On Thu, Jun 16, 2016, at 10:37 PM, Tom Ritter wrote:
On 16 June 2016 at 18:45, Amogh Pradeep amoghbl1@gmail.com wrote: Is a code audit the most efficient and reliable way to look for proxy leaks? (At least at this stage?)
I think he means a few things by this, or at least we have a few tasks underway: - mentor (me) reviewing code quality and implementation choices for how proxy features were added - inspection of esr45 Android Java code for new network code and other potentially leaky / deanon features - review of tor browser, noscript and other mobile relevant extensions for portability to android
I would do dynamic analysis by setting up a bridge and a proxy, exercising lots of different functionality of the app (HTTP, HTTPS, FTP, update checking, safebrowsing disabling/enabling, extension installation, extension update checking, extension calls to third party APIs, etc), and looking for any traffic not going to the single bridge configured.
We use NoRoot firewall on Android for doing this in a quick manner. It is like LittleSnitch.
Thanks for the feedback Tom!