Tor Security for Android and Desktop Linux


Internet service providers in the United States have just been given the green light to sell usage history of their subscribers by S J Res 34, opening the gates for private subscriber data to become public. The law appears to direct ISPs to provide an "opt-out" mechanism for subscribers to retain private control of their usage history, which every subscriber should complete.

This comes at an interesting time for the new Trump presidency, as he appears to be preparing the Justice Department to prosecute Susan Rice for accessing telephone records of his associates while she was the National Security Advisor for the Obama administration. It is ironic and unconscionable that President Trump has chosen to erode internet usage privacy for his constituents while fiercely defending the telephone records of those closest to him.

The Tor Project presents an effective countermeasure against hostile and disingenuous carriers and ISPs that, on a properly rooted and capable Android device or Linux system, can force all network traffic through Tor encrypted entry points (guard nodes) with custom rules for iptables. This action renders all device network activity opaque to the upstream carrier—barring exceptional intervention, all efforts to track a user are afterwards futile.
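The kind of iptables rule set this refers to, for desktop Linux, as an added example that is not the article's or the Tor Project's own code. It assumes torrc sets TransPort 9040 and DNSPort 5353, and the uid 110 is a constructed value standing in for the account Tor runs as.

```shell
#!/bin/sh
# Added example, not from the article. Prints (does not apply) iptables
# commands that push all outbound traffic through a local Tor client.
# Assumes torrc contains "TransPort 9040" and "DNSPort 5353".

tor_rules() {
    tor_uid=$1             # numeric uid the tor daemon runs as
    trans_port=${2:-9040}  # must match TransPort in torrc
    dns_port=${3:-5353}    # must match DNSPort in torrc

    case $tor_uid in
        ''|*[!0-9]*) echo "usage: tor_rules <tor uid> [transport] [dnsport]" >&2
                     return 1 ;;
    esac

    cat <<EOF
# nat: Tor's own traffic is left alone, everything else is redirected
iptables -t nat -A OUTPUT -m owner --uid-owner $tor_uid -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans_port
# filter: only loopback and the tor daemon may send; the rest is rejected
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
iptables -A OUTPUT -j REJECT
# IPv6 is not covered by the rules above, so block it outright
ip6tables -A OUTPUT ! -o lo -j REJECT
EOF
}

# Constructed uid for illustration; substitute the real uid of the tor account.
tor_rules 110
```

The function only prints commands, so they can be reviewed before being run as root. The final ip6tables line is there because the IPv4 rules do nothing for IPv6 traffic, which would otherwise bypass Tor.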

Orbot for Android

A rooted Android device is required for the highest levels of service for Tor and is now a "must-have" for users who place great value on privacy. Android stock devices (where root is controlled by the Original Equipment Manufacturer [OEM] and/or the carrier) are able to use the network with applications that are aware of the local Tor client, but full root control of User ID zero is a precondition for total obfuscation of device network traffic. Carriers and OEMs work very hard to lock devices and prevent users from rooting, but they are also quite lazy in applying security updates, and a thriving industry has emerged for Android owners seizing privileged access by exploiting security flaws. A few relevant resources for rooting are Sunshine, KingRoot and KingoRoot. Depending upon the hardware model, these programs can be effective in breaking Android systems free. Research on these tools and methods is best conducted in the discussion forums for XDA Developers.

Not all rooted devices are capable of using the full services of Tor. Of particular note is the Samsung Galaxy S7, which appears incapable of running the standard Orbot client, and will use only the basic modes of the network with a newer alpha release even when rooted. If your device is so constrained, it may be time to consider a downgrade.

Note that Android Pay and Samsung Pay specifically will not function on rooted devices. Networking performance will noticeably decline while using Tor. Google web pages also will present constant "captchas" that impede access when run through Tor. These limitations are now a small price to pay in light of current events.

A proper Tor installation on Android includes both Orbot and Orfox, both products of The Guardian Project. Orbot is the Tor client control agent, and it can provide either a local proxy for Tor-aware applications or, granted root access, force all traffic to Tor entry points (guard nodes). Orfox is a custom version of the Firefox web browser with several additional add-ons and custom privacy settings. The Tor Project recommends that Orfox should not be modified, either by adding or removing add-ons or modifying the privacy related settings—load classic Firefox for this activity.

The best way to load Tor software on any Android device (rooted or not) is via the F-Droid Repository, which accepts contributions only in source code form and builds the packages for its binary repository itself. Orbot is also available on Google Play, but the F-Droid source is more trustworthy. F-Droid will provide upgrade alerts for its installed applications, which is a valuable feature for both Orbot and Orfox.

To load F-Droid, first enable third-party application installation (Settings→Security→[Enable] Unknown Sources), then download F-Droid, install it and open it. Click the settings in the upper-right corner, and configure the repositories.

Enable the entry for the Guardian Project. Enable them all, if desired. Click the circular reload, and allow F-Droid several minutes to re-synchronize.


Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.