought that now with the new technologies
>> this
>>> could be possible.
>>
>> Find out whether WhatsApp really needs UDP. If it does, you can email me
>> off-list, and we can discuss options.
>>
> 
> Reliable information would be from WhatsApp (WA) and I did not find them,
> or from our tests. I thought about locking the UDP ports on my router and
> see if the WA works.
> I saw on the WA website that WA uses a proprietary protocol as well.
> Yes, we can talk by PMs if needed, but at the moment I do not have much to
> talk about, if you have, please PM me.
> 
> 


More information about the tor-talk mailing list