This application takes care of your connection, NOT what you're sending or receiving! This means you must use applications providing enough privacy in order to avoid sending out your complete device information.
We were told some people seem to use orWall on their Android device with the stock browser, without any settings. This means they are sending away information such as browser type, device type and even a MAC address or some hash strings.
Of course this isn't the right way to use Tor or any other Onion Router system.
Of course this is the best way for you to be tracked down.
Please be sure of what you're doing. If you want to visit hidden services, please use Orfox or any privacy-aware browser! orWall doesn't take care of what your apps send to the Net. At all. And won't do it. Never. This is not orWall's goal. And will never be.
orWall will force selected applications through Orbot while preventing unchecked applications from having network access.
In order to do so, it will call the iptables binary. This binary, present on your Android device, requires superuser access (aka root). It's the application that manages the firewall on Linux and, by extension, on Android.
In short, orWall will add special iptables rules in order to redirect traffic for applications through Tor; it will also add the required rules in order to block traffic for other apps.
The redirection is based on the application user id. Each Android application runs as a dedicated user, and iptables has support for traffic filtering based on the process owner, meaning it's really easy and pretty safe to do this kind of thing on an Android device.
This application takes care of IP connections only, not GSM. It won't protect you if an attacker sends commands to your baseband through SMS, for example.
Also, on some Android versions (at least 4.1.1), the init-script will not work, meaning you may have outgoing connections before orWall starts.
The application works in two stages: first, an init-script will block all incoming and outgoing traffic. This should prevent leaks, knowing Android sends stuff before you can even access the device.
The second stage comes once the device is fully booted: orWall itself takes the lead on the firewall, adds the required rules in order to allow Orbot traffic, and redirects selected applications to Orbot's TransPort.
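The per-UID redirection and default block described above can be sketched as a dry-run generator. This is an added example, not orWall's own rules: it only prints iptables commands, and the ports (Orbot's default TransPort 9040 and DNSPort 5400), the function names and the sample UIDs are assumptions.

```shell
#!/bin/sh
# Added illustration: prints iptables commands, never executes them.
# Assumptions (not from the page): Orbot's default TransPort 9040 and
# DNSPort 5400; every UID below is a constructed sample value.
TRANS_PORT=9040
DNS_PORT=5400

is_uid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Rules for one selected app: send its DNS and new TCP connections to
# Orbot, accept the redirected packets, reject everything else it sends.
rules_for_uid() {
    is_uid "$1" || { echo "invalid uid: $1" >&2; return 1; }
    m="-m owner --uid-owner $1"
    echo "iptables -t nat -A OUTPUT $m -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    echo "iptables -t nat -A OUTPUT $m -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    echo "iptables -A OUTPUT $m -d 127.0.0.1 -p udp --dport $DNS_PORT -j ACCEPT"
    echo "iptables -A OUTPUT $m -d 127.0.0.1 -p tcp --dport $TRANS_PORT -j ACCEPT"
    echo "iptables -A OUTPUT $m -j REJECT"
}

# Full ruleset: default-deny first (fail closed), then Orbot's own
# traffic, then the per-app redirections. Apps not listed match no
# ACCEPT rule and fall through to the DROP policy.
build_ruleset() {
    is_uid "${1:-}" || { echo "invalid Orbot uid" >&2; return 1; }
    orbot_uid=$1; shift
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -m owner --uid-owner $orbot_uid -j ACCEPT"
    for uid in "$@"; do
        rules_for_uid "$uid" || return 1
    done
}

# Constructed example: Orbot runs as 10050, two selected apps follow.
build_ruleset 10050 10071 10072
```

Because the nat OUTPUT chain is traversed before the filter OUTPUT chain, the ACCEPT rules match the already-redirected local destination, so the app's original destinations are never reachable directly.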
We cannot catch the uninstall event in order to clean things up, meaning you have to remove the init-script by hand.
In case the init-script is still present, you can remove it from the shell (ADB or any root-supporting Terminal application):
    su
    mount -o remount,rw /system
    rm -f /system/etc/init.d/91firewall
    mount -o remount,ro /system
    reboot
iptables -vnL -t nat;
Great news, thanks! Just create a fork and submit pull requests. We're open to new features, bug fixes and so on; feel free to help.
We're seeking people for translations, bug swatting and proofreading.
We also want to add the following features to orWall:
There's a trademark on "Tor", and it seems Tor Project wants to enforce it.
Kindly, that said (and I emphasize this fact). So, in order to both respect the trademark and avoid useless discussions, I preferred to change the name to something else.
All is fine now :).
Long live orWall, your new Onion Router Firewall!