Hi everyone,
For those of you interested in making Tor available on iOS, I've recently released CPAProxy, a thin Objective-C wrapper around Tor ( https://github.com/ursachec/CPAProxy).
The goal of the project is to release a free open-source browser on the AppStore that uses this wrapper and Tor to anonymize requests.
It works by starting an instance of the Tor client in a background thread of an iOS app's main process. CPAProxy connects a socket to the client's control port, send an authenticate message and asks for the bootstrap progress until it reaches 100%. When the bootstrapping is done, the app is notified that Tor's SOCKS proxy is ready to be used. From that point on, networking requests can be sent over the proxy using Apple's iOS networking classes. The github repository contains two packet traces from a test app using CPAProxy of what traffic for an HTTP request looks like when it's sent over Tor and when in plain. The repo also contains build scripts that ease the compilation of openssl, libevent and Tor for iOS without changing anything in the "normal" build process except for removing _NSGetEnviron() and ptrace() calls in src/common/compat.c, since they're are not available on the iPhone. Each of the libraries are statically linked into the application binary.
Before continuing with the endeavor of releasing a browser, it would help to know if there are people who think that it's not a totally bad idea to release software that uses Tor on a closed platform and to get some feedback on what security considerations are of high importance.
Some open questions I'm still looking answers for: - What webkit features have to be disabled in order to keep anonymity intact while displaying web content? - Apple's networking classes provide ephemeral in-memory URL Sessions ( NSURLSessionConfigurationhttps://developer.apple.com/library/ios/documentation/cocoa/Conceptual/URLLoadingSystem/Articles/UsingNSURLSession.html). Can those be trusted or should equivalent classes be written from scratch? - CPAProxy sets up Tor's DataDir in a temporary directory of an app's sandbox where it's not accessible by other processes. Should that directory be protected in any other way? - What is a good way of analyzing packet captures from an app using CPAProxy and Tor to see if any information leaks?
If there's anyone with opinions on the project, it would really help to hear them. On #tor-dev I'm ursachec.
All best from Hamburg, Claudiu